Changelog
What's shipped recently
Notable changes in plain English. Source, issues, and release detail live in the open-core repository.
-
AI model scanning reads inside zip-container checkpoints
PyTorch has saved .pt/.bin as a zip archive since 2020, with the pickle nested at archive/data.pkl — the format ~99% of Hugging Face models ship in. Chainsaw now unwraps the container before the pickle scan, so a malicious os.system buried inside a real checkpoint is caught, not just hand-crafted raw .pkl files. The opcode walker also models the pickle stack and memo, closing STACK_GLOBAL and byte-encoded-module evasions that dodge a naive text scan.
-
One-command guard setup, plus an honest first run and doctor
chainsaw guard init --install writes the guard hook into your shell rc in one command — no copy-paste. guard update now shows live download progress so a slow dataset pull doesn't read as a hang. The first-run telemetry prompt defaults to yes with a plain-language disclaimer of exactly what's shared, and stays silent in CI. doctor's manager table is realigned and now reports a 'shim' state, so a manager protected by the shell guard no longer reads as unprotected.
-
Linux distro CVE detection — Alpine, Debian, Red Hat, Oracle Linux
Native CVE detectors per distro, with each stream updating on its own cadence — distinct from upstream OSV. A vendor advisory becomes a block-list entry the same hour the distro publishes it. Modular ingest means an Alpine stall doesn't hold up Red Hat coverage.
-
Bundled Hugging Face malware feed
Native HF coordinate-match feed shipped in-process — closes the gap where public SCA indexes lag on model-repo malware. Lookup is constant-time at resolve; a hit drops trust score to -100.
-
chainsaw doctor verify-hook and doctor logs
Two new CLI subcommands. verify-hook detects client-side install-hook bypasses — a developer skipping the proxy via .npmrc edits or env overrides now shows up in doctor output. doctor logs surfaces operator-actionable WARN lines from the server so on-call doesn't have to grep raw stdout.
-
Docker OCI inspector and Swift git-fallback ON by default
Per-layer image inspection and Swift's git-tag fallback no longer need an opt-in flag. New deployments get container depth and Swift coverage out of the box. Existing installs keep their explicit config; the default only changes when the flag is unset.
-
Silent-success write telemetry + SQL tripwire
published_to_inventory counters, drop counters, and a SQL tripwire fire when a write looks like it succeeded but didn't land. Six operator log lines were promoted DEBUG→WARN so the cases that used to need code-reading now show up in doctor logs.
-
VEX-aware exception CLI
chainsaw exception create now accepts --cve, --decision, and --vex-note. Exceptions carry VEX semantics — not_affected, affected, fixed, under_investigation — so the audit log answers vendor questionnaires directly.
-
chainsaw cargo-credentials — credential provider for cargo 1.74+
Cargo's native credential-provider protocol now has a first-class Chainsaw integration. No more .cargo/config.toml token-in-plaintext patterns; the provider sources credentials from the OS keyring.
-
Supply-chain attack signals catalogue
Install-script exfiltration, maintainer takeover, version anomalies, hidden Unicode, publish-velocity bursts, reserved-namespace dependency confusion, Docker malware feed, per-layer image enforcement, APT/Yum/DNF hash-chain provenance, typosquat across 15 ecosystems including Go, CocoaPods, and GitHub Actions, repo liveness plus ownership match, and checksum fail-closed enforcement — 25 signals total, composable in a single policy. Four run on every ecosystem (CVE, license, reserved namespaces, trust score); the rest light up where each registry exposes the metadata we need. See our per-ecosystem coverage matrix for the full grid.
-
Browser-based CLI login with Turnstile
chainsaw auth login now opens a browser to the dashboard and uses a device-code flow with Cloudflare Turnstile to block automated login attempts. Works on headless shells via a short code; works on desktop via redirect. Tokens land in the OS keyring — macOS Keychain, Windows Credential Manager, Linux secret-service.
-
Cross-platform CLI binaries
Builds for macOS (Intel and Apple Silicon), Linux (x86_64, arm64), and Windows (x86_64), each with a published SHA-256 checksum for download verification. The server URL can be baked into the binary at build time for air-gapped shipping. Sigstore-signed releases follow once the release-signer bot is provisioned.
-
Strict JWT mode is now default
Chainsaw refuses to boot without CHAINSAW_JWT_SECRET or a persistent store to hold a generated secret. Multi-replica deployments are safer out of the box. Single-process dev still works with CHAINSAW_STRICT_JWT=0.
-
FORCE_HTTPS scheme upgrade for CLI auth
The CLI login URL now honours FORCE_HTTPS. Reverse-proxied Chainsaw deployments with TLS termination upstream no longer emit http:// redirects.
-
Web UI URLs resolved via NEXT_APP_BASEPATH
Dashboard URLs printed by the CLI during auth now respect NEXT_APP_BASEPATH and CHAINSAW_WEB_UI_URL, so Chainsaw deployments on a subpath or a custom domain get correct browser links.
Want the whole history?
CHANGELOG.md in the repo
Every release, every PR, every behaviour change — with engineering-level detail. The repo CHANGELOG uses Keep a Changelog format.