qwexvf/aegis-cli

v0.27.0 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 17d CLI & Terminal
✓ No known CVEs patched

Topics

ast-analysis cli cve dependency-scanner security go
lockfile malware-detection npm-security osv python-security sbom sca shai-hulud supply-chain-attack supply-chain-security tree-sitter typosquatting vulnerability-scanning

ReleasePort's take

Light signal
editorial:auto 13d

aegis-cli v0.27.0 adds SBOM PURL support, plugin-spec build-hooks, capability regression detection, and Lua AST scanning with EcoNeovim integration.

Why it matters: Detect plugin capability regressions and scan Lua dependencies with v0.27.0's new AST analysis; test with Neovim-based projects to verify coverage of your plugin ecosystem.

Summary

AI summary

Added SBOM PURL support, plugin-spec build‑hook, capability regression detection, and a Lua AST scanner with EcoNeovim integration.

Changes in this release

Feature Medium

SBOM purl + plugin-spec build-hook + capability regression detection added for neovim

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Feature Medium

lua AST scanner, EcoNeovim, and lazy-lock parser added for neovim

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Other Medium

Added aegis image scan reference section to the site documentation

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Other Medium

v0.27.0 changelog regenerated and analyze man page updated

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Full changelog

aegis-cli v0.27.0

Supply-chain security CLI for npm / bun / yarn / pnpm.

Verifying releases

All artifacts are checksummed (checksums.txt) and the checksums file
is signed via cosign keyless OIDC. To verify:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature   checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt

SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf.
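
Added example, not part of the aegis-cli release notes: with only one artifact downloaded, sha256sum -c checksums.txt reports every other listed file as missing, so this checks just the file you have and fails closed unless it is listed exactly once. The function names, return codes and the no-whitespace assumption about artifact names are assumptions of this example; the cosign flags are the ones shown above.

```shell
# Added example; function names and return codes are assumptions.
# Assumes artifact names contain no whitespace.

# verify_artifact FILE [CHECKSUMS]
# 0 = match, 1 = mismatch, 2 = file missing, 3 = not listed exactly once.
verify_artifact() {
    file=$1
    sums=${2:-checksums.txt}
    name=$(basename -- "$file")

    [ -f "$file" ] || { echo "missing artifact: $file" >&2; return 2; }
    [ -f "$sums" ] || { echo "missing checksums file: $sums" >&2; return 2; }

    # Compare the whole file-name field (sha256sum marks binary mode with a
    # leading '*'); a substring match would accept look-alike names.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print $1; hits++ }
        END { if (hits != 1) exit 1 }' "$sums") || {
        echo "$name is not listed exactly once in $sums" >&2; return 3; }

    # Hash from stdin so the output never depends on the path.
    actual=$(sha256sum < "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum mismatch: $name" >&2; return 1; }
    echo "OK: $name"
}

# verify_release FILE
# Signature first (flags as in the release notes), checksum second, so an
# unsigned or tampered checksums.txt is never used as the reference.
verify_release() {
    cosign verify-blob \
      --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
      --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
      --certificate checksums.txt.pem \
      --signature   checksums.txt.sig \
      checksums.txt || { echo "signature check failed" >&2; return 4; }
    verify_artifact "$1" checksums.txt
}
```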

Changelog

Features

  • 5cf2b96db3a54ed48d23e269afff49838e26ac40: feat(neovim): SBOM purl + plugin-spec build-hook + capability regression detection (#95) (@qwexvf)
  • 73b12e5914d840e2480efb0e35a9e5d21b2c05cf: feat(neovim): lua AST scanner + EcoNeovim + lazy-lock parser (#94) (@qwexvf)

Documentation

  • e9eb20548b75453bade6dd0ea46b222f2caa4383: docs(site): add aegis image scan reference section (@qwexvf)
  • 2a726db3a5e25974f7a8e4aaddb33ff998c1d5d5: docs: v0.27.0 changelog, regenerate analyze man page (@qwexvf)

Apache-2.0 — see LICENSE.
