Roadmap
Updated 2026-06 for v2.8.4. The full ROADMAP.md lives in the repo.
✓ Shipped
v2.8.4
2026-06-10GUI-focused quality + UX. 2 Critical + 7 High + 12 Medium/Low bugs (grid overlap, multi-target window crash, prefs corruption, filter persistence, patchstack token wiring, exit-during-scan thread join, mobile_api CORS). 10 UX wins (4 new keyboard shortcuts, sash position persistence, multi-select, "Copy CLI" + "★ Star" toolbar buttons). Closes the biggest UX gap: GUI now surfaces the v2.8.x emit/push/ai families (14 export formats + 16 push providers + 3 AI helpers) via Export As… / Push to… submenus + right-click context items. Mobile PWA gains POST /api/scan, per-finding detail, OPTIONS preflight, and a QR-code launcher. +31 tests (1066 → 1097).
v2.8.3
2026-06-01
Bug-fix + dead-code-cleanup + test-coverage-boost. 5 new checks
(Interactivity API XSS, WC Stores API rate-limit oracle, HPOS
drift, cookie cosmetic-vs-blocking, plugin slug-squat). 3 new
integrations (Sentry / DataDog / DefectDojo). 1 new AI helper
(LLM-generated WAF rules). 9 UX wins:
wpsecscan init,
check disable/enable,
benchmark,
export-config,
compare-pypi-version,
SOCKS5 proxy fix, GUI Quick-scan button + severity legend,
--single-page-html.
+61 tests (1005 → 1066).
v2.8.2
2026-05-31
Hotfix + dead-code wiring. Fixed v2.8.1 CI progress-callback
signature regression + argparse --out/--output
abbreviation conflict. Wired the v2.8.1 SDK modules to real
CLI surface: wpsecscan emit
(14 export formats), push
(13 integrations), ai
(6 LLM helpers). +75 tests.
v2.8.1
2026-05-3117 new WP/WC defensive checks (cart-abandonment XSS, Stripe Connect state-CSRF, ActivityPub leak, FSE global-styles, multisite IDOR/RBAC, Next.js secret leak, AI-agent tool injection, WC multi-vendor IDOR, WebAuthn RP-ID, WC refund-flow IDOR …). 13 new integrations (GitLab CI / CircleCI / Azure DevOps / Buildkite / Shortcut / Plane / Nuclei / OSV / ExploitDB / Wiz / chat / hosting / automation). 11 AI helpers + 16 compliance frameworks (HIPAA / GDPR / FedRAMP / CE+ / E8 / CMMC L2 / SPDX / in-toto / CEF / LEEF / SCIM / multi-tenant / white-label / CAB / risk-register / attestation-letter).
v2.8.0
2026-05-31Third mega-audit pass. 57 fixes/additions: 46 bugs + 5 features (WC coupon-enum, headless CORS lockdown, Trusted Types CSP, 5-tier smart-explain, interactive HTML dashboard with filter+search) + 8 UX wins.
v2.7.0 – v2.7.3
2026-05-24 – 2026-05-27PyPI Trusted Publishing (OIDC). 15 enterprise integrations: Vault/1Password secret read, Snyk import, HackerOne template, VirusTotal/urlscan enrichment, MSFT Sentinel KQL, AWS Security Hub, GCP SCC, PagerDuty AIOps, statuspage, Linear/Asana/ClickUp/Monday push, Teams reaction snooze. ZAP + Wapiti exports. Two mega-audit bug-fix waves.
v2.4.0 – v2.6.x
2026-05-23 – 2026-05-24Round-66 through Round-72 feature waves (collapsed): marketplace + check signing, attack checkpoint resume, checkpoint compare, share-link finder, daemon REST API, continuous-monitor framework, scheduler v2, RBAC/SSO/SAML/OIDC, audit-log HMAC chain, mobile PWA, replay-prompt, freeze/restore, tournament mode, AI-agent recommended-probes, triage TUI, rotation cron sharder.
v2.3.0 (Round-65)
2026-05-24Group C — 10 AI-triage features (opt-in, behind Advanced AI options panel). Opt-in transparent local-first usage analytics.
v2.2.0 (Round-64)
2026-05-24165 features across 18 groups: active exploit verification, continuous monitors, 10-provider threat-intel federation, SLSA L3 signed releases, 26 new attack-surface checks, enterprise mode, 9 distribution channels.
v2.1.0 (Round-63)
2026-05-238-source nightly CVE aggregator.
v2.0.0 (Round-62)
2026-05-20AGPLv3 relicense. WP companion plugin. 15 compliance frameworks.
⏳ In progress (next 30 days)
- • Real third-party security audit (RFI to PFI firms)
- • OpenSSF Scorecard score > 7.0
- • React Native + Capacitor mobile clients (PWA shipped; native still scaffolded)
- • ✓ DONE in v2.7.3: public release on PyPI with PEP 740 Sigstore attestations
📅 v2.9.0 (Q3 2026)
- • Subpackage rename refactor —
integrations_v27/perf_v27/mobile_v27/trust_v27/edu_v27consolidated under their canonical names - • Full
rbac.require()wiring across the CLI dispatch;sso.jsonconsumption at daemon startup; approval-workflow gate on marketplace install - • Local RAG CVE corpus (offline-first vector search)
- • Offline quantized model bundle (~2GB GGUF) for AI helpers without an API key
- •
json_migrations.load_versioned()wired into all 3 unversioned-JSON readers - • SOC2 TSC control catalogue (
wpsecscan ai control-map --framework soc2currently returns "not yet shipped") - • GUI tab-order audit, multi-target window with per-URL status, splash screen during slow imports
- • Kubernetes operator implementation
- • Distributed coordinator across N workers
- • Check marketplace (third-party check signing + community trust score)
- • Spanish + German GUI localisation
📅 Q4 2026 (v3.0.0)
- • EV code-signing certificate (Defender FP elimination)
- • E&O insurance program
- • Third-party audit report published
- • Annual State of WP Security report (inaugural edition)
✗ Things we will NOT do
- • Add telemetry that's not opt-in (PROMISE)
- • Move to a paid-only model — the open-source scanner stays open
- • Accept code from PRs without unit tests
- • Add JS-runtime requirements to the .exe distribution (keeps Defender FP rate low)
Influence the roadmap
Tell us what you'd find most useful. Direct line to the maintainer.