Note: The v1.3.0 container images are not available due to a release workflow failure (SBOM generation incompatible with multi-arch builds). Use v1.3.1 instead, which includes all v1.3.0 changes plus the workflow fix.
Security Integration
Fixed
- OIDC session resilience for WUD migrations — Corrupt/incompatible session data no longer causes 500 errors. Sessions auto-regenerate. OIDC errors return JSON.
- Disabled X-Powered-By header — Removed from both main and agent API servers.
- Trivy scan queue — Serialized concurrent Trivy invocations to prevent cache conflicts.
- Login error on wrong password — Fixed JSON parse error on 401 responses.
- Snackbar notification colors — Fixed hardcoded color ignoring severity level.
- SBOM format key mismatch — Fixed schema validation for cyclonedx-json.
Added
- Update Guard (Trivy safe-pull gate) — Pre-update vulnerability scanning with configurable blocking severities.
- Update Guard signature verification (cosign) — Optional image signature verification before updates.
- Update Guard SBOM generation — Trivy SBOM generation (spdx-json,cyclonedx-json) with API endpoint.
- Container card security status chip — Vulnerability scan status on container cards.
- On-demand security scan — POST /api/containers/:id/scan with real-time SSE events.
- Direct container update from UI — POST /api/containers/:id/update endpoint, no trigger config required.
- Trivy and cosign in official image — Both binaries included, no custom image needed.
- Snyk vulnerability monitoring — Continuous dependency scanning with badge.
Changed
- Grafana dashboard overhaul, mobile responsive dashboard, test coverage improvements, Prometheus counter deduplication, API error handler deduplication, lint fixes.
Security
- CodeQL alert fixes — Log injection sanitization, rate limiting on scan endpoint.
- Build provenance and SBOM attestations — Supply chain attestations in release workflow.
Full Changelog: v1.2.0...v1.3.0