This release focuses on safer outbound network behavior during scans, plus a clearer and more cautious upgrade flow. It also includes a few reliability fixes that help avoid missed findings and confusing output.
Security and safety
Outbound requests made during scanning now refuse to connect to private, loopback, link-local, or metadata-range IP addresses, including when following redirects. This helps reduce the risk of accidentally reaching sensitive internal endpoints.
When checking redirects, the scanner now applies the same safety guard while following redirect hops. This keeps URL-based checks safer even when a public URL redirects somewhere unexpected.
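As an added illustration (not the scanner's own code), a guard of the kind described above can be written as a per-hop check that resolves each URL in a redirect chain and refuses blocked address ranges. The hostnames, addresses, redirect table and the `resolve`/`fetch_location` callables are constructed stand-ins so the example runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Metadata endpoints are named explicitly, although they already fall
# inside the link-local / private ranges checked below.
METADATA_NETS = [ipaddress.ip_network("169.254.169.254/32"),
                 ipaddress.ip_network("fd00:ec2::254/128")]

def is_blocked_ip(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it gets the IPv4 checks.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or any(ip in net for net in METADATA_NETS))

def check_redirect_chain(start_url, resolve, fetch_location, max_hops=5):
    """Apply the guard to the first URL and to every redirect hop.
    resolve(host) -> list of IP strings; fetch_location(url) -> Location or None.
    Returns (allowed, reason, hops_actually_requested)."""
    url, hops = start_url, []
    for _ in range(max_hops + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, f"unsupported URL: {url}", hops
        addrs = resolve(parts.hostname)
        bad = [a for a in addrs if is_blocked_ip(a)]
        if not addrs or bad:  # one bad record is enough to refuse the host
            return False, f"blocked {parts.hostname}: {bad or 'no address'}", hops
        hops.append(url)      # only now would a real client connect
        location = fetch_location(url)
        if location is None:
            return True, "ok", hops
        url = urljoin(url, location)  # handles relative Location values
    return False, "too many redirects", hops

# Constructed sample data: a fake DNS table and a fake redirect table.
DNS = {"public.example": ["93.184.216.34"], "cdn.example": ["93.184.216.34"],
       "mixed.example": ["93.184.216.34", "10.0.0.5"]}
REDIRECTS = {"https://public.example/a": "https://cdn.example/b",
             "https://public.example/rel": "/a",
             "https://public.example/go": "http://169.254.169.254/latest/meta-data/"}

def sample_resolve(host):
    try:
        ipaddress.ip_address(host)   # IP literal: nothing to resolve
        return [host]
    except ValueError:
        return DNS.get(host, [])

def sample_fetch(url):
    return REDIRECTS.get(url)
```

In a real client the connection should be made to the address that was just checked, rather than resolving the hostname a second time, so the answer cannot change between the check and the connect.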
TLS checks now require a minimum of TLS 1.2. This aligns the check with modern security expectations.
Quality of life and reliability
The upgrade prompt is now more explicit and cautious. Preflight shows the exact upgrade command first, defaults to No, and avoids auto-running network-fetched shell pipelines.
Secret scanning is less likely to miss results in minified bundles. Very long single-line files can now be scanned without being silently skipped.
Output is cleaner when piping results to a file or another tool. Color formatting is automatically disabled when the output is not a terminal.