
qwexvf/aegis-cli

v0.17.0 Security

Published 22d ago · CLI & Terminal

No CVE in aegis itself is patched by this release. The only CVE identifier on this page, CVE-2021-23337, is the lodash `_.template` command-injection advisory that appears in the `aegis ci --suggest` sample output below; it is a finding the tool reports, not a vulnerability in aegis.

Topics: ast-analysis, cli, cve, dependency-scanner, security, go, lockfile, malware-detection, npm-security, osv, python-security, sbom, sca, shai-hulud, supply-chain-attack, supply-chain-security, tree-sitter, typosquatting, vulnerability-scanning


ReleasePort's take (auto-generated editorial, 13d)

aegis v0.17.0 adds aegis.yml for team configuration and extends scanning to GitHub Actions workflows. SARIF 2.1.0 output enables GitHub Code Scanning integration. In `aegis actions scan`, --fail-on is renamed --min-severity and kept as a deprecated alias.

Why it matters: commit an aegis.yml to standardize scanning thresholds across teams instead of per-pipeline flags. For GitHub Code Scanning users, test the SARIF upload in a dev repository before relying on it. The flag rename is non-breaking: existing scripts keep working, but they should migrate to --min-severity since the old name is deprecated.

Summary (AI-generated)

New aegis.yml project config file sets default flag values for the team.

Changes in this release

Extracted by llm_adapter on 2026-05-21; the impact level and confidence are the extractor's ratings.

  • Feature (Medium, confidence high): `aegis ci --sarif` emits package scan findings as SARIF 2.1.0 for GitHub Code Scanning.
  • Feature (Medium, confidence high): `aegis ci --scan-actions` now works with `--actions-fail-on`, scanning packages and GitHub Actions workflows in one run with separate thresholds.
  • Feature (Medium, confidence low): Place aegis.yml at the repository root to set default flag values for the team; CLI flags override it.
  • Feature (Medium, confidence low): `aegis ci --suggest` prints remediation commands for every blocked dependency across 9 ecosystems.
  • Feature (Medium, confidence low): Added 5 new real-world incident tests for VCS dependency detection and specific library vulnerabilities.
  • Dependency (Medium, confidence low): Config enum validation added at load time, so a bad `fail_on` value errors immediately instead of surfacing later.
  • Deprecation (Medium, confidence high): `--fail-on` renamed to `--min-severity` in `aegis actions scan`; `--fail-on` kept as a deprecated alias.
  • Bugfix (Medium, confidence high): Silenced `LoadActionsIgnore` error in `ci --scan-actions`.
  • Refactor (Medium, confidence low): `PhysicalLocation` is now a pointer with `omitempty` in SARIF output, so findings without a file position omit the field instead of emitting an empty object.

Full changelog

What's New

Project Config File — aegis.yml

Place aegis.yml at the repository root to set default flag values for the whole team:

version: 1
ci:
  fail_on: block
  scan_actions: true
  actions_fail_on: high
  sarif: true
actions:
  fail_on: high

CLI flags always override the config file.

aegis ci --sarif

Emit package scan findings as SARIF 2.1.0 for GitHub Code Scanning:

- run: aegis ci --scan-actions --sarif > aegis.sarif
- uses: github/codeql-action/upload-sarif@v3
  if: always()
  with: {sarif_file: aegis.sarif}

Two practical points for this workflow. `aegis ci` exits non-zero once findings reach the configured threshold (for example `fail_on: block`), which would normally stop the job before the upload step; `if: always()` on the upload step (added above) ensures the findings that failed the job still reach Code Scanning. The job also needs the `security-events: write` permission for `upload-sarif` to succeed.
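As an added illustration, not aegis's own code, the following Go program builds a SARIF 2.1.0 log of the kind `aegis ci --sarif` writes to stdout, including the pointer-plus-`omitempty` `physicalLocation` that this release's fix introduces: a finding with no file position drops the key instead of emitting an empty object. The SARIF property names come from the 2.1.0 specification; the `Finding` record, the severity-to-level mapping, the rule ids and the sample findings are constructed assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SARIF 2.1.0 subset sufficient for a GitHub Code Scanning upload. Property names
// follow the SARIF 2.1.0 specification; the Go type names are this example's own.
type SarifLog struct {
	Schema  string `json:"$schema"`
	Version string `json:"version"`
	Runs    []Run  `json:"runs"`
}
type Run struct {
	Tool    Tool     `json:"tool"`
	Results []Result `json:"results"`
}
type Tool struct{ Driver Driver `json:"driver"` }
type Driver struct {
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
}
type Message struct{ Text string `json:"text"` }
type Result struct {
	RuleID    string     `json:"ruleId"`
	Level     string     `json:"level"`
	Message   Message    `json:"message"`
	Locations []Location `json:"locations,omitempty"`
}
type Location struct {
	// Pointer plus omitempty: a finding with no file position drops the key entirely
	// instead of emitting "physicalLocation": {} (the behaviour the v0.17.0 fix describes).
	PhysicalLocation *PhysicalLocation `json:"physicalLocation,omitempty"`
}
type PhysicalLocation struct {
	ArtifactLocation ArtifactLocation `json:"artifactLocation"`
	Region           *Region          `json:"region,omitempty"`
}
type ArtifactLocation struct{ URI string `json:"uri"` }
type Region struct{ StartLine int `json:"startLine"` }

// Finding is the scanner-side record assumed for this example.
type Finding struct {
	RuleID, Severity, Text string
	File                   string // empty when the finding has no file position
	Line                   int
}

// SarifLevel maps the assumed severity vocabulary onto SARIF's fixed levels.
func SarifLevel(sev string) string {
	switch strings.ToLower(sev) {
	case "critical", "high":
		return "error"
	case "medium":
		return "warning"
	}
	return "note"
}

// BuildSARIF converts findings into a single run for the "aegis" driver.
func BuildSARIF(findings []Finding) SarifLog {
	run := Run{Tool: Tool{Driver: Driver{Name: "aegis", Version: "0.17.0"}}, Results: []Result{}}
	for _, f := range findings {
		r := Result{RuleID: f.RuleID, Level: SarifLevel(f.Severity), Message: Message{Text: f.Text}}
		if f.File != "" { // only findings tied to a file get a location at all
			pl := &PhysicalLocation{ArtifactLocation: ArtifactLocation{URI: f.File}}
			if f.Line > 0 {
				pl.Region = &Region{StartLine: f.Line}
			}
			r.Locations = []Location{{PhysicalLocation: pl}}
		}
		run.Results = append(run.Results, r)
	}
	return SarifLog{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0", Runs: []Run{run}}
}

// EmitSARIF serialises the log as the text that `> aegis.sarif` would capture.
func EmitSARIF(findings []Finding) (string, error) {
	b, err := json.MarshalIndent(BuildSARIF(findings), "", "  ")
	return string(b), err
}

// SampleFindings is constructed input, not real scan output; rule ids and paths are illustrative.
var SampleFindings = []Finding{
	{RuleID: "CVE-2021-23337", Severity: "high", Text: "lodash: command injection via template",
		File: "package-lock.json", Line: 12},
	{RuleID: "unpinned-action", Severity: "high", Text: "actions/checkout not pinned to a commit SHA",
		File: ".github/workflows/ci.yml", Line: 18},
	{RuleID: "postinstall-script", Severity: "critical", Text: "package runs a postinstall script"},
}

func main() {
	out, err := EmitSARIF(SampleFindings)
	fmt.Println(out, err)
}
```

Code Scanning anchors each alert on a file location, so check in a dev repository how location-less results (the third sample finding) are displayed before depending on them; that is the "test SARIF integration in dev" advice from the editorial note in concrete form.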

aegis ci --scan-actions + --actions-fail-on

Scan both packages and GitHub Actions workflows in one command. Control each threshold independently:

aegis ci --scan-actions --actions-fail-on medium

aegis ci --suggest

Print remediation commands for every blocked dependency:

[email protected]  [block]
  ⚠  CVE-2021-23337: https://github.com/advisories/...
  →  npm install lodash@latest

Supports all 9 ecosystems (npm, pip, bundle, cargo, go get, mvn, composer, dotnet, gleam).

aegis actions scan --min-severity

`--fail-on` is renamed `--min-severity` in `aegis actions scan` for consistency with the severity vocabulary; `--fail-on` is kept as a deprecated alias, so existing invocations keep working but should be migrated. The aegis.yml key for the same setting is still `actions.fail_on`, as in the config example above.
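Added example, not aegis's own code: a Go sketch of the three behaviours this release describes, the load-time enum validation of aegis.yml, the precedence rule that CLI flags override the config file (the aegis.yml section above), and the deprecated `--fail-on` alias for `--min-severity` in `aegis actions scan` (this rename). `ParseConfig`, `ResolveActionsMinSeverity` and the `schema` table are hypothetical names for the example; the parser handles only the two-level layout shown on this page and is not a YAML parser; and the severity vocabulary `low`, `medium`, `high`, `critical`, `block` is assumed, since the page shows only `block`, `high` and `medium`.

```go
package main

import (
	"bufio"
	"flag"
	"fmt"
	"strconv"
	"strings"
)

// validFailOn is the severity vocabulary assumed here; the page shows only "block", "high", "medium".
var validFailOn = map[string]bool{
	"low": true, "medium": true, "high": true, "critical": true, "block": true,
}

// schema lists the aegis.yml keys shown on the page and how each value is validated.
var schema = map[string]string{
	"ci.fail_on": "severity", "ci.scan_actions": "bool", "ci.actions_fail_on": "severity",
	"ci.sarif": "bool", "actions.fail_on": "severity",
}

// SampleConfig is the aegis.yml from the page, embedded so the example runs offline.
const SampleConfig = `version: 1
ci:
  fail_on: block
  scan_actions: true
  actions_fail_on: high
  sarif: true
actions:
  fail_on: high
`

// ParseConfig flattens the two-level "section:\n  key: value" layout into "section.key"
// entries. It is a minimal line parser (not YAML) that rejects unknown keys and bad
// enum values at load time, naming the offending line.
func ParseConfig(text string) (map[string]string, error) {
	cfg := map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		raw := sc.Text()
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, _ := strings.Cut(line, ":")
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch {
		case !strings.HasPrefix(raw, " ") && val == "": // section header
			section = key
		case !strings.HasPrefix(raw, " "): // top-level scalar such as version
			cfg[key] = val
		default: // nested key: validate against the schema immediately
			full := section + "." + key
			switch schema[full] {
			case "severity":
				if !validFailOn[val] {
					return nil, fmt.Errorf("line %d: %s: invalid value %q", n, full, val)
				}
			case "bool":
				if _, err := strconv.ParseBool(val); err != nil {
					return nil, fmt.Errorf("line %d: %s: not a boolean: %q", n, full, val)
				}
			default:
				return nil, fmt.Errorf("line %d: unknown key %q", n, full)
			}
			cfg[full] = val
		}
	}
	return cfg, nil
}

// ResolveActionsMinSeverity applies the precedence the page states (CLI flags override the
// config file) for `aegis actions scan`; warning is non-empty when the deprecated alias was used.
func ResolveActionsMinSeverity(cfg map[string]string, args []string) (sev, warning string, err error) {
	fs := flag.NewFlagSet("actions scan", flag.ContinueOnError)
	minSev := fs.String("min-severity", "", "lowest severity that fails the scan")
	failOn := fs.String("fail-on", "", "deprecated alias for --min-severity")
	if err := fs.Parse(args); err != nil {
		return "", "", err
	}
	sev = cfg["actions.fail_on"]
	switch {
	case *minSev != "":
		sev = *minSev
	case *failOn != "":
		sev = *failOn
		warning = "--fail-on is deprecated; use --min-severity"
	}
	if !validFailOn[sev] { // flags get the same enum check as the file; "" means nothing was set
		return "", "", fmt.Errorf("no valid severity configured: %q", sev)
	}
	return sev, warning, nil
}

func main() {
	cfg, err := ParseConfig(SampleConfig)
	sev, warn, _ := ResolveActionsMinSeverity(cfg, []string{"--fail-on", "medium"})
	fmt.Printf("config=%v err=%v\nactions scan severity=%s warning=%q\n", cfg, err, sev, warn)
}
```

Validating at load time rather than at scan time is the security-relevant choice: a misspelt `fail_on: hihg` that is only rejected when a threshold is compared could otherwise degrade silently into "never fail the build".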

New Incident Tests

5 new real-world incident tests: VCS dependency detection (PyPI/Cargo/RubyGems), @solana/web3.js 2024 obfuscated payload, node-ipc 2022 protestware postinstall.

Other

  • actions/cache/restore subpath heuristic test
  • Config enum validation at load time: a bad `fail_on` value now errors immediately when aegis.yml is loaded instead of surfacing later
  • Fixed: silenced `LoadActionsIgnore` error in `ci --scan-actions`
  • Fixed: `PhysicalLocation` is now a pointer with `omitempty` in SARIF output, so findings without a file position omit the field instead of emitting an empty object

Security Fixes

  • None in aegis itself. CVE-2021-23337, the only CVE identifier in this changelog, is the lodash `_.template` command-injection advisory shown in the `aegis ci --suggest` sample output above; it is a finding the tool reports, not a fix to aegis.
