AppSec Santa Weekly is a weekly newsletter that tracks new AppSec tools and the latest releases from 196+ existing ones. Each issue covers what shipped, what changed, and why it matters.
This is the first issue โ every week I dig through GitHub releases, vendor blogs, and changelogs so you don’t have to.
The big story this week: OpenAI announced it’s acquiring Promptfoo , the fastest-growing open-source LLM security tool. More on that below.
This Week at a Glance
29 releases across 6 active categories this week.
- SCA (9) โ Renovate 5 releases, Grype CVE detection fix, Dependency-Track 4.14
- IaC Security (3) โ Mondoo v13 + $17.5M raise, OPA Gatekeeper v3.22 (breaking default)
- AI Security (3) โ OpenAI acquires Promptfoo; 3 releases in 7 days before the deal
- SAST (3) โ Semgrep v1.155, OpenGrep v1.16.4, TruffleHog LDAP fix
- ASPM (3) โ DefectDojo 2.56.1, Harbor dual-track releases
- Mobile (2) โ Frida 17.8, Ostorlab v1.14
Quiet this week: DAST (Nuclei hit 23K stars though), IAST, RASP, API Security
New on the Radar
Three things stood out this week:
OpenAI acquires Promptfoo โ The biggest AI security deal so far. Promptfoo (13.2K stars, $18.4M Series A) shipped 3 releases in the 7 days before the announcement.
The team will join OpenAI. If you’re using Promptfoo for LLM red-teaming, keep an eye on what happens to the open-source project post-acquisition.
Mondoo raises $17.5M โ Fresh funding (details ) and a major v13 release in the same week. Mondoo reported 7x revenue growth over the past year โ the funding will go toward U.S. and EMEA expansion.
OpenGrep continues to build momentum as an independent fork of Semgrep’s open-source engine. Both OpenGrep (v1.16.4) and Semgrep (v1.155) shipped this week on roughly weekly cadences. If you’ve been watching this space, the two codebases are diverging enough that teams using community rules should test compatibility with both.
Notable Updates
- Mondoo v13 โ Overhauls Terraform deprecation checks (changelog ); test in staging before upgrading
- OPA Gatekeeper v3.22 โ VAP enforcement scope now enabled by default; may change production behavior
- Promptfoo 0.120โ0.121 โ Three releases in 7 days, then OpenAI acquisition announced
- Grype v0.109.1 โ Fixed a missed CVE detection for a known-bad JAR (release notes ); upgrade if you scan Java
- Dependency-Track 4.14 โ Most significant SCA platform release in months
- Renovate 43.65 โ Five releases this week, Bazel lock file support landed
- Frida 17.8 โ New release for the go-to mobile instrumentation toolkit
IaC Security
Both Mondoo and OPA Gatekeeper shipped major versions this week โ the busiest week for IaC security in a while.
Mondoo v13 adds typed requiredProviders support for Terraform, better PAN-OS filtering, and tighter policy scoping. This release comes alongside a $17.5M funding round
led by HV Capital โ Mondoo reported 7x revenue growth over the past year.
If you’re using Mondoo for Terraform checks, the deprecation handling overhaul means you should test in staging before upgrading.
Gatekeeper v3.22 flips sync-vap-enforcement-scope to on-by-default โ a small config change with real production impact for anyone running ValidatingAdmissionPolicy.
My take: Gatekeeper flipping this default is the kind of change that catches production teams off guard. If you’re running VAP in a cluster and haven’t pinned your Gatekeeper version, this upgrade could silently change which namespaces your policies enforce on. Test in staging before upgrading โ or at minimum, read the v3.22 migration notes .
Checkov 3.2.508 patched a race condition in the secrets scanner โ race conditions in security scanners cause missed findings, so this is worth upgrading for.
SCA
Nine releases across the SCA category โ by far the busiest this week.
Renovate shipped five releases in seven days, including Bazel module lock file support that closes a gap for monorepo-heavy shops.
The bigger story is Grype v0.109.1: a fix for a bug where a known CVE wasn’t being detected even when the vulnerable JAR was present.
A scanner that misses known CVEs is worse than no scanner โ it creates false confidence. If you’re running Grype against Java projects in CI, upgrade immediately.
My take: Anchore disclosed this Grype bug transparently and shipped a fix fast, which is the right thing to do. But it raises a harder question: how many other scanners have similar blind spots that nobody’s caught yet? The SCA space badly needs independent detection benchmarks โ something like AppSec Santa’s CandyShop benchmark but focused on CVE coverage gaps rather than overall detection rates.
FOSSA added Solace proprietary license detection and fixed Conda analysis for newer conda versions. The Conda fix matters if you have ML/data science repos โ broken package analysis means missed license violations.
Dependency-Track 4.14 is the most significant release from this open-source SBOM platform in months.
SAST
Semgrep v1.155 and OpenGrep v1.16.4 both shipped this week on weekly cadences.
TruffleHog v3.93.8 made LDAP verification context-aware, cutting false positives in secret detection. Every false positive that gets ignored makes the next real finding more likely to be ignored too โ so this kind of improvement has a compounding effect on usability.
AI Security
The headline: OpenAI is acquiring Promptfoo . The deal was announced March 9 โ terms weren’t disclosed, but the Promptfoo team (founded by Ian Webster and Michael D’Angelo) will join OpenAI.
Promptfoo had raised an $18.4M Series A in July 2025 led by Insight Partners with a16z participation. At 13.2K stars, it was the fastest-growing tool in AI security โ and it shipped 3 releases in the 7 days leading up to the acquisition announcement.
My take: The open question is what happens to Promptfoo’s open-source project. OpenAI says the team is joining โ but will the OSS repo stay actively maintained, get folded into OpenAI’s internal tooling, or slowly go dormant? If you’re running Promptfoo in your eval pipeline, this is worth watching closely. No need to panic-migrate, but I’d hold off on deep integrations until OpenAI clarifies the roadmap.
Mobile Security
Frida 17.8 shipped with continued improvements to the dynamic instrumentation toolkit. Frida’s position in mobile security is unique โ it’s simultaneously a pen-testing tool, a reverse engineering framework, and an instrumentation layer, with no real competitor in that combined space.
Ostorlab v1.14 added agent group naming, pointing toward multi-app enterprise mobile scanning workflows.
ASPM
DefectDojo 2.56.1 is a maintenance release, but DefectDojo remains the go-to open-source vulnerability management platform โ worth tracking if you’re comparing it against commercial ASPM tools .
Harbor shipped dual-track releases (v2.13.5 & v2.14.3). Maintaining two active release tracks signals mature adoption โ most tools in this space don’t need to support multiple major versions simultaneously yet.
Quiet This Week
No releases from IAST , RASP , or API security this week.
Deals & Funding
- OpenAI acquires Promptfoo โ The biggest AI security deal yet. Promptfoo’s LLM red-teaming and eval platform (13.2K stars, $18.4M raised) joins OpenAI. Terms undisclosed.
- Mondoo raises $17.5M โ Led by HV Capital with Atomico and Firstminute Capital. Total raised now $32.5M. Mondoo reported 7x revenue growth and 4.4x customer expansion over the past year.
Star Watch
GitHub star movements worth noting:
- Harbor ~24K โ One of the most-starred CNCF security projects
- Nuclei 23K โ Growing without a release this week; the community template ecosystem is the real driver
- Renovate 21K โ Most-starred dedicated dependency update tool on GitHub
- Promptfoo 13.2K โ Now OpenAI-owned; star velocity was highest in AI security before the deal
Quick Hits
- Checkov 3.2.508 patched a race condition in the secrets scanner
- SCANOSS v1.49 fixed multi-line import block handling for license compliance
- FOSSA v3.16.2 fixed Conda analysis for newer conda versions
On AppSec Santa This Week
Updated this week:
- Promptfoo Updated with OpenAI acquisition details, $18.4M Series A funding history, and status changed to acquired.
- Mondoo Added $17.5M funding round and v13 release info.
- Grype
Added the v0.109.1 CVE detection fix for JAR scanning.
- Renovate Added Bazel lock file support from the v43.65 release cycle.
- OpenGrep Updated version to 1.16.4.
- OPA Gatekeeper Updated to v3.22 with the VAP enforcement scope breaking change.
Most read this week: Semgrep , Snyk , Burp Suite , Nuclei , Checkmarx
If you spot anything outdated or wrong on a tool page, reply to this email โ I update pages based on reader feedback.
Worth Reading
The State of Software Supply Chain Security 2026 (Chainguard) โ Annual report with hard data on SBOM adoption rates and CVE remediation timelines across industries. Good ammunition if you’re building a business case for SCA tooling.
KubeCon EU 2026: Shift-Left Is Dead, Long Live Shift-Everywhere โ Liz Rice’s keynote argues that “shift left” created a false binary between dev-time and runtime security. The winning tools are the ones covering both.
Semgrep vs. OpenGrep: A Technical Fork Analysis (Trail of Bits blog) โ Detailed breakdown of how the two codebases are diverging, which rule sets are compatible, and what it means for teams that need to pick a side.
OWASP SBOM Forum: Minimum Viable SBOM Requirements โ If you’re generating SBOMs for compliance, this draft spec defines what “good enough” actually looks like. Worth reading before your next audit.
Wrapping Up
That’s issue #1 โ 29 releases tracked across 10 categories.
I track 69 GitHub repos, 91 vendor blogs, and industry news sources every week. If a tool ships a release, changes its pricing, or gains traction โ it’ll show up here.
If you found this useful, forward it to a colleague who’d benefit.
And if I missed something or got something wrong, just reply โ I read every response.
See you next Tuesday.
AppSec Santa Weekly covers new tools and the latest releases from 196+ AppSec tools. Browse all tools or subscribe for weekly updates.