
Security & SBOMs

Maho publishes a Software Bill of Materials (SBOM) for every project in the mahocommerce organization, plus daily vulnerability scans against those SBOMs. Both are public and version-controlled in the MahoCommerce/sboms repository.

In practice this means anyone (a prospective user doing due diligence, a sysadmin running Maho in production, or a security team auditing their stack) can see exactly which third-party components ship with Maho and which of them have known, fixable CVEs, without having to scan the code themselves.

Current status

[Badges: count of Critical findings, count of High findings]

The badges above update automatically from the latest scan. Click through for the full per-project breakdown in VULNERABILITIES.md.

What you get

  • One CycloneDX 1.5 SBOM per repository, per release, refreshed daily.
  • Daily vulnerability scans using two independent engines (Grype and Trivy), with results merged so you don't have to reconcile them yourself.
  • A focus on actionable findings: vulnerabilities without an upstream fix are filtered out, so what you see is what you (or we) can do something about. The flip side is that unfixed findings are not shown in the published results; if you need the complete picture, the SBOMs are public, so you can scan them yourself without that filter.
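As an added example (not code from the MahoCommerce/sboms repository, nor from Grype or Trivy themselves), the Python script below shows how the merge-and-filter step described in the list above can work when you consume a published SBOM and two scanner reports yourself: read the components out of a CycloneDX JSON SBOM, parse Grype- and Trivy-style findings into one shape, union them by (vulnerability, package, version), drop anything without a fixed version, and count what remains by severity. The SBOM and both scanner outputs are constructed inline in the simplified shapes Grype (`matches[].vulnerability.fix`) and Trivy (`Results[].Vulnerabilities[]`) JSON use; the package names and CVE-style identifiers are placeholders, not real advisories, and `Finding`, `merge_actionable` and `summarize` are this example's own names.

```python
"""Added example: parse a CycloneDX 1.5 SBOM, merge Grype- and Trivy-style scan
results, and keep only findings that have a fix. Not MahoCommerce's own tooling."""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample SBOM: a minimal CycloneDX 1.5 document, not a real Maho SBOM.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "name": "example/lib-a", "version": "1.2.0",
     "purl": "pkg:composer/example/lib-a@1.2.0"},
    {"type": "library", "name": "example/lib-b", "version": "3.0.1",
     "purl": "pkg:composer/example/lib-b@3.0.1"}
  ]
}"""

# Constructed scanner output in the shape Grype's JSON report uses
# (matches[].vulnerability.fix.state). IDs and packages are placeholders.
GRYPE_JSON = """{"matches": [
  {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                     "fix": {"state": "fixed", "versions": ["1.2.1"]}},
   "artifact": {"name": "example/lib-a", "version": "1.2.0"}},
  {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                     "fix": {"state": "not-fixed", "versions": []}},
   "artifact": {"name": "example/lib-b", "version": "3.0.1"}}
]}"""

# Constructed scanner output in the shape Trivy's JSON report uses
# (Results[].Vulnerabilities[]). IDs and packages are placeholders.
TRIVY_JSON = """{"Results": [{"Target": "composer.lock", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example/lib-a",
   "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example/lib-b",
   "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "MEDIUM"}
]}]}"""

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    version: str
    fixed_in: str        # empty string when no fixed version is known
    severity: str        # normalised to upper case
    sources: frozenset   # engines that reported this finding


def sbom_components(sbom_text):
    """Return {(name, version): purl} for every component in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {(c["name"], c.get("version", "")): c.get("purl", "")
            for c in bom.get("components", [])}


def grype_findings(text):
    """Convert Grype-style matches to Findings; only state 'fixed' yields a fixed_in."""
    out = []
    for m in json.loads(text).get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        fix = v.get("fix", {})
        fixed_in = fix["versions"][0] if fix.get("state") == "fixed" and fix.get("versions") else ""
        out.append(Finding(v["id"], a["name"], a["version"], fixed_in,
                           v.get("severity", "UNKNOWN").upper(), frozenset({"grype"})))
    return out


def trivy_findings(text):
    """Convert Trivy-style results to Findings; 'Vulnerabilities' may be absent or null."""
    out = []
    for r in json.loads(text).get("Results", []):
        for v in r.get("Vulnerabilities") or []:
            out.append(Finding(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"],
                               v.get("FixedVersion", "") or "",
                               v.get("Severity", "UNKNOWN").upper(), frozenset({"trivy"})))
    return out


def merge_actionable(findings, components):
    """Union findings by (vuln_id, package, version); keep the higher severity and any
    known fix; drop matches for packages not in the SBOM and findings with no fix."""
    merged = {}
    for f in findings:
        if (f.package, f.version) not in components:
            continue  # scanner matched something the SBOM does not list
        key = (f.vuln_id, f.package, f.version)
        prev = merged.get(key)
        if prev is None:
            merged[key] = f
            continue
        worse = max((prev, f), key=lambda x: SEVERITY_RANK.get(x.severity, 0))
        merged[key] = Finding(prev.vuln_id, prev.package, prev.version,
                              prev.fixed_in or f.fixed_in, worse.severity,
                              prev.sources | f.sources)
    return sorted((f for f in merged.values() if f.fixed_in),
                  key=lambda f: (f.vuln_id, f.package))


def summarize(findings):
    """Count actionable findings per severity, e.g. for a status badge."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    comps = sbom_components(SBOM_JSON)
    actionable = merge_actionable(grype_findings(GRYPE_JSON) + trivy_findings(TRIVY_JSON), comps)
    for f in actionable:
        print(f"{f.vuln_id} {f.package}@{f.version} -> {f.fixed_in} [{f.severity}] {sorted(f.sources)}")
    print(summarize(actionable))
```

Against a real published SBOM you would produce the two inputs with the scanners' own JSON output modes (`grype sbom:<file> -o json` and `trivy sbom <file> --format json`); both tools can also drop unfixed findings themselves (`grype --only-fixed`, `trivy --ignore-unfixed`), which is the same filter the published results apply. The check that a finding's package actually appears in the SBOM is a useful guard when a scanner's own package discovery disagrees with the bill of materials you were given.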

Reporting a vulnerability

If you've found a security issue in Maho itself, please follow the disclosure process in the main repository's security policy rather than opening a public issue.