trustabl · jhumel-code · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026
diff --git a/.github/workflows/build-check.yml b/.github/workflows/build-check.yml
@@ -15,13 +15,13 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 24
           cache: npm
       - run: npm ci
       - run: npm run typecheck
       - run: npm test
       - run: npm run build
-      # A node20 action runs dist/index.js straight from the consumer's checkout,
+      # A node24 action runs dist/index.js straight from the consumer's checkout,
       # so a stale committed bundle ships stale code. Fail if the freshly built
       # dist/ differs from what's committed.
       - name: Verify dist/ is up to date

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,24 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 versions follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [0.3.1] — 2026-06-09
+
+### Changed
+
+- **Runtime is now Node.js 24** (`runs.using: node24`). GitHub is deprecating the
+  Node 20 Actions runtime (runners default to Node 24 on 2026-06-16; Node 20 is
+  removed on 2026-09-16), so this moves ahead of the removal. No behavior change —
+  the bundled `dist/` is identical; the build CI and the `engines` field bump to
+  Node 24 to match the runtime.
+
+### Docs
+
+- README + capabilities now document the full SDK coverage (LangChain, CrewAI,
+  Pydantic AI, Vercel AI, AutoGen, MCP servers, and Claude subagents & skills),
+  the opt-in dependency CVE scan, and the complete `detectors` token list; install
+  pins bumped to `v0.3.1`.
+
+
 ## [0.3.0] — 2026-06-09
 
 Tracks trustabl engine **v0.1.4**: consumes the new finding line-range shape and

diff --git a/README.md b/README.md
@@ -5,8 +5,9 @@
 # Trustabl Action
 
 A GitHub Action that runs [trustabl](https://github.com/trustabl/trustabl) — the
-static reliability/safety analyzer for agent-SDK repos (Claude Agent SDK, OpenAI
-Agents SDK, Google ADK, MCP) — and surfaces the results where you work:
+static reliability/safety analyzer for agent repos (Claude Agent SDK, OpenAI
+Agents SDK, Google ADK, LangChain, CrewAI, Pydantic AI, Vercel AI, AutoGen, MCP
+servers, and Claude subagents & skills) — and surfaces the results where you work:
 
 - **Inline PR annotations + the Security tab.** Findings are uploaded to GitHub
   Code Scanning, so they appear on the changed lines in the PR diff and in the
@@ -89,7 +90,7 @@ jobs:
 ## Pinned + gated
 
 ```yaml
-- uses: trustabl/trustabl-action@v0.3.0
+- uses: trustabl/trustabl-action@v0.3.1
   with:
     version: v0.5.0
     detectors: claude_sdk,openai_sdk
@@ -104,7 +105,7 @@ jobs:
 |---|---|---|
 | `target` | `.` | Path or GitHub URL to scan. |
 | `version` | `latest` | trustabl release tag (e.g. `v0.5.0`) or `latest`. |
-| `detectors` | _(all)_ | Comma-separated subset: `claude_sdk,openai_sdk,google_adk,openshell`. |
+| `detectors` | _(all)_ | Comma-separated SDK subset: `claude_sdk`, `openai_sdk`, `google_adk`, `openshell`, `mcp`, `langchain`, `crewai`, `pydantic_ai`, `vercel_ai`, `autogen`. |
 | `strict` | `false` | Pass `--strict` (fail on any finding). |
 | `vuln-scan` | `false` | Match dependencies against a pinned OSV snapshot; report known CVEs as findings. |
 | `rules-ref` | _(default)_ | Pin a `trustabl-rules` git ref. |
@@ -146,6 +147,11 @@ jobs:
   one analysis pass produces both artifacts. Older engines fall back to two scans
   automatically (and the headroom ladder is hidden, since it needs the engine's
   `projected_scores`). Use `version: latest` to get the fast path.
+- **Dependency CVE scan (opt-in).** With `vuln-scan: true`, declared dependencies
+  are matched against a pinned OSV snapshot; each known CVE becomes a finding (so
+  it counts toward the score, gate, annotations, and Security tab), plus a
+  dependencies-scanned / known-vulnerabilities line in every report. The OSV
+  database is fetched once on first use, then cached.
 - **Honest gating.** A failed or empty scan errors the job rather than reporting a
   clean score. The gate decision is exit-code/threshold-based, surfaced in the
   Step Summary and the PR comment.
@@ -165,7 +171,7 @@ After a run, open the run page and find the **`trustabl-scan-results`** artifact
 
 ## Versioning
 
-- Pin a release: `uses: trustabl/trustabl-action@v0.3.0`.
+- Pin a release: `uses: trustabl/trustabl-action@v0.3.1`.
 - Or track the line: `uses: trustabl/trustabl-action@v0` (the moving major tag).
 
 ## Notes
@@ -178,7 +184,7 @@ After a run, open the run page and find the **`trustabl-scan-results`** artifact
 
 ## Development
 
-This is a node20 TypeScript action bundled to `dist/` with
+This is a node24 TypeScript action bundled to `dist/` with
 [`ncc`](https://github.com/vercel/ncc).
 
 ```bash
@@ -189,7 +195,7 @@ npm run build       # bundle to dist/index.js (commit the result)
 npm run all         # all of the above
 ```
 
-`dist/` is committed because a node20 action runs `dist/index.js` directly from
+`dist/` is committed because a node24 action runs `dist/index.js` directly from
 the consumer's checkout of the release tag. The **Build check** workflow fails a
 PR whose `dist/` is stale, so always `npm run build` and commit after changing
 `src/`.
diff --git a/action.yml b/action.yml
@@ -19,7 +19,7 @@ inputs:
     required: false
     default: latest
   detectors:
-    description: Comma-separated SDK detectors (claude_sdk,openai_sdk,google_adk,openshell). Empty = all.
+    description: Comma-separated SDK detectors (claude_sdk,openai_sdk,google_adk,openshell,mcp,langchain,crewai,pydantic_ai,vercel_ai,autogen). Empty = all.
     required: false
     default: ""
   strict:
@@ -136,5 +136,5 @@ outputs:
     description: Whether the SARIF was accepted by Code Scanning (true/false).
 
 runs:
-  using: node20
+  using: node24
   main: dist/index.js
diff --git a/capabilities.md b/capabilities.md
@@ -1,13 +1,14 @@
 ### Trustabl Action — capabilities
 
-- **Static reliability/safety scan** for agent-SDK repos (Claude Agent SDK,
-  OpenAI Agents SDK, Google ADK, MCP) — runs the upstream `trustabl` binary over
-  your checkout, no daemon or hosted service.
+- **Static reliability/safety scan** for agent repos (Claude Agent SDK, OpenAI
+  Agents SDK, Google ADK, LangChain, CrewAI, Pydantic AI, Vercel AI, AutoGen, MCP
+  servers, and Claude subagents & skills) — runs the upstream `trustabl` binary
+  over your checkout, no daemon or hosted service.
 - **Optional dependency CVE scan** (`vuln-scan: true`) — matches declared
   dependencies against a pinned OSV snapshot and reports known CVEs as findings,
   so they ride every surface (score, gate, annotations, Security tab) alongside a
   dependencies-scanned / known-vulnerabilities headline.
-- **node20 TypeScript action, cross-platform** — `ubuntu-*`, `macos-*`,
+- **node24 TypeScript action, cross-platform** — `ubuntu-*`, `macos-*`,
   `windows-*` on x64/arm64; the binary is tool-cached so reruns are fast, and is
   **sha256-verified** against the release `checksums.txt` before it runs.
 - **Inline PR annotations + GitHub Security tab** — findings are uploaded to Code

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "trustabl-action",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "private": true,
   "description": "Static reliability/safety scanner for AI agent repos (Claude, OpenAI, Google ADK, MCP) — GitHub Action.",
   "main": "dist/index.js",
@@ -12,7 +12,7 @@
   },
   "license": "Apache-2.0",
   "engines": {
-    "node": ">=20"
+    "node": ">=24"
   },
   "dependencies": {
     "@actions/artifact": "^2.1.11",