
Release Notes v0.4.0

Release date: 2026-02-26

Overview

This release adds comprehensive SVG security scanning and sanitization to detect and remove malicious elements that could enable XSS attacks or session hijacking. Security scanning is now integrated into the processing pipelines with full CI support.

New Features

Security Scanning Package

New svg/security package for programmatic security scanning with 7 threat types:

| Threat Type        | Severity | Description                                      |
|--------------------|----------|--------------------------------------------------|
| ThreatScript       | Critical | Script elements, javascript:/vbscript: URIs      |
| ThreatEventHandler | Critical | Event handler attributes (onclick, onload, etc.) |
| ThreatExternalRef  | High     | External URLs, foreignObject elements            |
| ThreatXMLEntity    | High     | DOCTYPE/ENTITY declarations (XXE prevention)     |
| ThreatAnimation    | Medium   | Animation elements (animate, set, etc.)          |
| ThreatLink         | Medium   | Anchor elements                                  |
| ThreatStyleBlock   | Low      | Style elements                                   |

Scan Levels:

  • ScanLevelStrict — Detects all 7 threat types
  • ScanLevelStandard — Detects only critical/high severity threats

Functions:

  • security.SVG(path) — Scan single file
  • security.SVGWithLevel(path, level) — Scan with specified level
  • security.Directory(path) — Scan directory (non-recursive)
  • security.DirectoryRecursive(path) — Scan directory tree
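To make the threat table and the two scan levels concrete, here is an added Go example that is not code from the brandkit project: it tokenizes an SVG with encoding/xml and classifies findings into the seven threat types, dropping Low/Medium findings when strict is false. The function name ScanContent, the element-to-threat mapping and the xmlns skip are assumptions about how such a scanner can be built, not the package's actual implementation.

```go
package main

import (
	"encoding/xml"
	"io"
	"strings"
)

// Severity mirrors the release-notes table; the Standard level reports only High and Critical.
type Severity int
const ( Low Severity = iota; Medium; High; Critical )
// Threat is one finding: threat type name (as in the table), severity, and what triggered it.
type Threat struct{ Type string; Severity Severity; Detail string }
// Elements that are threats on their own (assumed mapping; the real package's table may differ).
var elementThreats = map[string]Threat{
	"script": {"ThreatScript", Critical, "<script>"}, "foreignObject": {"ThreatExternalRef", High, "<foreignObject>"},
	"animate": {"ThreatAnimation", Medium, "<animate>"}, "set": {"ThreatAnimation", Medium, "<set>"},
	"a": {"ThreatLink", Medium, "<a>"}, "style": {"ThreatStyleBlock", Low, "<style>"},
}
// ScanContent tokenizes the SVG with encoding/xml (no entity expansion, no network) and returns the
// threats in document order; strict=false keeps only High/Critical, like ScanLevelStandard.
func ScanContent(svg string, strict bool) ([]Threat, error) {
	var found []Threat
	add := func(t Threat) { if strict || t.Severity >= High { found = append(found, t) } }
	dec := xml.NewDecoder(strings.NewReader(svg))
	dec.Strict = false // tolerate sloppy markup; unknown entities are passed through, never expanded
	for {
		tok, err := dec.Token()
		if err == io.EOF { return found, nil }
		if err != nil { return found, err }
		switch t := tok.(type) {
		case xml.Directive: // <!DOCTYPE ...>, including any inline <!ENTITY ...> declarations
			if strings.HasPrefix(strings.ToUpper(string(t)), "DOCTYPE") { add(Threat{"ThreatXMLEntity", High, "DOCTYPE/ENTITY declaration"}) }
		case xml.StartElement:
			if th, ok := elementThreats[t.Name.Local]; ok { add(th) }
			for _, a := range t.Attr {
				if a.Name.Space == "xmlns" || a.Name.Local == "xmlns" { continue } // namespace URIs are not external refs
				name, val := strings.ToLower(a.Name.Local), strings.ToLower(strings.TrimSpace(a.Value))
				switch {
				case strings.HasPrefix(name, "on"):
					add(Threat{"ThreatEventHandler", Critical, name + " attribute"})
				case strings.HasPrefix(val, "javascript:") || strings.HasPrefix(val, "vbscript:"):
					add(Threat{"ThreatScript", Critical, name + " has script URI"})
				case strings.HasPrefix(val, "http://") || strings.HasPrefix(val, "https://"):
					add(Threat{"ThreatExternalRef", High, name + " loads external URL"})
				}
			}
		}
	}
}
```

The xmlns skip matters in practice: every namespaced SVG declares http://www.w3.org/2000/svg, and a scanner that treats that URI as an external reference flags every file.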

Sanitization

Remove threats while preserving valid SVG content:

  • security.Sanitize(input, output, opts) — Sanitize file
  • security.SanitizeContent(content, opts) — Sanitize in memory

Options:

  • RemoveScripts — Remove script elements only
  • RemoveEventHandlers — Remove on* attributes only
  • RemoveExternalRefs — Remove external URLs only
  • RemoveAll — Remove all threat types (default)

Report Generation

Generate JSON reports following the multi-agent-spec team-report format:

report := security.GenerateReport(results, "project", "version")
jsonBytes, _ := report.ToJSON()

CLI Commands

| Command                                  | Description                                                  |
|------------------------------------------|--------------------------------------------------------------|
| brandkit security-scan [path]            | Scan with --report, --strict, --project, --version flags      |
| brandkit security-scan-all [path]        | Recursive scanning for CI                                    |
| brandkit sanitize <input> -o <output>    | Remove threats with selective options                        |

Pipeline Integration

The white and color commands now include security scanning by default:

# Fails if threats detected (default)
brandkit white icon.svg -o icon_white.svg

# Warns but doesn't fail
brandkit white icon.svg -o icon_white.svg --insecure

Library functions ProcessWhite() and ProcessColor() also include security scanning.

MkDocs Documentation

Comprehensive documentation site using MkDocs Material theme:

  • CLI Reference for all commands
  • Library API documentation
  • Security Guide with threat descriptions
  • Brand asset catalog

Build: mkdocs build
Serve locally: mkdocs serve

WhatsApp Brand Icons

New brand icons for WhatsApp:

  • icon_orig.svg
  • icon_white.svg
  • icon_color.svg

CI/CD

  • Security scanning step added to verify.yaml workflow
  • Uses standard mode (--strict=false) to allow low-severity style blocks

File Structure

svg/security/
  security.go      # Core scanning (7 threat types, scan levels)
  sanitize.go      # Sanitization with configurable options
  report.go        # Team-report JSON generation
  security_test.go # 24 unit tests

docs/
  index.md              # Home page
  getting-started.md    # Quick start guide
  cli/                  # CLI command reference
  library/              # Go API documentation
  security/             # Security guide
  brands.md             # Brand asset catalog
  tools/                # Interactive tools

mkdocs.yml              # MkDocs configuration

Requirements

  • Go 1.24+ (for brandkit CLI)
  • Python 3.8+ with mkdocs-material (for documentation)