GitHub Actions OIDC Federation: Stability and Performance Improvements
OIDC federation between GitHub Actions and Takumi Guard / Shisho Cloud now operates reliably even when connectivity to GitHub is unstable.
Takumi blackbox assessments now crawl more pages within the credit limit you set, improving endpoint discovery coverage.
Takumi Guard now supports RubyGems alongside npm and PyPI.
Ruby projects using Bundler can now route installs through Takumi Guard to block known-malicious packages before they reach your CI or development environment.

Vulnerability Verification now supports vulnerabilities beyond Takumi assessment results. You can verify findings from bug bounties, third-party audits, and other sources directly in Takumi.
Takumi Guard now supports organization-level breach notifications. When a package you previously downloaded through Guard is later flagged as malicious, notifications can now be delivered to a webhook endpoint and an email address that your organization chooses.
You can now issue organization user tokens (tg_org_) directly from the Takumi Guard tokens page in the Shisho Cloud console. This is in addition to the existing Guard API flow and lets you issue new tokens in just a few clicks.
Assessment reports from whitebox and blackbox assessments can now be exported as PDF.
We've added Vulnerability Verification to Takumi blackbox assessments. This feature lets you verify whether a vulnerability detected in a past assessment has actually been fixed.
Takumi Guard now provides deployment scripts for organization-wide setup. Administrators can roll out Guard to all developer machines using their existing management tools — no developer interaction required.
Takumi Guard now provides searchable package installation logs for your organization. Track every npm and PyPI package download that passes through the Guard registry proxy.
