v0.3.0

@ack1d ack1d released this 18 Feb 23:49

What's new in 0.3.0

This release focuses on DX and configuration: rule filtering from pyproject.toml,
built-in profiles, WebSocket support in the CLI, and a full integration test suite
across FastAPI, Litestar, and Starlette.

Highlights

  • Configuration - [tool.asgion] in pyproject.toml or .asgion.toml:
    min_severity, include_rules, exclude_rules, categories, glob patterns ("SEM-*").
  • Built-in profiles - --profile strict / recommended / minimal in CLI,
    or BUILTIN_PROFILES["recommended"] in Python API.
  • WebSocket checking - asgion check myapp:app --path ws:/ws/chat.
    Protocol prefix (ws:, wss:, http:, https:) determines scope type.
  • SEM-012 - CORS misconfiguration: Access-Control-Allow-Origin: * +
    Access-Control-Allow-Credentials: true (WARNING).
  • SEM-013 - text/* response missing charset in Content-Type (INFO).
  • CLI deduplication - repeated violations across multiple --path values
    are grouped in text output and collapsed in JSON (count, paths, summary.unique).
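The header conditions that SEM-012 and SEM-013 describe, as an added example that is not asgion's own code. The function names, the finding tuple format, and the sample messages are assumptions made for illustration; only the rule IDs and severities come from the notes above.

```python
# Added example: standalone checks over an ASGI "http.response.start" message.
# Names and the finding format are hypothetical, not asgion's API.

def header_values(message, name):
    """Return every value of a header; ASGI headers are (bytes, bytes) pairs."""
    return [
        value.decode("latin-1").strip()
        for key, value in message.get("headers", [])
        if key.lower() == name
    ]


def check_response_start(message):
    """Return (rule_id, severity, detail) tuples for one response start message."""
    findings = []
    origins = header_values(message, b"access-control-allow-origin")
    creds = header_values(message, b"access-control-allow-credentials")
    # SEM-012: wildcard origin together with credentials. The credentials
    # header only has meaning when its value is the literal "true".
    if "*" in origins and "true" in creds:
        findings.append(("SEM-012", "WARNING", "wildcard origin with credentials"))
    # SEM-013: a text/* media type with no charset parameter.
    for value in header_values(message, b"content-type"):
        media_type, *params = [part.strip().lower() for part in value.split(";")]
        has_charset = any(
            p.startswith("charset=") and len(p) > len("charset=") for p in params
        )
        if media_type.startswith("text/") and not has_charset:
            findings.append(("SEM-013", "INFO", media_type + " without charset"))
    return findings


# Constructed sample messages (not captured from a real application).
BAD = {"type": "http.response.start", "status": 200, "headers": [
    (b"content-type", b"text/html"),
    (b"access-control-allow-origin", b"*"),
    (b"access-control-allow-credentials", b"true"),
]}
GOOD = {"type": "http.response.start", "status": 200, "headers": [
    (b"content-type", b"text/html; charset=utf-8"),
    (b"access-control-allow-origin", b"https://app.example"),
    (b"access-control-allow-credentials", b"true"),
]}

if __name__ == "__main__":
    for label, msg in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_response_start(msg))
```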

Breaking Changes

Rule IDs changed: all gaps in ID sequences have been eliminated. If you reference
rule IDs in config files or suppression lists, update them:

Series   Old range                              New range
HE       005, 010–028                           004, 005–023
HF       003–015                                002–012
WE       002–023                                001–016
LE       003, 004, 006                          002, 003, 004
EX       EX-001..008 (extension field rules)    HE-016..023

Layer names renamed in categories config:

  • "extension" -> "http.extension"
  • "semantic" -> "http.semantic"

--url renamed to --path in asgion check.