
chore(main): release 0.2.28#647

Open
github-actions[bot] wants to merge 3 commits into main from release-please--branches--main--components--modelaudit

Conversation


@github-actions github-actions bot commented Mar 5, 2026

🤖 I have created a release beep boop

0.2.28 (2026-03-18)

Features

  • add rule codes to all security checks (#255) (330e7df)

Bug Fixes

  • add torch and numpy helper primitive coverage (#706) (b0a6a11)
  • block dill recursive loader globals (#695) (0d88a4b)
  • block legacy httplib pickle aliases (#703) (24b789a)
  • bound advanced pickle global extraction (#700) (d9fe283)
  • bound skops zip entry reads and enforce uncompressed size limit (#702) (a91577d)
  • bound XZ decompression memory in r_serialized scanner (26d5b44)
  • bound zlib wrapper decompression output (#681) (8bb9cc2)
  • ci: reorder provenance job steps to prevent SBOM generation failure (#646) (d4ab381)
  • detect pickle proto structural tampering (#697) (0a8a737)
  • detect risky import-only pickle ML surfaces (#696) (a272307)
  • expand dangerous pickle primitive coverage (#705) (40e45ac)
  • fail closed on malformed STACK_GLOBAL operands (#704) (9a1b9a1)
  • handle Windows backslashes in XGBoost subprocess loader (#656) (ba30b81)
  • harden archive path sanitization (#666) (9d77d50)
  • harden cloud download async/cache safety and cleanup (#655) (e14ea61)
  • harden import-only pickle global detection (#691) (d27d90d)
  • harden keras custom object detection (#694) (7651298)
  • harden rule config parsing and debug path privacy (#648) (a073187)
  • harden shared config writes and archive path sanitization (#660) (60de400)
  • harden xgboost subprocess import isolation (#701) (2df2d78)
  • include streamed artifacts in SBOM output for --stream scans (#672) (48d8d54)
  • keras attack-vector fixes for coverage gaps in h5 and keras zip scanning (#689) (863c884)
  • mark flaky timing test as performance to skip in CI (#670) (9c47f7e)
  • preserve duplicate paths with spaces (#690) (ea7c6d9)
  • preserve Hugging Face artifacts in SBOM output (#673) (49c7eca)
  • preserve rule codes through scan aggregation (#650) (d71a219)
  • prevent jfrog folder download path traversal (#679) (6f226a4)
  • prevent unbounded tensor proto allocations in TF weight extraction (#685) (ae2b01c)
  • reduce Keras ZIP custom-object false positives (#716) (165b238)
  • refresh telemetry client state (#658) (7b6ea2f)
  • reject absolute OCI layer references (#659) (722131a)
  • remove pickle hasattr allowlist entries (#692) (4d64cc8)
  • resolve bare torchserve handler modules (#664) (3ae3535)
  • restore raw telemetry fields and harden model_name extraction (#649) (275f087)
  • restrict trusted jfrog hosts for auth (#661) (d959a0d)
  • route compound tar wrappers to tar scanner (#707) (79c0772)
  • route oci layer members via extracted paths (#663) (1395af0)
  • scan TensorFlow SavedModel function definitions for dangerous ops (#677) (31f4715)
  • security: detect nested kwargs URLs in CVE-2025-8747 check (#682) (9431fae)
  • security: restore ZIP fallback scanning for invalid .mar archives (#711) (55de730)
  • security: use conservative PyTorch version selection for CVE checks (#684) (ef5c5e6)
  • stop importing dotenv in jfrog helper (#662) (d20fda3)
  • stream tar member extraction during scan (#665) (3de3048)
  • tighten dill MemoryError downgrade gating (5eefa15)
  • tighten llamafile runtime allowlist matching (#683) (8592a80)
  • use major GitHub Action refs (#680) (7965314)

This PR was generated with Release Please. See documentation.

github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch 17 times, most recently from aeebe6c to 8411b7d on March 12, 2026 05:09
github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch 12 times, most recently from 7e666a9 to 39d1fee on March 13, 2026 23:39
github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch 17 times, most recently from cc5fb87 to e82aefe on March 18, 2026 14:01
github-actions bot force-pushed the release-please--branches--main--components--modelaudit branch from ab6aa65 to 231f20a on March 18, 2026 15:20