
qwexvf/aegis-cli

v0.1.0 (feature release)


Published 1 month ago. Category: CLI & Terminal. No known CVEs patched in this version.

Topics: ast-analysis, cli, cve, dependency-scanner, security, go, lockfile, malware-detection, npm-security, osv, python-security, sbom, sca, shai-hulud, supply-chain-attack, supply-chain-security, tree-sitter, typosquatting, vulnerability-scanning

Summary

Comprehensive CLI overhaul adds six new commands, a live UI, drift mode, security caps, and multi-package-manager support.

Full changelog

aegis-cli v0.1.0

Supply-chain security CLI for npm / bun / yarn / pnpm.

Verifying releases

All artifacts are checksummed (checksums.txt) and the checksums file
is signed with cosign keyless signing (Sigstore), using the GitHub Actions
OIDC identity of the release workflow. To verify:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature   checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt

If you downloaded only some of the artifacts, pass --ignore-missing to
sha256sum so the files you do not have are skipped instead of being
reported as missing; otherwise the check exits non-zero even when the
archive you hold is intact. The identity regexp above ends in ".*", so
it accepts a certificate issued for any ref the release workflow ran on;
pin it to the release tag (…/release.yml@refs/tags/v0.1.0) if you want
to reject signatures from other runs of the same workflow.

SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf (this
fetches the attestation from the GitHub API, so it needs network access).
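The three checks above (cosign signature on checksums.txt, sha256 of the archive you downloaded, SLSA provenance through gh attestation) chained into one script, as an added example for this page rather than a script shipped by aegis-cli. Assumptions not taken from the release notes: the release workflow runs on tag refs (so the identity regexp is pinned to refs/tags/v.*, tighter than the ".*" above), artifact names follow the aegis_<version>_<os>_<arch>.tar.gz pattern used in the usage line, and cosign and gh are installed. The digest check is written as its own function so it runs offline and reports the three distinct failure modes (mismatch, file not listed, file listed but not downloaded) separately.

```shell
#!/bin/sh
# Added example (not the project's own script): verify one downloaded
# aegis-cli release archive against the signed checksums.txt, then its
# SLSA provenance. Run from the directory holding checksums.txt,
# checksums.txt.sig and checksums.txt.pem.
set -eu

REPO="qwexvf/aegis-cli"
OWNER="qwexvf"
OIDC_ISSUER="https://token.actions.githubusercontent.com"
# Fulcio encodes a GitHub Actions workflow identity as
# https://github.com/<owner>/<repo>/.github/workflows/<file>@<ref>.
# Assumption: the release workflow runs on tag refs, so pin to them.
CERT_IDENTITY_RE="https://github.com/${REPO}/.github/workflows/release.yml@refs/tags/v.*"

# Hex SHA-256 of a file (coreutils sha256sum, or perl shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Step 1: keyless verification of checksums.txt. Talks to Fulcio/Rekor,
# so it is kept separate from the offline digest check below.
verify_checksums_signature() {
  cosign verify-blob \
    --certificate-identity-regexp "$CERT_IDENTITY_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate checksums.txt.pem \
    --signature checksums.txt.sig \
    checksums.txt
}

# Step 2 (offline): compare one artifact with its checksums.txt entry.
# Returns 0 on match, 1 on digest mismatch, 2 when checksums.txt has no
# entry for the file, 3 when the file is listed but not present locally.
# Lines look like "<sha256>  <filename>"; a leading "*" on the filename
# (sha256sum's binary-mode marker) is tolerated.
verify_artifact_checksum() {
  artifact="$1"
  sums="${2:-checksums.txt}"
  name=$(basename "$artifact")
  expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    printf '%s: no entry in %s\n' "$name" "$sums" >&2
    return 2
  fi
  if [ ! -f "$artifact" ]; then
    printf '%s: listed in %s but not present locally\n' "$name" "$sums" >&2
    return 3
  fi
  actual=$(sha256_of "$artifact")
  if [ "$actual" != "$expected" ]; then
    printf '%s: sha256 mismatch\n  expected %s\n  actual   %s\n' \
      "$name" "$expected" "$actual" >&2
    return 1
  fi
  printf '%s: OK\n' "$name"
}

# Step 3: SLSA provenance, exactly the command from the release notes.
verify_provenance() {
  gh attestation verify "$1" --owner "$OWNER"
}

# Full chain for one archive: signature, then digest, then provenance.
# set -e stops at the first failing step.
verify_release() {
  verify_checksums_signature
  verify_artifact_checksum "$1"
  verify_provenance "$1"
}

# Usage: sh verify-aegis.sh aegis_0.1.0_linux_amd64.tar.gz
# (artifact name pattern is an assumption; use whatever you downloaded)
if [ "$#" -gt 0 ]; then
  verify_release "$1"
fi
```

The digest step deliberately does not call sha256sum -c on the whole file: with a single downloaded archive, that reports every other listed file as missing and exits non-zero, which is the failure mode the --ignore-missing note above is about. Checking only the named artifact, and distinguishing "not listed" from "listed but absent", gives a result you can act on in CI.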

Changelog

Features

  • c9f11701b9acdf5c463f921d9e003f76512ff2ba: feat(api): real historical-incident database for /supply-chain/check (qwexvf)
  • f2b743ee37bdba45a20547cf0ca918ecd704f20e: feat(cli): add aegis CLI with supply-chain check API endpoint (qwexvf)
  • 4e0cb3125de2fabe7695e36e629c2f3fb60be424: feat(cli): aegis snapshot — project lockfile snapshots in zstd JSON (qwexvf)
  • d1f690c91b68bc0b1d09933fbe85b42797cdcbdc: feat(cli): allowlist mechanism — bundled + user + project YAML (qwexvf)
  • 95ff59c05acf82be2bcaba7057a7e16a87ce61d0: feat(cli): comprehensive overhaul — six new commands, live UI, drift mode, security caps (qwexvf)
  • f464c2072a242dbf77ab0710eac5abded1b37afe: feat(cli): multi-PM (npm/bun/yarn/pnpm) + cache/audit/CI/prompt polish (qwexvf)
  • 7e6f8adbe596e6ac78d4c790fff51daa8b490d19: feat(cli): per-PM build tags + Makefile targets (Marcelo)
  • 35165ae4a940299f1d61310edfe9f84ad85d6ce5: feat(cli): reliability + perf overhaul — fsync, flock, retry, parallel (qwexvf)
  • 1b715a5fc4a68650c69b52b66c5a801b85dda708: feat(cli): risk engine — Capability/InstallHook + RiskScore/DriftScore + Verdict + tree-sitter JS scanner (qwexvf)
  • fa2f426d9485895772014f2775a79d042c8a9962: feat: public package report graph + community submit API (qwexvf)

Documentation

  • 4a0d7e8c6811a516c997f9f7aac5081741c1ae00: docs(cli): architecture, risk engine, snapshot reference docs (Marcelo)
  • 7fc2e38edbe21585bbf3b2b500f81f9939f932ff: docs: migrate CLI architecture / risk-engine / snapshot / demo-plan from monorepo (qwexvf)

Other

  • 46205a8e3e46ed95a45877b40e19a8ebe681680d: build(cli): strip symbols + nojsscan build tag (-38% binary size) (qwexvf)
  • f74d5eb677f1c1610f40b181efea4d2672bd3682: build(deps): bump actions/attest-build-provenance from 1 to 4 (#2) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
  • 0cfb6e06216f9a415e2311e13a50251c18228ad4: build(deps): bump actions/checkout from 4 to 6 (#5) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
  • 05a50e046cee27b25a3f7960f8fe3a2fe9d3ad75: build(deps): bump actions/setup-go from 5 to 6 (#4) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
  • 3fda72be1287db56a3cd7944c1322ff2f14b97db: build(deps): bump goreleaser/goreleaser-action from 6 to 7 (#6) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
  • 493a0fb7a7bca36a2beaa2223a903ba5e8cb61ca: build(deps): bump the go-deps group with 3 updates (#3) (dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>)
  • 57d428b10f771fed5a97dc4865ad2f266abaf229: chore(cli): allowlist review fixes — bugs, design clarity, perf (qwexvf)
  • d864c37a7fe65983758b0bdcf95cf2081fcdbf5a: chore(cli): gofmt + staticcheck cleanup (qwexvf)
  • 239d5bb47894b746d1ce0dd20083bcc6100e5b5b: chore: add Apache-2.0 LICENSE (qwexvf)
  • dcf66cd62910c3c91f55b84c9e03ef4c62aa7527: chore: add OSS community files (security, contrib, conduct, templates) (#8) (Marcelo)
  • 8e1e9b924b59679e046267496b9ee2922264b0a2: chore: polish — README rewrite, GitHub-only contact, singleflight on registry cache (#9) (Marcelo)
  • c1443e81edb34dc894721634fc6a8b846e125df5: chore: re-enable errcheck/staticcheck/gofmt + clear lint debt (#7) (Marcelo)
  • 8ce4c8551708ad7bbfba16db3155b3955f80ca35: chore: rename module to github.com/qwexvf/aegis-cli (qwexvf)
  • 713c83ea2e4fe1a316949455531629319fb4e8a6: ci: GoReleaser pipeline + signed release workflow + CI matrix (#1) (Marcelo)
  • 6c5844916d8831d841edb2fec1e9dbd615519e9c: ci: simplify v0.1.0 release matrix to linux-only for cgo builds (#10) (Marcelo)
  • aeef7f025c6b88c726cb4920c594368a226932c1: feat(api,cli,web): centralized org allowlist overlay (qwexvf)
  • e7d0215304888f09be4862b2eb38e7caa4c9d1b6: refactor(cli): clean architecture (domain / usecase / infra / presenter) (qwexvf)
  • 873ae1426d8a245f6a71593402d0f24f90d1defe: refactor(cli): replace zerolog with stdlib log/slog (qwexvf)
  • 3ef94deb42deb10cff79a2fe321741b28cc83718: test(cli): expand test coverage across risk engine + adapters (qwexvf)

Apache-2.0 — see LICENSE.
