This PR solves one issue:
- False positives in ESC1 as identified by @vilacham in two articles: The Schrödinger’s ESC1 Vulnerability & The Schrödinger’s ESC1 Vulnerability: Benchmark Update. The new detection logic has been applied to all template-based ESCs.
Additionally, the PR improves the following functionality:
- Previously, when template-based ESCs were identified along with 1+ ESC5 issues on the Certification Authority object itself, Locksmith would only raise the risk score by one point, regardless of how many principals could abuse this configuration. This release adds some granularity to this additional risk.
There were also some minor wording changes. Thanks, Copilot!
What's Changed
- Patches and Lint Removal by @SamErde in #251
- Syncing testing to main by @jakehildreth in #252
- Fix anchor and TOC hyperlink by @SamErde in #253
- Sync testing w/Main by @jakehildreth in #254
- Resolve permissions issue in Deploy MkDocs.yml by @SamErde in #259
- Added description about ESC by @andrePKI in #258
- Updates The Arose From a Demo by @jakehildreth in #260
- fix: new logic should resolve ESC1 false positives. by @jakehildreth in #262
- fix: applied updated ESC1 detection logic to other template-based ESCs by @jakehildreth in #264
- 2025.9.8 - Reduced False Positives! by @jakehildreth in #265
New Contributors
- @andrePKI made their first contribution in #258
- @vilacham provided the impetus to get this release out the door.
Full Changelog: v2025.5.26...v2025.9.8
Contributors
SamErde, vilacham, and 2 other contributors