We are happy to announce SBOMscanner v0.11.0. This release introduces an MCP server for AI assistants, a new way to target a subset of a registry from a ScanJob, supply chain hardening with zizmor, and several fixes for race conditions in the storage controller watches.
MCP server
SBOMscanner now ships an MCP server that puts everything the controller knows in front of your AI assistant of choice. Instead of crafting kubectl queries across CRDs and joining the results in your head, you can ask Claude, Claude Code, GitHub Copilot, or any other MCP client questions like “which workloads in cluster prod are running an image with a critical CVE?
Read more...
This Admission Controller 1.35 release is one that builds the nest properly: load-bearing branches first, then careful weaving. A moderate security vulnerability has been fixed, and rather than a quick twig stuffed in a gap, the team reinforced the whole structure. This release also brings a new policy, an expansion of our threat model, and a JavaScript/TypeScript SDK relocation.
Security fix: RBAC reconnaissance and host capability calls
Kubewarden makes the following security promise:
Read more...
After the big blooms of 1.33, this release turns its attention to the garden fence: making sure our CI pipelines are sturdy, our supply chain is trustworthy, and a nagging bug in kwctl gets pulled out by the roots. Nothing flashy, but the kind of care that keeps the garden healthy for the long haul. Let’s take a look at what’s new!
Fix for kwctl scaffold command
When using kwctl command scaffold manifest with a policy URI that omits an explicit tag (e.
Read more...
The Kubewarden ecosystem continues to expand its supply chain security capabilities! Hot on the heels of the Admission Controller 1.33 release, we are excited to announce SBOMscanner v0.10.0. This release introduces powerful new features and critical stability fixes. Let’s dive in!
Workload Scan
Until now, SBOMscanner required explicit Registry configurations to scan images. However, what usually matters most are the images actively running in your cluster.
The new Workload Scan feature automatically discovers and scans container images based on live workloads.
Read more...
The garden is thriving and Kubewarden 1.33 is ready to bloom! Following last release’s big repotting, this one is serious about pruning, including a security issue. It’s not all housekeeping though, fresh flowers are blooming and come with nice features: BYO-PKI landing in the policy-server, field mask filtering for context-aware calls, proxy support, and a few more treats. Let’s dig in!
Security fix: Cross-namespace data access, removal of deprecated API calls
In our previous post we explained how our architecture protects namespaced policy users from privilege escalations.
Read more...
Why Kubewarden is not affected by CVE-2026-22039
The recent vulnerability CVE-2026-22039 is doing the rounds in the Kubernetes security community, with dramatic titles such as “How an admission controller vulnerability turned Kubernetes namespaces into a security illusion”. You can read about people doubting admission controllers, claiming they have too much power or represent too high-value a target.
In this blog post, we reassure Kubewarden users that they aren’t affected thanks to our architecture, and explain why.
Read more...
Another year rolls around, and Kubewarden is still growing like a well-watered houseplant! Kubewarden got a New Year’s resolution to tidy up and repot, and has gone full on with digital gardening. This release is a maintenance one, with big moves to monorepos and a refresh in release artifacts.
New Admission Controller monorepo
With the addition of SBOMscanner to the Kubewarden harvest, we saw a great opportunity for cleanup on the Admission Controller side.
Read more...
Join us in celebrating a fruitful 2025 for the Kubewarden project!
The team has spent time planting kernels and enjoying the fruit of the grown ideas. Let’s look together at what the basket brings as we say ciao to 2025. Grab anything you like for the trip!
Expanding the Scope: Introducing SBOMscanner
2025 saw Kubewarden expand beyond admission policies with the introduction of SBOMscanner, a new project donated to CNCF under the Kubewarden umbrella.
Read more...
Preparing for season celebrations, Kubewarden grabbed its running shoes and went for a lively jog. This release is about keeping your cluster environment fit and lively: a new policy, new Sigstore airgap features, backup support, and new resource limits for our Helm charts, among other things.
The running group is growing too!
New peer project: SBOMscanner
As announced some weeks ago, the Kubewarden family is growing with the addition of SBOMscanner.
Read more...
Writing Kubewarden policies is now even more accessible. Today, we’re excited to announce the alpha release of the Kubewarden JavaScript/TypeScript SDK, bringing policy development to the world’s most popular programming language.
Why JavaScript for Kubernetes Policies?
Kubewarden has always been about choice, letting you write policies in the language you’re most comfortable with. The JavaScript/TypeScript SDK opens Kubewarden to an entirely new audience, the millions of developers already familiar with the JavaScript ecosystem.
Read more...