Kubescape
v4.0.4Securityv4.0.4 is a dependency maintenance release with security-relevant library bumps across gRPC, go-git, cloudflare/circl, go-jose, and hashicorp/go-getter, plus minor CLI bug fixes.
securityUpgrade immediately due to security-sensitive dependency updates
Several updated libraries — hashicorp/go-getter, cloudflare/circl, go-jose, and go-git — have histories of CVEs covering path traversal, cryptographic weaknesses, and JWT attacks. While Kubescape's release notes don't call out specific CVEs, the jump from go-getter 1.7.9 to 1.8.6 and go-git 5.16.5 to 5.17.1 are both large version gaps. If you run Kubescape in CI pipelines or as part of automated scanning, update to v4.0.4 now rather than waiting for a scheduled maintenance window.
enhancementHelm 3.20.2 and gRPC 1.79.3 bring compatibility improvements
The Helm SDK bump to 3.20.2 means Kubescape's chart scanning logic stays aligned with current Helm releases. If your clusters use recent Helm chart features, earlier Kubescape versions may have produced incomplete or inaccurate scan results. Rerun chart-level scans after upgrading to confirm coverage.
enhancementFix for duplicate flags in `scan image` — check any wrapper scripts
If you have shell scripts or CI configs that pass flags explicitly to `kubescape scan image`, the duplicate-flag bug could have caused unexpected behavior or silent flag ignoring. After upgrading, verify your pipeline invocations still produce expected output.
主な変更 (5)
- hashicorp/go-getter bumped from 1.7.9 to 1.8.6 — this library has a history of security CVEs around path traversal and SSRF
- cloudflare/circl updated from 1.6.1 to 1.6.3, addressing cryptographic library fixes
- go-jose/go-jose updated to 4.1.4, patching JWT/JWE handling issues
- go-git bumped to 5.17.1 — prior versions had known git protocol vulnerabilities
- Duplicate CLI flags removed from `scan image` subcommand, and error handling improved