qwexvf/aegis-cli

v0.26.0 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 17d CLI & Terminal

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

ast-analysis cli cve dependency-scanner security go

+13 more

lockfile malware-detection npm-security osv python-security sbom sca shai-hulud supply-chain-attack supply-chain-security tree-sitter typosquatting vulnerability-scanning

Summary

AI summary

Added AST capability scan, multi‑ecosystem support, parallel decompression, and lockfile extraction from OCI/Docker images.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Medium	AST capability scan added for images with multi-ecosystem and parallel decompression AST capability scan added for images with multi-ecosystem and parallel decompression Source: granite4.1:8b-q6_K@2026-05-21 Confidence: low	—
Feature	Medium	aegis image scan now extracts lockfiles from OCI/Docker image tars aegis image scan now extracts lockfiles from OCI/Docker image tars Source: granite4.1:8b-q6_K@2026-05-21 Confidence: low	—
Feature	Medium	walk per-package manifests when lockfiles are missing walk per-package manifests when lockfiles are missing Source: granite4.1:8b-q6_K@2026-05-21 Confidence: low	—
Other	Medium	v0.26.0 changelog updated and man pages regenerated v0.26.0 changelog updated and man pages regenerated Source: granite4.1:8b-q6_K@2026-05-21 Confidence: low	—

Full changelog

aegis-cli v0.26.0

Supply-chain security CLI for npm / bun / yarn / pnpm.

Verifying releases

All artifacts are checksummed (checksums.txt) and the checksums file
is signed via cosign keyless OIDC. To verify:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature   checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt

SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf.

Changelog

Features

08352b0c9a9df11ec93aef75e85d77ed23849d97: feat(image): AST capability scan + multi-ecosystem + parallel decompression (#92) (@qwexvf)
ec64144e4003293571b3bfefada8d121ffd05bec: feat(image): aegis image scan — extract lockfiles from OCI/Docker image tars (@qwexvf)
6c2ac8791d2858e2545bf4afa9712c014803edbd: feat(image): walk per-package manifests when lockfiles are missing (#93) (@qwexvf)

Documentation

3ab4d8a0ab28beadecf489b7fa7af2f2eadf40be: docs: v0.26.0 changelog, regenerate man pages (@qwexvf)

Apache-2.0 — see LICENSE.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track qwexvf/aegis-cli

Get notified when new releases ship.

About qwexvf/aegis-cli

All releases →