v0.10.0 — First public release

The first public release of TrustedOSS Portal — a self-hosted, Apache-2.0 SCA portal that unifies vulnerability tracking, license compliance, SBOM generation, and CI/CD integration in one UI.

The full machine-readable changelog lives in CHANGELOG.md. This page is the human-readable summary.

Highlights

Scanning

Source scans — cdxgen produces a CycloneDX SBOM across 30+ language ecosystems; Trivy matches components against its unified DB (NVD + OSV + GitHub Advisory + EPSS + KEV).
Container scans — Trivy scans OS packages of a container image you name.
Automatic CVE re-detection — a weekly Trivy DB refresh + a Celery beat re-match every project's most-recent SBOM, so new CVEs land without a manual re-scan.
Air-gapped support — TRIVY_DB_REPOSITORY swaps the upstream OCI registry for an internal mirror.

Compliance

License classification — allowed / conditional / forbidden tiers, scored against a fixed classification catalog.
Obligations + auto NOTICE — text, markdown, and HTML output.
Component approval workflow — Pending → Under Review → Approved / Rejected.
VEX — export and consumption (OpenVEX + CycloneDX VEX), 7-state triage.
SBOM export — CycloneDX (JSON / XML) and SPDX (JSON / Tag-Value), byte-stable.

CI/CD

GitHub Actions composite action + GitLab CI template + a worked Jenkinsfile example.
Build gate — Critical CVE or forbidden license fails the build (exit 1).
Webhooks — GitHub & GitLab push / PR events auto-trigger scans with inline PR / MR comments.
EPSS prioritization — column, sort, filter, and a policy-gate threshold (GATE_EPSS_THRESHOLD).

Operations

Multi-tenant teams + RBAC — super_admin / team_admin / developer.
Append-only audit log — every write recorded with diff + actor, with SQL-level immutability via a plpgsql trigger.
Notifications — Email (SMTP), Slack, Microsoft Teams webhooks.
Admin UI — user / team management, Trivy DB monitoring + refresh, scan queue, disk dashboard, audit-log search and CSV export.
Backups — daily Celery-beat auto-backup with 7-day retention plus manual backup / restore from the Admin UI.
Read-only demo mode — DEMO_READ_ONLY=true for public demos.

Experience

EN + KO i18n from day one — every UI string and every documentation page is bilingual.
Modern enterprise design system — light theme, WCAG AA, compact 40 px tables, drawer + page navigation dual surfaces.
Portfolio Dashboard on / — KPI cards, severity and license distribution, recent scans.
⌘K command palette — keyboard-first navigation across projects, vulns, components, and admin areas.
URL-persistent filters — every facet (severity, license category, search, status, page) lives in the URL so reload / share / back-button restores the view.

Distribution

Docker Compose — dev and prod overlays; the prod overlay includes Traefik with Let's Encrypt.
Helm chart (charts/trustedoss) — bundled-or-external PostgreSQL and Redis, Ingress with cert-manager TLS, schema-migration Job.
OpenAPI reference — rendered at /reference/api on this docs site.
Schema-gated readiness probe — /health/ready returns 503 until the Alembic schema is at HEAD.

What is not in this release

The comparison page lists every documented gap. Two that matter most for adoption decisions:

Automated remediation pull requests. The portal surfaces per-finding fixed_version and dependency-graph depth, but does not yet open upgrade PRs. Suggested upgrades and PR opening land in a future release.
Reachability analysis. Findings are listed in full rather than ranked by whether vulnerable code is reachable — planned, best-effort.

See the roadmap for the full forward plan.

Install

Quickstart (5 min) — local evaluation with the dev compose stack.
Install with Docker Compose — production install on a Linux host.
Install on Kubernetes with Helm — production install via the Helm chart.

Highlights​

Scanning​

Compliance​

CI/CD​

Operations​

Experience​

Distribution​

What is not in this release​

Install​

See also​