qwexvf/aegis-cli

v0.25.0 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 18d CLI & Terminal

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

ast-analysis cli cve dependency-scanner security go

+13 more

lockfile malware-detection npm-security osv python-security sbom sca shai-hulud supply-chain-attack supply-chain-security tree-sitter typosquatting vulnerability-scanning

Summary

AI summary

Secret placeholders like AKIAIOSFODNN7EXAMPLE are now excluded from secret detection.

Changes in this release

Type	Severity	Summary	CVE
Bugfix	Medium	Exclude vendor-published placeholders from secrets handling. Exclude vendor-published placeholders from secrets handling. Source: llm_adapter@2026-05-21 Confidence: high	—
Refactor	Medium	Drop build-tag flavours; ship as one all-in-one binary. Drop build-tag flavours; ship as one all-in-one binary. Source: llm_adapter@2026-05-21 Confidence: low	—
Other	Medium	Align README and site documentation with v0.24.0 features and new scan/ layout. Align README and site documentation with v0.24.0 features and new scan/ layout. Source: llm_adapter@2026-05-21 Confidence: low	—
Other	Medium	Regenerate changelog for v0.25.0 and update man pages. Regenerate changelog for v0.25.0 and update man pages. Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

aegis-cli v0.25.0

Supply-chain security CLI for npm / bun / yarn / pnpm.

Verifying releases

All artifacts are checksummed (checksums.txt) and the checksums file
is signed via cosign keyless OIDC. To verify:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature   checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt

SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf.

Changelog

Bug fixes

07c6b7150fdf2628e4a5a20a5806c6f486dd7d54: fix(secrets): exclude vendor-published placeholders (AKIAIOSFODNN7EXAMPLE) (@qwexvf)

Documentation

7686c3651ee8b474825146236c29753685612145: docs: align README + site docs with v0.24.0 features and new scan/ layout (@qwexvf)
def14f46b1ac0f44ff09173bc1763fa859672686: docs: v0.25.0 changelog, regenerate man pages (@qwexvf)

Other

1109e56953d2ee94f239ba1e7b44310c1e311383: ci: drop aegis-core matrix step (build variant removed in v0.25.0) (@qwexvf)
c624a308de5774c80ca1f654a7499f8e4360d59d: refactor: drop build-tag flavours — ship as one all-in-one binary (@qwexvf)
9888f397b24e397c86712b705f864214cdd1d372: test: cover v0.23.0+ infra — openvex, epss, kev, vulnenrich, depsdotdev, license_policy (@qwexvf)

Apache-2.0 — see LICENSE.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track qwexvf/aegis-cli

Get notified when new releases ship.

About qwexvf/aegis-cli

All releases →