0.128.0

What's Changed

• feat(aws): ingest flattened billing, encryption, and stream properties by @Tushar240503 in #2198
• chore: disable stale on issues by @jychp in #2322
• fix(ontology): enable PublicIP sync in ontology orchestrator by @jychp in #2324
• feat(scaleway): add iam policy support (+ small fix) by @EmFl in #2295
• chore: bump protobuf from 6.33.2 to 6.33.5 by @dependabot[bot] in #2323
• chore(ci): remove pip ecosystem from Dependabot by @jychp in #2319
• chore: bump types-requests from 2.32.4.20250913 to 2.32.4.20260107 by @dependabot[bot] in #2328
• chore: bump black from 25.12.0 to 26.1.0 by @dependabot[bot] in #2330
• chore: bump the minor-and-patch group with 3 updates by @dependabot[bot] in #2325
• chore: bump shibuya from 2025.12.17 to 2026.1.9 by @dependabot[bot] in #2329
• feat(ontology): add image-related ontology labels to ECR entities by @jychp in #2318
• chore: bump packaging from 25.0 to 26.0 by @dependabot[bot] in #2327
• docs(rules): add autodoc for rules module by @jychp in #2321
• chore: bump the minor-and-patch group with 12 updates by @dependabot[bot] in #2326
• feat(metrics): add resource count metrics to load operations by @jychp in #2331
• feat(rules): Google Workspace CIS benchmarks by @kunaals in #2197
• feat(rules): GCP CIS benchmarks by @kunaals in #2196
• feat(rules): Standardize CIS rule IDs with provider prefixes by @kunaals in #2334
• fix(rules): Remove unrestricted_all_ports rule from CIS AWS networking by @kunaals in #2336
• refactor(pagerduty): datamodel migration by @jychp in #1606
• feat(rules): Add Framework object for structured compliance metadata by @jychp in #2335
• refactor(github): Refactor integration tests by @jychp in #2339
• chore(deps): Upgrade Neo4j Python driver to 6.0.0 by @jychp in #2340
• feat(apigateway): Add exposed_internet property based on endpoint type by @jychp in #2341
• feat(ontology): add Image/ImageManifestList labels to GCP and GitLab images by @kunaals in #2337
• feat(cli): migrate from argparse to Typer by @jychp in #2333
• chore(azure): upgrade azure-mgmt-sql to v3.0.1 and migrate to database_security_alert_policies API by @jychp in #2344
• feat(ontology): add CodeRepository semantic label for source code repositories by @jychp in #2350
• feat(ontology): add ObjectStorage semantic label for cross-cloud bucket querying by @jychp in #2348
• feat(ontology): add missing UserAccount mappings for GitLab and OCI by @jychp in #2347
• feat(ontology): add Secret semantic label for cross-platform secret queries by @jychp in #2349
• chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2353
• fix: Azure SDK import and add version constraint by @achantavy in #2360
• chore: bump the minor-and-patch group with 12 updates by @dependabot[bot] in #2354
• chore: bump packaging from 25.0 to 26.0 by @dependabot[bot] in #2357
• chore: bump sphinxcontrib-mermaid from 1.2.3 to 2.0.0 by @dependabot[bot] in #2355
• chore: bump python from f5d029f to 218027a by @dependabot[bot] in #2352
• fix(ec2): Use execute_read for AWS EC2 image/snapshot reads by @kunaals in #2361
• chore: miscellaneous cleanup and security hardening by @jychp in #2363
• feat: code-to-cloud supply chain traceability (PACKAGED_FROM, PACKAGED_BY, SLSA provenance) by @jychp in #2313
• fix(cli): add version flags, restore -h, and speed up --help by @jychp in #2367
• feat(gitlab): Adding Coverage for Gitlab Image Layers by @shyammukund in #2351

New Contributors

• @EmFl made their first contribution in #2295

Full Changelog: 0.127.0...0.128.0

0.127.0

What's Changed

• chore: update PR template by @jychp in #2279
• fix(gcp): Fix for Location Name prefix mismatch by @shyammukund in #2282
• chore: bump the minor-and-patch group with 3 updates by @dependabot[bot] in #2288
• chore: migrate OCI and JAMF tests by @jychp in #2287
• feat(gcp): Support GCP Artifact Registry by @shyammukund in #2230
• feat(gitlab): Support GitLab Container Registries by @shyammukund in #2254
• fix(gcp): Handle HttpError per location in CloudRun job and execution sync by @kunaals in #2297
• feat(rules): Add Asset Compliance Metrics to Cartography Rules by @jychp in #2261
• feat(trivy): Add Trivy Support for GitLab Container Registries by @shyammukund in #2263
• feat(ontology): add LoadBalancer + Function and improve existing coverage by @jychp in #2271
• doc: split AGENTS.md into separate procedures by @jychp in #2281
• chore: CI fix and improvment by @jychp in #2283
• chore: create a stale workflow by @jychp in #2276
• doc: add refererence (autodoc from docstring) by @jychp in #1707
• fix(rules): add deduplication key for cloudtrail rules by @jychp in #2303
• fix: ensure all analysis jobs are called by @jychp in #2300
• fix(gcp): Fix GCP Sync and cascade delete by @shyammukund in #2299
• fix(trivy): handle missing Results key for images with no vulnerabilities by @kunaals in #2310
• fix(docs): Fix GitLab docs navigation and terminology by @kunaals in #2308
• feat(gcp): connect GCP IAM Roles to Organizations and Projects by @kunaals in #1469
• feat(k8s): add HAS_IMAGE relationship to GitLabContainerImage by @kunaals in #2307
• feat(trivy): Add Trivy Support for GCP Artifact Registry by @shyammukund in #2267
• feat(aws): add support for aws iam saml providers by @abhinav-1305 in #1901
• feat(AWS): added functionality to check service last accessed by @krishi-agrawal in #1930
• refactor(jamf): migrate to new datamodel by @jychp in #2291
• feat(aws): add support for MFA devices by @ongdisheng in #2278
• chore: enable stale and add cubic config by @jychp in #2314
• feat(ontology): Container Registry Ontology by @shyammukund in #2304
• refactor(oci): migrate OCI to new datamodel by @jychp in #2290
• feat(gitlab): Add GitLab User Coverage by @shyammukund in #2302
• feat(github): Add GitHub Actions support by @kunaals in #2139
• hotfix: fix tests broken by recenet AI slop PR by @jychp in #2317
• feat(core): add conditional label by @jychp in #2316
• feat(ontology): add PublicIP by @jychp in #2285
• feat(aws): EKS Access Entry Mappings by @Tushar240503 in #2239
• fix(aws): fix Kms secret relationship by @Tushar240503 in #2296

New Contributors

• @abhinav-1305 made their first contribution in #1901
• @krishi-agrawal made their first contribution in #1930
• @ongdisheng made their first contribution in #2278

Full Changelog: 0.126.0...0.127.0

0.126.0

What's Changed

• chore: bump python from 7b68a5f to f5d029f by @dependabot[bot] in #2240
• feat(azure): Add initial ingestion for Azure Synapse by @janithashri in #2015
• feat(azure): add support for Key Vaults, Secrets, Keys, and Certificates by @janithashri in #1961
• chore: bump filelock from 3.20.1 to 3.20.3 by @dependabot[bot] in #2244
• feat(azure): Add shared tag support to Network, Security Center, Reso… by @janithashri in #2097
• chore: bump aiohttp from 3.13.2 to 3.13.3 by @dependabot[bot] in #2248
• feat(gcp): Add Cloud Functions ingestion by @janithashri in #1786
• chore: bump werkzeug from 3.1.4 to 3.1.5 by @dependabot[bot] in #2246
• feat(azure): Add shared tag support to AKS, App Service, and Compute by @janithashri in #2061
• chore: bump urllib3 from 2.3.0 to 2.6.3 by @dependabot[bot] in #2243
• chore: bump marshmallow from 4.1.1 to 4.1.2 by @dependabot[bot] in #2249
• chore: bump azure-core from 1.37.0 to 1.38.0 by @dependabot[bot] in #2247
• chore: bump pyasn1 from 0.6.1 to 0.6.2 by @dependabot[bot] in #2242
• chore: bump virtualenv from 20.35.4 to 20.36.1 by @dependabot[bot] in #2245
• feat(azure): add support for event hub by @janithashri in #1969
• feat(gcp): add kms support by @janithashri in #2019
• refactor: SentinelOne CVE models by @serge-wq in #2222
• feat(gcp): Support for GCP Secrets Manager by @shyammukund in #2235
• feat(googleworkspace): make device sync optional based on OAuth scopes by @kunaals in #2214
• tests(gcp): migrate test to new logic by @jychp in #2255
• docs: fix markdown formatting issues in schema docs by @kunaals in #2258
• chore: Migrate integration tests to follow best practices by @jychp in #2260
• refactor(gcp): refactor compute in GCP by @jychp in #2257
• doc: improve doc quality by @jychp in #2270
• refactor(aws): migrate remaining AWS modules by @jychp in #2262
• feat(gcp): Support for GCP CloudRun by @shyammukund in #2209

Full Changelog: 0.125.0...0.126.0

0.125.0

What's Changed

• chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2217
• feat(ontology): add missing doc and ontology labels by @jychp in #2220
• doc: add documentation for --aws-requested-syncs by @jychp in #2216
• fix(rules): fix missing data in rules visual cypher query by @jychp in #2221
• feat(azure): Add shared tag support to Function Apps, Logic Apps, Loa… by @janithashri in #2085
• feat(aws): Add CloudFront distribution support by @kunaals in #2202
• fix(aws): Sync Failure in AWS Bedrock by @shyammukund in #2225
• fix(slack): remove archived channel and reduce log verbosity by @jychp in #2227
• fix(rules): Add neo4j.time.DateTime to Python datetime conversion utility by @kunaals in #2231
• feat(aws): add analysis job for ECS Container internet exposure by @jychp in #2228
• docs(github): improve PAT configuration with fine-grained token guidance by @kunaals in #2232
• feat(aws): add IAM certificate sync support by @Tushar240503 in #2190
• fix(gcp): Add Retry Logic for GCP API Transient HTTP Errors by @jychp in #2234
• feat(core): add BufferError retry handling to Neo4j transactions by @kunaals in #2236
• feat(k8s): link Kubernetes secret by @Tushar240503 in #2224
• Handle malformed Azure Security Center assessment responses by @kunaals in #2185
• feat(aws): Add CloudTrail event selector ingestion by @kunaals in #1920

New Contributors

• @Tushar240503 made their first contribution in #2190

Full Changelog: 0.124.0...0.125.0

0.124.0

What's Changed

• feat: Add support for GitHub protected branches (partial #2069) by @deidaraiorek in #2155
• fix(cloudflare): Fail cloudflare sync when not configured by @kunaals in #2165
• fix(github): Handle pip flags in GitHub requirements parsing by @kunaals in #2150
• feat(rules): Represent STRIDE metadata as tags by @kunaals in #2164
• chore: enforce sub_resource_relationship convention by @jychp in #1566
• chore: bump the minor-and-patch group with 3 updates by @dependabot[bot] in #2169
• fix(schema): Correct relationship directions and add container status index by @kunaals in #2168
• feat: Add GitLab and Workday intel modules by @sachafaust in #2172
• feat(kube): Add kube service to load balancer relationship by @kunaals in #2113
• Fix Neo4j error in Semgrep SCA findings with unknown vulnerability id… by @heryxpc in #2187
• chore: bump docker/setup-docker-action from 4.6.0 to 4.7.0 in the minor-and-patch group by @dependabot[bot] in #2194
• chore: bump python from fb1feae to 7b68a5f by @dependabot[bot] in #2193
• feat:(AWS): Coverage for AWS Sagemaker by @shyammukund in #2142
• feat:(GCP): Coverage for GCP VertexAI by @shyammukund in #2133
• feat(rules): Add CIS AWS Foundations Benchmark compliance rules by @kunaals in #2157
• feat(graph): Add cascade_delete option to cleanup builder by @kunaals in #2181
• fix(rules): Add AWS to CIS rule names for clarity by @kunaals in #2199
• feat(gitlab): GitLab orgs, groups, dependencies by @kunaals in #2182
• feat(aws): Coverage for AWS bedrock by @shyammukund in #2151
• feat(ontology): add tenant label into ontology by @jychp in #2179
• feat(gcp): Support for GCP Cloud SQL by @shyammukund in #2200
• feat(aws): Support ELBv2 EXPOSE for all target types (instance, ip, lambda, alb) by @kunaals in #2166
• fix(aws): Fix ECS service-to-task relationship cross-account connection bug by @kunaals in #2201
• chore: add .python-version file to pin Python 3.10 for development by @kunaals in #2206
• fix: AWS and GCP Schema Sidebar by @shyammukund in #2203
• doc: typos in documentation by @oglok in #2186
• feat(aws): Add VPC endpoint support by @sachafaust in #2183
• tests(gcp): fix inconsistent identifiers by @sdudhani in #2176

New Contributors

• @deidaraiorek made their first contribution in #2155
• @oglok made their first contribution in #2186
• @sdudhani made their first contribution in #2176

Full Changelog: 0.123.0...0.124.0

0.123.1rc1

What's Changed

• feat: Add support for GitHub protected branches (partial #2069) by @deidaraiorek in #2155
• fix(cloudflare): Fail cloudflare sync when not configured by @kunaals in #2165
• fix(github): Handle pip flags in GitHub requirements parsing by @kunaals in #2150
• feat(rules): Represent STRIDE metadata as tags by @kunaals in #2164
• chore: enforce sub_resource_relationship convention by @jychp in #1566
• chore: bump the minor-and-patch group with 3 updates by @dependabot[bot] in #2169
• fix(schema): Correct relationship directions and add container status index by @kunaals in #2168
• feat: Add GitLab and Workday intel modules by @sachafaust in #2172
• feat(kube): Add kube service to load balancer relationship by @kunaals in #2113
• Fix Neo4j error in Semgrep SCA findings with unknown vulnerability id… by @heryxpc in #2187

New Contributors

• @deidaraiorek made their first contribution in #2155

Full Changelog: 0.123.0...0.123.1rc1

0.123.0

What's Changed

• feat: add Slack intel module by @jychp in #2044
• feat(ontology): add ThirdPartyApp ontology node by @jychp in #2108
• fix(gcp): Add rate limiting and retry logic to CAI API calls by @kunaals in #2116
• chore: bump black from 25.11.0 to 25.12.0 in the minor-and-patch group by @dependabot[bot] in #2119
• chore: bump the minor-and-patch group with 3 updates by @dependabot[bot] in #2118
• feate(kubernetes): Link Kubernetes containers to ECR images by @kunaals in #2104
• fix(azure): Fail Azure sync when service principal auth is malformed by @kunaals in #2117
• fix(gcp): Remove quota project requirement for CAI features by @kunaals in #2129
• feat(sentinelone): Add CVE ingestion to SentinelOne intelmodule by @serge-wq in #1750
• fix(gcp): Gracefully handle all 403 errors in CAI fallback by @kunaals in #2131
• fix(gcp): Handle absolute paths in permission_relationships file parsing by @kunaals in #2134
• fix(aws): ECR Sync Crash for Single-Platform Images by @chuck-duplocloud in #2130
• fix(aws): Retry on ResponseParserError in IAM sync by @kunaals in #2132
• feat(aws): Attach EC2 instances to EKS clusters by @kunaals in #2135
• fix(core): Handle EquivalentSchemaRuleAlreadyExists in parallel sync by @kunaals in #2138
• refactor(azure): Azure datamodel migration by @jychp in #1555
• fix(aws): identity center data quality issues and doc gaps #2127, #2120: by @achantavy in #2136
• fix(tests): properly mock out sleeps by @achantavy in #2141
• feat(ontology): add databases ontology label by @jychp in #2143
• chore: bump python from c299e10 to fb1feae by @dependabot[bot] in #2145
• chore: bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in #2147
• chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2146
• docs(azure): add RBAC schema documentation by @kunaals in #2149
• feat(azure): Add Azure network interface and public IP ingestion by @kunaals in #2144
• fix(ci): Check uv lockfile up to date with pyproject.toml by @kunaals in #2100
• fix(docs): Fix tailscale/schema.md links by @WhatIsACore in #2156
• fix: add OpenAI module to rules by @jychp in #2160

New Contributors

• @chuck-duplocloud made their first contribution in #2130
• @WhatIsACore made their first contribution in #2156

Full Changelog: 0.122.0...0.123.0

0.123.0rc1

What's Changed

• feat: add Slack intel module by @jychp in #2044
• feat(ontology): add ThirdPartyApp ontology node by @jychp in #2108
• fix(gcp): Add rate limiting and retry logic to CAI API calls by @kunaals in #2116
• chore: bump black from 25.11.0 to 25.12.0 in the minor-and-patch group by @dependabot[bot] in #2119
• chore: bump the minor-and-patch group with 3 updates by @dependabot[bot] in #2118
• feate(kubernetes): Link Kubernetes containers to ECR images by @kunaals in #2104
• fix(azure): Fail Azure sync when service principal auth is malformed by @kunaals in #2117
• fix(gcp): Remove quota project requirement for CAI features by @kunaals in #2129
• feat(sentinelone): Add CVE ingestion to SentinelOne intelmodule by @serge-wq in #1750
• fix(gcp): Gracefully handle all 403 errors in CAI fallback by @kunaals in #2131
• fix(gcp): Handle absolute paths in permission_relationships file parsing by @kunaals in #2134
• fix(aws): ECR Sync Crash for Single-Platform Images by @chuck-duplocloud in #2130
• fix(aws): Retry on ResponseParserError in IAM sync by @kunaals in #2132

New Contributors

• @chuck-duplocloud made their first contribution in #2130

Full Changelog: 0.122.0...0.123.0rc1

0.122.0

What's Changed

• refactor: PagerDuty tests by @jychp in #2077
• fix(azure): #2078 factory_id bug by @achantavy in #2079
• fix: Reduce ECR layer batch size to avoid Neo4j OOM by @kunaals in #2080
• chore: bump python from 975a1e2 to c299e10 by @dependabot[bot] in #2089
• feat: ontology for inactive users + fix github mapping + inactive rule by @jychp in #2076
• feat(ontology): add APIKey by @achantavy in #2091
• rules: shai hulud attack rule by @jychp in #2090
• feat(vuln mgmt): Extra indexes on fields for vulnerability management by @kunaals in #2083
• fix: make shai-hulud query only return vulnerable pkgs by @achantavy in #2093
• chore: bump the minor-and-patch group with 2 updates by @dependabot[bot] in #2087
• chore: bump actions/checkout from 5.0.1 to 6.0.0 by @dependabot[bot] in #2088
• feat(kubernetes): KubernetesContainer memory and CPU by @kunaals in #2095
• feat(ontology): add ComputeInstance and Container by @jychp in #2066
• fix(rules): add missing modules to rules.Module by @jychp in #2098
• chore: bump the minor-and-patch group with 4 updates by @dependabot[bot] in #2102
• feat: GCP policy_bindings and Permissions Relationship Evaluation Sync by @Daksh1603 in #2062
• feat: add google oauth tokens by @jychp in #2094
• feat (GCP): Use CAI api as fallback when IAM is disabled by @shyammukund in #2096
• fix(gcp): Pass creds GCP by @kunaals in #2106
• fix(aws): Add region field to AWS Identity Center and AWS Permission Set Nodes by @shyammukund in #2111
• feat(gcp): Fetch predefined IAM roles from quota project for CAI fallback by @kunaals in #2115
• fix (AWS): Set RoleHint to include region for PermissionSets/AWS Roles not in us-east-1 by @shyammukund in #2114

Full Changelog: 0.121.0...0.122.0

0.121.0

What's Changed

• chore: bump the minor-and-patch group with 3 updates by @dependabot[bot] in #2054
• chore: bump python from e0c4fae to 975a1e2 by @dependabot[bot] in #2053
• chore: bump black from 25.9.0 to 25.11.0 in the minor-and-patch group by @dependabot[bot] in #2055
• feat: Azure RBAC and Permissions Relationship Evaluation Sync by @Daksh1603 in #1950
• feat(gcp): Add initial ingestion for GCP Bigtable by @janithashri in #2040
• feat(spacelift): Add relationship between Github User and Spacelift Git Commit by @shyammukund in #2052
• fix(tx): Retry certain ClientErrors by @kunaals in #2028
• fix: scaleway integ tests and uv.lock regression by @achantavy in #2058
• feat(azure): add support for virtual networks, subnets, and nsgs by @janithashri in #1985
• feat(azure): add support for Event Grid Topics by @janithashri in #1947
• feat(azure): Add Azure Tags for storage accounts by @janithashri in #2050
• feat(azure): add support for AKS clusters and node pools by @janithashri in #1951
• feat(azure): add support for Data Factory by @janithashri in #1970
• feat(azure): add support for Load Balancers and internal components by @janithashri in #1987
• feat: ontology improvement (fields for semantic labels) by @jychp in #2059
• fix: GSuite sync and config helper script bug fix by @Daksh1603 in #2063
• chore: bump the minor-and-patch group with 3 updates by @dependabot[bot] in #2060
• (feat) Add GitHub organization emails to Users by @byarr in #1923
• feat(googleworkspace): rename gsuite module and add additional data sources by @jychp in #2037
• refactor: Refactor Azure SQL and Storage integration tests to use `sync()… by @jychp in #2067
• refactor: rules engine by @jychp in #2049
• refactor: Refactor Okta integration tests by @jychp in #2070
• feat: improve github on ontology by @jychp in #2072
• feat(aws): add GuardDuty detectors by @achantavy in #2073
• rules: find regions where aws guarduty is disabled by @jychp in #2074

Full Changelog: 0.120.0...0.121.0