qwexvf/aegis-cli

v0.28.0 Feature

This release adds 5 notable features for engineering teams evaluating rollout.

Published 3d CLI & Terminal
✓ No known CVEs patched

Topics

ast-analysis cli cve dependency-scanner security go lockfile malware-detection npm-security osv python-security sbom sca shai-hulud supply-chain-attack supply-chain-security tree-sitter typosquatting vulnerability-scanning

Affected surfaces

deps

Summary

AI summary

Broad release: three new ecosystems (R/CRAN, Haskell/Hackage, Perl/CPAN, bringing the total to 15), Hex.pm and pub.dev registry clients, new CLI flags, and bug fixes across enrich, explain, fix, gate, OSV lookup, parsers, SBOM and snapshot.

Changes in this release

Feature Low

Adds an aegis --version flag, errors when --json and --sarif are both given, and adds a --fail-on option to image scan.

Source: llm_adapter@2026-05-31

Confidence: high

Feature Low

Adds Hex.pm and pub.dev registry clients for package source fetching.

Source: llm_adapter@2026-05-31

Confidence: high

Feature Low

Expands supported ecosystems to include R/CRAN, Haskell/Hackage, Perl/CPAN (total 15).

Source: llm_adapter@2026-05-31

Confidence: high

Feature Low

Strengthens heuristics with new source patterns for R, Perl, Dart, Swift and Elixir, and adds CRAN/Hackage/CPAN typosquat lists.

Source: llm_adapter@2026-05-31

Confidence: high

Feature Low

Implements licensefetch for Cargo, RubyGems and NuGet, adds the CocoaPods ecosystem, and fixes npx/deno standalone detection.

Source: llm_adapter@2026-05-31

Confidence: high

Bugfix Medium

Enforces mutual exclusivity of the allow/deny-licenses flags and names --min-severity in its error message.

Source: llm_adapter@2026-05-31

Confidence: high

Bugfix Medium

Correctly resolves npm licenses and deps.dev deprecation data during enrichment.

Source: llm_adapter@2026-05-31

Confidence: high

Bugfix Medium

Factors advisories into the explain verdict and finds dependencies across all ecosystems.

Source: llm_adapter@2026-05-31

Confidence: high

Bugfix Medium

Prevents recommending downgrades and adds upgrade commands for pub, Swift, CRAN, Hackage, CPAN, CocoaPods, Hex.

Source: llm_adapter@2026-05-31

Confidence: high

Bugfix Medium

Emits detected vulnerabilities in SPDX SBOM output for compliance reporting.

Source: llm_adapter@2026-05-31

Confidence: high

Bugfix Low

Falls back to the local offline engine when Cloud is unreachable (gate), and fixes the recheck command's --fail-on-error flag.

Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Bugfix Low

Strips the cabal 'any.' constraint prefix in the Hackage parser instead of skipping those entries.

Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Bugfix Low

Defeats split-string obfuscation in the malware-pattern matcher heuristics.

Source: granite4.1:30b@2026-05-31-audit

Confidence: low
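How a matcher can see through this class of obfuscation, as an added illustration and not aegis-cli's own code (the JavaScript sample, the rule names and the regular expressions are constructed for the example): fold every run of string literals joined by + into one canonical double-quoted literal before the pattern pass, so that "chi" + 'ld_pr' + "ocess" hits the same require("child_process") rule as the plain form, and single-quoted strings are canonicalised to double quotes on the way.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// readLiteral decodes the JS string literal that starts at src[i] (a ' or ")
// and returns its content and the index just past the closing quote. ok is
// false for an unterminated literal (end of line or end of input).
func readLiteral(src string, i int) (content string, next int, ok bool) {
	q := src[i]
	var sb strings.Builder
	for j := i + 1; j < len(src); j++ {
		switch c := src[j]; {
		case c == '\\' && j+1 < len(src):
			j++
			switch src[j] {
			case 'n':
				sb.WriteByte('\n')
			case 't':
				sb.WriteByte('\t')
			default:
				sb.WriteByte(src[j]) // \" \' \\ and any other escaped byte
			}
		case c == q:
			return sb.String(), j + 1, true
		case c == '\n':
			return "", i, false
		default:
			sb.WriteByte(c)
		}
	}
	return "", i, false
}

// skipSpace skips blanks and line breaks, so concatenations split across lines fold too.
func skipSpace(src string, i int) int {
	for i < len(src) && (src[i] == ' ' || src[i] == '\t' || src[i] == '\r' || src[i] == '\n') {
		i++
	}
	return i
}

// foldConcats rewrites each run of string literals joined by "+" into a single
// double-quoted literal and copies everything else through unchanged.
func foldConcats(src string) string {
	var out strings.Builder
	for i := 0; i < len(src); {
		c := src[i]
		lit, next, ok := "", 0, false
		if c == '"' || c == '\'' {
			lit, next, ok = readLiteral(src, i)
		}
		if !ok {
			out.WriteByte(c)
			i++
			continue
		}
		for { // absorb each following `+ "<literal>"`
			j := skipSpace(src, next)
			if j >= len(src) || src[j] != '+' {
				break
			}
			k := skipSpace(src, j+1)
			if k >= len(src) || (src[k] != '"' && src[k] != '\'') {
				break
			}
			more, after, ok2 := readLiteral(src, k)
			if !ok2 {
				break
			}
			lit, next = lit+more, after
		}
		out.WriteString(strconv.Quote(lit))
		i = next
	}
	return out.String()
}

// suspicious holds constructed rules whose matches depend on literal contents.
var suspicious = map[string]*regexp.Regexp{
	"child_process": regexp.MustCompile(`require\(\s*"child_process"\s*\)`),
	"dynamic eval":  regexp.MustCompile(`\beval\s*\(|\["eval"\]`),
	"reads passwd":  regexp.MustCompile(`/etc/passwd`),
}

// matchPatterns returns the sorted names of the rules that hit the text as given.
func matchPatterns(src string) []string {
	var hits []string
	for name, re := range suspicious {
		if re.MatchString(src) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

// scan normalises concatenated literals first, then runs the same rules.
func scan(src string) []string { return matchPatterns(foldConcats(src)) }

// sample is a constructed snippet in the style of split-string obfuscation.
const sample = `const cp = require("chi" + 'ld_pr' + "ocess");
cp.exec("cat " +
        "/etc/" + "passwd");
window["ev" + "al"]("1+1");`

func main() {
	fmt.Println("raw:       ", matchPatterns(sample))
	fmt.Println("normalised:", scan(sample))
	fmt.Println(foldConcats(sample))
}
```

On the sample the raw pass reports nothing and the normalised pass reports all three rules. The normaliser only handles + concatenation; array .join(""), String.fromCharCode and template literals are other common splitting tricks that would need their own folding step, and a quote inside a comment or regex literal can make it re-quote a stretch of text, which is harmless for matching but means the output is for detection, not for rewriting source.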

Bugfix Low

Lowercases CocoaPods error strings for consistent lint output.

Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Bugfix Low

Corrects ecosystem casing and skips unsupported ecosystems during OSV vulnerability lookup.

Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Bugfix Low

Rejects malformed go.sum and requirements.txt entries in parsers.

Source: granite4.1:30b@2026-05-31-audit

Confidence: low
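The two parser fixes above (the cabal 'any.' prefix in the Hackage parser, and malformed go.sum lines) rest on the same principle: strip the qualifiers you understand, reject the shapes you do not, and never keep a half-parsed entry. The example below shows both in Go as an added illustration, not the project's code; the cabal.project.freeze excerpt and the go.sum lines are constructed fixtures, the zero-byte h1 digest is a syntactic placeholder rather than any module's real hash, and requirements.txt is not covered.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Pin is an exact version constraint recovered from a cabal freeze file.
type Pin struct{ Name, Version string }

// parseCabalFreeze reads the "constraints:" field of cabal.project.freeze text.
// cabal writes most entries as "any.<pkg> ==<ver>"; "any." is a qualifier
// (apply to every goal, setup and build-tool deps included), not part of the
// name, so it is stripped. Entries without "==" (flag constraints such as
// "aeson -cffi") are not version pins and are left out.
func parseCabalFreeze(src string) []Pin {
	var parts []string
	inField := false
	for _, line := range strings.Split(src, "\n") {
		if inField && len(line) > 0 && (line[0] == ' ' || line[0] == '\t') {
			parts = append(parts, strings.TrimSpace(line)) // indented continuation
			continue
		}
		name, rest, ok := strings.Cut(line, ":")
		inField = ok && strings.EqualFold(strings.TrimSpace(name), "constraints")
		if inField {
			parts = append(parts, strings.TrimSpace(rest))
		}
	}
	var pins []Pin
	for _, entry := range strings.Split(strings.Join(parts, " "), ",") {
		f := strings.Fields(entry)
		if len(f) < 2 || !strings.HasPrefix(f[1], "==") || len(f[1]) == 2 {
			continue
		}
		pins = append(pins, Pin{strings.TrimPrefix(f[0], "any."), f[1][2:]})
	}
	return pins
}

// GoSumEntry is one accepted go.sum line.
type GoSumEntry struct {
	Module, Version, Hash string
	GoMod                 bool // the "<version>/go.mod" companion line
}

// parseGoSumLine accepts only "<module> <version>[/go.mod] h1:<base64>" where
// the base64 decodes to exactly one SHA-256 digest. Extra fields, a version
// without its leading "v", or a truncated or foreign hash are errors.
func parseGoSumLine(line string) (GoSumEntry, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return GoSumEntry{}, fmt.Errorf("want 3 fields, got %d", len(f))
	}
	ver := strings.TrimSuffix(f[1], "/go.mod")
	if len(ver) < 2 || ver[0] != 'v' {
		return GoSumEntry{}, fmt.Errorf("bad version %q", f[1])
	}
	if !strings.HasPrefix(f[2], "h1:") {
		return GoSumEntry{}, fmt.Errorf("unsupported hash %q", f[2])
	}
	raw, err := base64.StdEncoding.DecodeString(f[2][3:])
	if err != nil || len(raw) != sha256.Size {
		return GoSumEntry{}, fmt.Errorf("h1 value is not base64(SHA-256): %q", f[2])
	}
	return GoSumEntry{f[0], ver, f[2], strings.HasSuffix(f[1], "/go.mod")}, nil
}

// Constructed fixtures, not real files. zeroHash is the base64 of 32 zero
// bytes: syntactically valid for h1, not any module's digest.
const cabalFixture = `constraints: any.Cabal ==3.10.1.0,
             any.aeson ==2.2.1.0,
             aeson -cffi +ordered-keymap,
             any.base ==4.18.1.0,
             any.text ==2.0.2
index-state: hackage.haskell.org 2024-01-15T00:00:00Z
`

var zeroHash = "h1:" + base64.StdEncoding.EncodeToString(make([]byte, sha256.Size))

var goSumFixture = []string{
	"golang.org/x/text v0.14.0 " + zeroHash,        // accepted
	"golang.org/x/text v0.14.0/go.mod " + zeroHash, // accepted, GoMod=true
	"golang.org/x/text 0.14.0 " + zeroHash,         // rejected: version lacks "v"
	"golang.org/x/text v0.14.0 h1:c2hvcnQ=",        // rejected: digest is 5 bytes
	"golang.org/x/text v0.14.0 " + zeroHash + " x", // rejected: trailing field
}

func main() {
	for _, p := range parseCabalFreeze(cabalFixture) {
		fmt.Printf("hackage pin: %s %s\n", p.Name, p.Version)
	}
	for _, l := range goSumFixture {
		if e, err := parseGoSumLine(l); err != nil {
			fmt.Println("go.sum rejected:", err)
		} else {
			fmt.Printf("go.sum ok: %s %s (go.mod=%v)\n", e.Module, e.Version, e.GoMod)
		}
	}
}
```

The freeze fixture yields four pins (Cabal, aeson, base, text) and drops the flag-only aeson line; skipping every entry that carried the 'any.' prefix would instead have dropped all four, which is the failure the fix addresses. The go.sum side accepts the two well-formed lines and rejects the other three, so a tampered or truncated line surfaces as a parse error rather than as an entry with an unverifiable hash.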

Bugfix Low

Drops redundant int type declarations in the Hex and pub clients (staticcheck QF1011).

Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Bugfix Low

Scores heuristic capabilities on ecosystems lacking AST scanners.

Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Bugfix Low

Persists advisories, license info, deprecations, and provenance in aegis.lock during snapshot.

Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Bugfix Low

Gracefully skips unknown ecosystems in astscan instead of erroring.

Source: granite4.1:30b@2026-05-31-audit

Confidence: low

Full changelog

aegis-cli v0.28.0

Supply-chain security CLI for npm / bun / yarn / pnpm.

Verifying releases

All artifacts are checksummed (checksums.txt) and the checksums file
is signed via cosign keyless OIDC. To verify:

cosign verify-blob \
  --certificate-identity-regexp '^https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature   checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt

cosign matches the identity regexp anywhere in the certificate's SAN, so
the leading ^ anchors it to the start. The trailing .* accepts any git
ref; for a release built by the workflow on the tag push it can be
replaced with @refs/tags/v0.28.0$ to pin the signature to this tag. If
you downloaded only some of the artifacts, pass --ignore-missing to
sha256sum -c so the absent files do not fail the check.

SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf (or with
--repo qwexvf/aegis-cli to accept only this repository's workflows).

Changelog

Features

  • db65ec9bfb163df9cb8043440b5ecf4903ed3dfa: feat(ast): cocoapods/dart/haskell AST scanners (@qwexvf)
  • ecb89db5337c6ba8420d26e1cd051de7de893d8a: feat(cli): aegis --version flag, --json/--sarif conflict error, image scan --fail-on (@qwexvf)
  • 21843812bb5ef7cb2fd634987d89f52ab0f9b517: feat(registry): hex.pm and pub.dev clients (@qwexvf)
  • 36a7d7cd20a95510ca6e86a455fd617cdba03a22: feat: add R/CRAN, Haskell/Hackage, Perl/CPAN ecosystems (12→15) (@qwexvf)
  • 26601a3fe4a59e180b7261e079297a73f26a1575: feat: heuristics strengthening — R/Perl/Dart/Swift/Elixir source patterns, CRAN/Hackage/CPAN typosquat lists, 5 new incident fixtures (@qwexvf)
  • 0268356e42093658dd12dbf651df205606828f2b: feat: licensefetch for Cargo/RubyGems/NuGet, CocoaPods ecosystem, fix npx/deno standalone detection (@qwexvf)

Bug fixes

  • 58fe0bef0d59d2eca822d40a0eab8f9da985d9c9: fix(cli): enforce allow/deny-licenses mutual exclusivity; name --min-severity in error (@qwexvf)
  • 1e8a981e2a95b3b16a909dda43e5b0e1ee7f8c5b: fix(enrich): resolve npm licenses and deps.dev deprecation correctly (@qwexvf)
  • 23366373cf50ae6eec5738e454acdef404c33d46: fix(explain): factor advisories into verdict and find deps across ecosystems (@qwexvf)
  • ccd6dcedc502c181c1e0dbe1c6f66db489ee80cc: fix(fix): never recommend a downgrade; add upgrade commands for pub/swift/cran/hackage/cpan/cocoapods/hex (@qwexvf)
  • f3c1d7f312a6feff076703dfb07e2e5bdaba3884: fix(gate): fall back to local offline engine when Cloud unreachable; recheck --fail-on-error (@qwexvf)
  • f80c489e23767e5f7933f7fc048c2c8210869d7c: fix(hackage): strip cabal 'any.' constraint prefix instead of skipping (@qwexvf)
  • 9a078ba8c707711c5b995cac9c886669914c13d0: fix(heuristics): defeat split-string obfuscation in malware-pattern matcher (@qwexvf)
  • db803a304896e4de87f2c004cfa239f46f055059: fix(lint): lowercase cocoapods error strings (@qwexvf)
  • 3d6719018e6658fa93cb51569eba4a17b2695535: fix(osv): correct ecosystem casing and skip unsupported ecosystems in vuln lookup (@qwexvf)
  • c37242319592850361bbf71e182c9e9a6f25e75c: fix(parsers): reject malformed go.sum and requirements.txt entries (@qwexvf)
  • a76e4dd2d525c13b51b4d1b5c669f0a2d5c7c70f: fix(registry): drop redundant int type in hex/pub clients (QF1011) (@qwexvf)
  • 893f2d4f296b1986c5298a51818b76aa4b814588: fix(risk): score heuristic capabilities on ecosystems with no AST scanner (@qwexvf)
  • 82cd45a6aed57913acc898ee7c0da2b9d6881405: fix(sbom): emit vulnerabilities in SPDX output (@qwexvf)
  • 8337b8f18da1f78736134c44fcff1b10c748bcc1: fix(snapshot): persist advisories, license, deprecation, provenance in aegis.lock (@qwexvf)
  • ce0eb07956fb9d69d35b4dbd46d50bb63f329bf1: fix: astscan gracefully skips unknown ecosystems instead of erroring (@qwexvf)

Documentation

  • ab5656e53c381d6151702e2a01637deaada08028: docs(site): add aegis analyze --ecosystem / --baseline + neovim section (@qwexvf)
  • 7514c95ee3be70bad6be43cab7c9e1d3975306d6: docs: update README ecosystem table (9→15), CHANGELOG, regenerate man pages (@qwexvf)
  • 066cd0061020f29a6c3d324e069ebacb98e9af6f: docs: v0.28.0 changelog, regenerate man pages, document recheck --fail-on-error and image scan --fail-on (@qwexvf)

Other

  • 8466cc2a01e6fe840087e5f35d0d8aaf6a387abb: merge feat/ast-cocoapods-dart-haskell (@qwexvf)
  • 3a347be2223f6c80e9298a1e74759018f77ee61f: merge feat/registry-hex-pub (@qwexvf)
  • 32e29e41c2cf45c0bdafe83e2a8377248e40cf83: merge test/cocoapods-parser (@qwexvf)
  • 51028a255781ca121fffd02aa5e3bb13c05a6f11: test(cocoapods): add podspec parser tests (@qwexvf)
  • 1053d757774437326b5a8838dafa1ee636527746: test(osv): use strings.Join instead of += loop (modernize lint) (@qwexvf)

Apache-2.0 — see LICENSE.
