Hipcheck 3.15.0 Release

Written by Andrew Lilley Brinker

Posted on May 6, 2026

Hipcheck 3.15.0 is out! This release includes enhancements to affiliation analysis, official support for Arm64 Linux, improvements to the plugin API in the Rust SDK, and more.

For the unfamiliar, Hipcheck is a tool to help open source software users decide what dependencies to use by assessing project practices and by detecting possible malicious activity.


🚚  What's Been Released?

Package                                  New Version
hc                                       3.15.0
mitre/activity plugin                    0.6.0
mitre/affiliation plugin                 0.6.0
mitre/binary plugin                      0.5.0
mitre/churn plugin                       0.6.0
mitre/entropy plugin                     0.6.0
mitre/fuzz plugin                        0.4.0
mitre/git plugin                         0.6.0
mitre/github plugin                      0.5.0
mitre/identity plugin                    0.6.0
mitre/linguist plugin                    0.5.0
mitre/npm plugin                         0.5.0
mitre/review plugin                      0.5.0
mitre/typo plugin                        0.5.0
Rust SDK (hipcheck-sdk on Crates.io)     0.7.0

If you're using any of these plugins, be sure to bump their version constraints in your policy file to get the new releases:

- plugin "mitre/activity" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/activity.kdl"
- plugin "mitre/affiliation" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/affiliation.kdl"
- plugin "mitre/binary" version="^0.4" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/binary.kdl"
- plugin "mitre/churn" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/churn.kdl"
- plugin "mitre/entropy" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/entropy.kdl"
- plugin "mitre/fuzz" version="^0.3" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/fuzz.kdl"
- plugin "mitre/git" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/git.kdl"
- plugin "mitre/github" version="^0.4" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/github.kdl"
- plugin "mitre/identity" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/identity.kdl"
- plugin "mitre/linguist" version="^0.4" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/linguist.kdl"
- plugin "mitre/npm" version="^0.4" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/npm.kdl"
- plugin "mitre/review" version="^0.4" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/review.kdl"
- plugin "mitre/typo" version="^0.4" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/typo.kdl"
+ plugin "mitre/activity" version="^0.6" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/activity.kdl"
+ plugin "mitre/affiliation" version="^0.6" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/affiliation.kdl"
+ plugin "mitre/binary" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/binary.kdl"
+ plugin "mitre/churn" version="^0.6" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/churn.kdl"
+ plugin "mitre/entropy" version="^0.6" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/entropy.kdl"
+ plugin "mitre/fuzz" version="^0.4" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/fuzz.kdl"
+ plugin "mitre/git" version="^0.6" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/git.kdl"
+ plugin "mitre/github" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/github.kdl"
+ plugin "mitre/identity" version="^0.6" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/identity.kdl"
+ plugin "mitre/linguist" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/linguist.kdl"
+ plugin "mitre/npm" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/npm.kdl"
+ plugin "mitre/review" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/review.kdl"
+ plugin "mitre/typo" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/typo.kdl"
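As an added illustration of why the constraints above have to change (this is not code from the Hipcheck project): a caret requirement on a 0.x version only admits releases with the same minor number, so `^0.5` never resolves to 0.6.0. It assumes the policy file's `version` field follows standard semver caret semantics, which the need to bump it implies; `Version`, `caret_range` and `caret_matches` are names chosen here.

```rust
// Added example, not Hipcheck's own resolver. Models Cargo-style caret
// requirements: `^a.b.c` accepts any version from a.b.c up to, but not
// including, the next version that may break compatibility.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
struct Version {
    major: u64,
    minor: u64,
    patch: u64,
}

/// Split "1", "0.5" or "0.5.2" into numeric components (at most three).
fn parse_parts(s: &str) -> Option<Vec<u64>> {
    let parts: Vec<u64> = s.split('.').map(|p| p.parse().ok()).collect::<Option<_>>()?;
    if parts.is_empty() || parts.len() > 3 {
        return None;
    }
    Some(parts)
}

fn parse_version(s: &str) -> Option<Version> {
    let p = parse_parts(s)?;
    Some(Version { major: p[0], minor: *p.get(1).unwrap_or(&0), patch: *p.get(2).unwrap_or(&0) })
}

/// Lower bound (inclusive) and upper bound (exclusive) of a caret requirement.
fn caret_range(req: &str) -> Option<(Version, Version)> {
    let parts = parse_parts(req.strip_prefix('^')?)?;
    let at = |i: usize| parts.get(i).copied().unwrap_or(0);
    let lower = Version { major: at(0), minor: at(1), patch: at(2) };
    // The compatibility boundary is the first nonzero stated component (or the
    // last stated one when all are zero). For `^0.5` that is the minor number,
    // so the range ends just before 0.6.0. Components before it are zero anyway.
    let pivot = parts.iter().position(|&p| p != 0).unwrap_or(parts.len() - 1);
    let mut bound = [0u64; 3];
    bound[pivot] = at(pivot) + 1;
    let upper = Version { major: bound[0], minor: bound[1], patch: bound[2] };
    Some((lower, upper))
}

fn caret_matches(req: &str, version: &str) -> bool {
    match (caret_range(req), parse_version(version)) {
        (Some((lo, hi)), Some(v)) => lo <= v && v < hi,
        _ => false,
    }
}

fn main() {
    for (req, v) in [("^0.5", "0.5.0"), ("^0.5", "0.6.0"), ("^0.6", "0.6.0")] {
        println!("{req} matches {v}: {}", caret_matches(req, v));
    }
}
```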

📦  New Features

👥  Enhanced mitre/affiliation with GitHub profile information

The mitre/affiliation plugin performs affiliation analysis, looking for contributors to a project who may be affiliated with a configurable set of "organizations of concern," or who may not have an identifiable affiliation.

Historically, this analysis was very limited and used only the identity information available in a source repository's Git commits. That information is both subject to misinformation (users can freely provide whatever identity information they want) and a very limited data source.

To make this analysis more robust, we've added support for enriching identity information with additional data pulled from contributors' GitHub accounts. This is done opportunistically — if it's possible to match a Git contributor to a GitHub account, and if the relevant metadata is there, then Hipcheck will use it — so contributors without a GitHub account will continue to be matched with the existing mechanism.

This change is transparent, so simply upgrading to version 0.6.0 of the mitre/affiliation plugin in your policy file will get you the enhanced analysis.

💻  Support for arm64 Linux

Since GitHub added support for arm64 Linux runners to GitHub Actions, we've added arm64 Linux as an officially supported platform for all releases going forward. This means we'll produce prebuilt binaries for hc and all Hipcheck plugins for arm64 Linux, and our download manifests will be expanded to include that platform.

📋  Detect .spdx.json as an SPDX JSON input

Hipcheck supports SPDX Software Bills of Materials (SBOMs) as an input format. Normally Hipcheck tries to infer the "target type" from the URI provided; for local files, for example, it looks at the file extension. With this release, any file with the extension .spdx.json is inferred to be an SPDX JSON file.
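An added example (not Hipcheck's own inference code) showing the detail that matters for this change: .spdx.json is a double extension, so a check on the last extension alone sees only json and cannot tell an SPDX document from any other JSON file. `TargetType`, `last_extension` and `infer_target_type` are names chosen here, and every target type other than SPDX JSON is collapsed into `Unknown`.

```rust
// Added example, not Hipcheck's own code.
use std::path::Path;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum TargetType {
    SpdxJson,
    Unknown, // every other target kind, collapsed for this example
}

/// What `Path::extension` reports: only the text after the final dot, so
/// `bom.spdx.json` and `settings.json` are indistinguishable here.
fn last_extension(path: &str) -> Option<String> {
    Path::new(path)
        .extension()
        .and_then(|e| e.to_str())
        .map(str::to_owned)
}

/// Suffix-based inference on the whole file name. A non-empty stem is
/// required, so a hidden file literally named `.spdx.json` is rejected.
fn infer_target_type(path: &str) -> TargetType {
    let name = match Path::new(path).file_name().and_then(|n| n.to_str()) {
        Some(n) => n,
        None => return TargetType::Unknown,
    };
    match name.strip_suffix(".spdx.json") {
        Some(stem) if !stem.is_empty() => TargetType::SpdxJson,
        _ => TargetType::Unknown,
    }
}

fn main() {
    // Constructed sample paths.
    for p in ["sbom/bom.spdx.json", "settings.json", ".spdx.json"] {
        println!("{p}: extension={:?}, inferred={:?}", last_extension(p), infer_target_type(p));
    }
}
```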

🔌  Error when a plugin is not in a policy file's plugins section

Policy files are how you set what analyses Hipcheck should run and how to score the results. Analyses are provided by plugins, which need to be declared in a plugins section in the policy file.

Previously, if a plugin was used in the analyze section of a policy file but not listed in its plugins section, Hipcheck would silently continue without issuing an error or warning, provided the plugin could be found in Hipcheck's on-disk plugin cache.

With this release, Hipcheck now produces an error, reminding you to add the plugin to the plugins section if you want to use it. This makes usage of Hipcheck more predictable and ensures users don't have silently-broken policy files that work on their machine but won't work on other machines.

🧰  Improved query registration API in the Rust SDK

The Rust Hipcheck SDK enables you to write custom plugins for Hipcheck in Rust. It's actually how we define our own first-party plugins. This release improves the mechanism for registering queries in a plugin you define with this SDK.

"Queries" are the actual "functions" supported by the plugin. A plugin declares queries that can be called by other plugins, and the results returned by plugin queries are cached by hc to enable reuse during a Hipcheck run (allowing, for example, multiple analyses to reuse some expensive-to-compute intermediate data like Git diffs).

With this new API, you continue to annotate query functions (functions that are registerable as queries within a plugin) with the #[query] macro. This defines the query.

Then you can register your queries using the queries! macro inside of the Plugin trait impl, like this example from the mitre/affiliation plugin:

impl Plugin for AffiliationPlugin {
    // ... Other function impls
 
    queries! {
        #[default] affiliation
    }
}

#[query]
async fn affiliation(engine: &mut PluginEngine, key: Target) -> Result<Vec<bool>> {
    // ...
}

In the queries! macro you can annotate one query with #[default]. That defines the "default query," which always takes a Target as its input type and makes the plugin usable as a "top-level" plugin within a user's policy file.

🧳  Misc. other improvements

We also made a number of smaller improvements, bumping versions of most dependencies, bumping the Cargo resolver to version 3 of the resolution algorithm, and reducing the size of the error type when dealing with policy expression parsing errors.

🗺️  How to Get Involved

We're always looking for new contributors! If you'd like to learn more about Hipcheck and get involved in contributing, please check out our Roadmap and feel free to get in touch with us through our Discussions board!

⭐️  Thank You to Our Contributors and Supporters

As always, we want to say a big "Thank you!" to everyone who supports the project at MITRE, to our prior government sponsors who have helped advance Hipcheck, and to everyone who has contributed, given feedback, or encouraged us in building it.

The following people contributed to this release: