Safeguard.sh
Product

Safeguard Q3 2025 Release Recap

A quarterly recap of everything Safeguard.sh shipped in Q3 2025 across Griffin, Eagle, Lino, and Gold — with the improvements, deprecations, and next steps.

Shadab Khan
Security Engineer
8 min read

Q3 2025 was the quarter Safeguard stopped being a collection of scanners and started behaving like a platform. We shipped three major capability expansions, merged two engines that had drifted apart, and put a desktop surface on top of everything so teams could stop living inside CI logs. This post walks through the full set of changes: what shipped, what we improved, what we are deprecating, and what is queued for the next cycle.

What shipped in Q3 2025?

The short answer: a lot. The longer answer is that most of Q3's releases were focused on closing the loop between detection and remediation, and on letting developers stay inside the tools they already use.

Shipped

  • Griffin 2.1 — reachability analysis is now default-on for Node.js, Python, and Go. A finding no longer lands in your queue unless the vulnerable symbol is actually reachable from a live entry point. The old "severity everywhere" mode is still available under a feature flag for teams with compliance reporting tied to it.
  • Eagle container profiles — Eagle now ships with opinionated profiles for distroless, Alpine, and Chainguard bases. Each profile adjusts the scoring model so a libcurl CVE in a base image with no shell looks different from the same CVE in an image with curl on PATH.
  • Lino runtime hooks for Kubernetes — Lino can now attach to pods via an admission controller and collect egress fingerprints during the first 15 minutes of a pod's lifetime. That window is what feeds our behavioral reachability model.
  • Gold self-healing for pinned dependencies — Gold watches your lockfiles for CVE disclosures that intersect the pinned graph and opens remediation PRs that preserve your pin discipline. Each PR includes the reachability verdict from Griffin and the runtime verdict from Lino.
  • MCP server (public beta) — the Safeguard MCP server lets IDE agents and orchestrators call Griffin, Eagle, and Lino directly. It exposes scan.repo, scan.image, scan.runtime, reachability.trace, and remediation.plan as first-class tools.
  • Desktop app (macOS and Windows) — the new desktop shell wraps our CLI, shows live results, and ships with a built-in tunnel to the runner for air-gapped environments. It replaces the old sg TUI for interactive work.

Improved

  • Workflows — the workflow engine now supports conditional re-scan triggers. A workflow can be configured to re-run Eagle only if a base image digest changes, instead of on every tag push. For large monorepos this cut scan spend roughly in half in our own usage.
  • Runner performance — the self-hosted runner is about 40 percent faster on cold start thanks to a new artifact cache layout and lazy loading of detector bundles.
  • 100-level scan — the entry-tier scan (what we call the 100-level scan) now includes manifest hygiene checks in addition to the core SCA pass. You no longer need to opt into a separate job to catch a missing integrity field or a committed .npmrc with a token.
  • IDE extensions — the VS Code and JetBrains extensions both picked up inline remediation actions. If Griffin flags a vulnerable transitive, you can accept the proposed pin or bump directly from the gutter.

Deprecated

  • The sg legacy-sarif exporter is deprecated. The default exporter now emits SARIF 2.1.0 with reachability fields in the properties bag. The legacy exporter will be removed in Q1 2026.
  • The old per-repo API token flow is deprecated in favor of installation-scoped tokens. Per-repo tokens will keep working through Q4 2025.

How does reachability change what Griffin finds?

Reachability is the headline change, so it deserves a direct answer. In Q3 2025, Griffin stopped treating a vulnerable package as equivalent to a vulnerable application. The engine now builds a call graph from your entry points, walks it through your direct and transitive dependencies, and only flags a CVE if the vulnerable symbol is reachable along some path.

In practice this turns most dependency graphs from a wall of severities into a shortlist of things that can actually hurt you. Internally, when we ran Griffin 2.1 against our own monorepo, we saw the active queue drop from 412 findings to 37 — and of those 37, 12 were previously buried under noise and would have been missed.

Two things to know if you're adopting the new default:

  1. Reachability is computed per entry point. If you have multiple services in one repo, Griffin will show you which services a finding is reachable from.
  2. Reachability is a claim, not a guarantee. A dynamic require or a reflection-heavy codebase can still hide reachability. Griffin marks those edges as "inferred" and surfaces them differently in the UI.

What does the MCP server let agents actually do?

The MCP server exposes Safeguard's capabilities as tools that any MCP-compatible client can call. In Q3 this is most useful inside IDE agents — Claude Code, Cursor, and the JetBrains AI assistants all picked it up during the beta.

A typical agent session looks like this:

  • The agent calls scan.repo with the current working tree.
  • It receives a structured list of findings, each with a reachability verdict and a pre-computed remediation plan.
  • It calls remediation.plan for the findings it wants to address, which returns a patch that Gold would have opened as a PR.
  • The agent applies the patch locally, runs tests, and commits.

The MCP server is still in public beta through Q3. Rate limits are generous but present; production automations should use the workflow engine and not the MCP server directly until we graduate it.

What changed in Lino and Eagle this quarter?

Lino picked up Kubernetes runtime hooks and a new behavioral model for short-lived pods. The practical effect is that Lino can now tell the difference between "this container made one DNS call at startup" and "this container is beaconing every 30 seconds." The first is almost always fine; the second is almost always worth paging on. Lino's runtime signal also feeds back into Griffin's reachability model — if a symbol is statically reachable but never executed across a representative runtime sample, Griffin downgrades its priority.

Eagle shipped container profiles and a faster layer diff. The layer diff is the less flashy change but the one most teams will feel day-to-day: Eagle now caches layer analyses by digest and only re-scans the layers that actually changed between tags. For teams that rebuild images frequently, this dropped scan times from minutes to seconds.

Why did we ship a desktop app in Q3?

Two reasons. First, a large share of our users were running sg from a terminal and piping output into other tools, which was fine but made the experience feel thinner than it needed to be. Second, air-gapped and regulated environments kept asking for a way to drive the runner without granting the runner outbound access to our control plane. The desktop app solves both: it's a richer surface for everyday scans, and it can act as the tunnel endpoint for a runner that otherwise has no internet access.

The desktop app is not a replacement for CI. It's meant for interactive work — triaging a finding, re-running Griffin against a branch, inspecting a layer in an image. All of the same capabilities remain available via the CLI and workflows.

How Safeguard.sh Helps

The net effect of Q3 2025 is that Safeguard.sh now closes the loop from detection to remediation without asking developers to context-switch. Griffin decides what matters based on what is actually reachable. Eagle scores container findings against the base image's real attack surface. Lino confirms or denies the static picture with runtime evidence. Gold turns the remaining signal into PRs your team can merge. Workflows, the runner, the MCP server, the desktop app, and the IDE extensions are all surfaces over the same underlying engines, so the verdict you see in your editor is the same verdict that blocks a merge in CI. Q3 was the quarter we stopped shipping features in isolation and started shipping a platform.

What's next

Q4 2025 picks up where Q3 left off. The headline items on our roadmap:

  • Griffin reachability for Java and .NET (Q4 2025 beta, Q1 2026 GA).
  • Eagle SBOM attestations signed with in-toto and verifiable end-to-end from base image to deploy.
  • Lino runtime hooks for serverless (Lambda, Cloud Run).
  • Gold policy-aware remediation — PRs that respect your allowlist, deny list, and version constraints.
  • MCP server GA with tenant-scoped auth and per-tool quotas.
  • A redesigned 100-level scan output that reads like a report, not a log.

If you want early access to any of these, ping us at contact@hsxtechnologies.com.

release-noteschangelogproduct
Back to all articles

More on #release-notes

View all →
Product

Safeguard Q1 2026 Release Recap

7 min read
Product

Safeguard March 2026 Release Notes

7 min read
Product

Safeguard February 2026 Release Notes

7 min read
Product

Safeguard January 2026 Release Notes

7 min read

Related articles in Product

Product

Safeguard Q1 2026 Release Recap

A quarterly recap of Q1 2026 at Safeguard.sh: the signed chain from source to runtime, self-healing GA, taint tracking, and the air-gap installer.

March 31, 2026Read
Product

Introducing the Safeguard Marketplace: Extend Your Supply Chain Security

The Safeguard Marketplace brings community-built integrations, policy templates, and compliance packs to the platform.

March 25, 2026Read
Product

Introducing Safeguard TPRM: Evidence-Based Third-Party Risk Management

Safeguard's new TPRM module replaces vendor questionnaires with SBOM-driven, continuous third-party risk assessment.

March 22, 2026Read

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.