Skip to content

Releases: draugr-dev/draugr

v0.20.0

Choose a tag to compare

@github-actions github-actions released this 17 Jul 05:17
69101f2

Added

  • draugr diff <base.sarif> <head.sarif> — compare two scans and classify every finding as
    new / fixed / unchanged, with a delta by severity and priority. The headline use case is a
    PR's security impact vs its base branch. Adds a differential gate (--fail-on-new /
    --fail-on-new-priority) that fails a build only for findings the change introduces, not the
    pre-existing backlog — so gating stays adoptable. Renders as console, markdown (a ready-made
    MR comment), or json. Findings are matched line-insensitively, so carried-over findings that
    merely moved lines aren't reported as fixed + new.
  • Two more draugr scan --format outputs. html renders a self-contained, browser-viewable
    report (inline CSS, no assets) you can publish as a build artifact; junit emits JUnit XML so
    CI systems (GitLab, Jenkins, Azure DevOps…) surface findings in their native test-results panel
    — one <testsuite> per control, one failing <testcase> per finding. Both plug into the same
    Reporter interface as console/markdown/json/sarif.

v0.19.0

Choose a tag to compare

@github-actions github-actions released this 17 Jul 04:19
5c9770b

Added

  • Human-readable report formats, independent of GitHub/ADO. draugr scan --format selects
    the stdout format: console (a grouped summary — verdict, P1–P4 counts, "fix first"),
    markdown (portable for GitLab/Bitbucket MR comments, wikis, Slack), plus json and
    sarif. Built on a new pluggable Reporter interface (first slice of #58).

Changed

  • draugr scan now prints the console summary by default instead of raw JSON — the common
    interactive/CI-log case is now readable at a glance. Use --format json (or --output for
    report.json + results.sarif) for machine consumption. --output is unchanged.

v0.18.0

Choose a tag to compare

@github-actions github-actions released this 17 Jul 01:45
2f360e9

Added

  • draugr controls — list the security controls Draugr can run: what each checks, its
    scope, and which scanner(s) implement it (default, plus opt-in alternatives like gosec marked
    *). Makes it easy to see what Draugr covers and how to enable each control.
  • draugr tools list now shows a CONTROLS column — which control(s) each tool backs (e.g.
    trivyimages,sca,iac), so it's clear why a given scanner matters. controls maps
    control → scanners; tools list maps tool → controls.

v0.17.0

Choose a tag to compare

@github-actions github-actions released this 17 Jul 01:20
307410e

Added

  • draugr self-update — update the running binary in place to the latest release (or a
    pinned --version), verified against the release's SHA-256 checksums and, when the cosign
    CLI is present, its keyless signature. --check reports current vs latest without changing
    anything; -y skips the prompt. Because it replaces the binary you're actually running, it
    avoids the stale-copy/PATH confusion of having draugr installed in two places. (CI should
    still pin a release.)
  • draugr doctor now reports your Draugr version vs the latest available (best-effort,
    short timeout), nudging self-update when you're behind. Opt out with --offline or
    DRAUGR_NO_UPDATE_CHECK=1; it never blocks or fails the command.
  • draugr tools install shows an install plan and confirms interactively. It prints the
    plan first — tool, version, category, verification, destination — and asks for
    confirmation on a TTY (-y to skip, --dry-run to only preview); CI/pipes proceed
    automatically.
  • cosign is now installable (draugr tools install cosign) — a pinned, SHA-256-verified
    utility. It's what Draugr uses to verify other tools' and its own releases' provenance, so
    making it installable lets signature verification "just work" without hunting for it. Optional:
    doctor reports it but never fails when absent.
  • draugr tools list gained a CATEGORY column (scanner vs utility).

Changed

  • draugr self-update now prompts only when interactive (consistent with tools install):
    a TTY gets the prompt; CI/pipes proceed automatically. -y still skips it.

v0.16.0

Choose a tag to compare

@github-actions github-actions released this 16 Jul 23:34
07134a4

Added

  • draugr scan -j/--jobs N — cap how many scan jobs run in parallel (0 = auto, one per
    CPU; 1 = serial). Scanners like Trivy and Semgrep are themselves multi-threaded, so on a
    small or busy machine the default can oversubscribe and slow a run down — -j lets you dial
    it in (down on a laptop, up on a big CI runner). The run's JSON stats now also reports the
    effective concurrency and the deduped count (identical jobs collapsed in-run), so
    you can see the effect and tune from evidence.

v0.15.0

Choose a tag to compare

@github-actions github-actions released this 16 Jul 16:01
c98371c

Added

  • SLSA build provenance for releases. Each release now publishes signed build provenance
    attestations
    for its archives and checksums.txt (GitHub attest-build-provenance), so you
    can verify where and how a binary was built:
    gh attestation verify draugr_<ver>_<os>_<arch>.tar.gz --repo draugr-dev/draugr. This is on
    top of the existing cosign-signed checksums and SBOMs.

v0.14.0

Choose a tag to compare

@github-actions github-actions released this 16 Jul 14:55
b69efd7

Added

  • gosec as a second sast scanner. The sast control can now run gosec — a
    Go-specialized static analyzer — alongside (or instead of) Semgrep. Select the scanner set
    with controllers.sast.scanners: [semgrep, gosec] (default [semgrep]); it works at the
    project level or as a per-component override, so you can enable gosec just on your Go
    components. draugr tools install gosec provisions a pinned, SHA-256-verified binary, and
    draugr doctor knows about it. gosec is Go-only (it errors on non-Go repos), which is why
    it's opt-in.

v0.13.0

Choose a tag to compare

@github-actions github-actions released this 16 Jul 03:58
e2dbfa7

Changed

  • Releases now sign with the modern Sigstore bundle. The release's checksums.txt is
    signed with keyless cosign into a single checksums.txt.sigstore.json bundle (via
    cosign-installer v4), replacing the separate checksums.txt.sig + .pem files. Verify with
    cosign verify-blob --bundle checksums.txt.sigstore.json --certificate-identity-regexp … ….
    The self-scan, the GitHub Action, and the docs verify the new bundle; the install/quickstart
    recipes are updated accordingly.

Added

  • draugr tools install now verifies upstream cosign signatures (where the upstream
    publishes them), on top of the mandatory SHA-256 pin. For Trivy, Draugr verifies the keyless
    signature over the release's checksums file — checking the signing certificate identity and
    OIDC issuer via the cosign CLI, then confirming the downloaded archive is listed in the
    signed checksums — giving signed provenance, not just integrity. It degrades gracefully to
    SHA-256-only (with a note) when cosign isn't installed or the upstream isn't signed (e.g.
    gitleaks); if cosign is present but verification fails, the install aborts. Each installed
    tool reports what was verified.

v0.12.1

Choose a tag to compare

@github-actions github-actions released this 16 Jul 03:13
d581be9

Changed

  • Action metadata for the GitHub Marketplace. Renamed the action to
    Draugr Security Scan (a Marketplace name must be unique across all actions/users/orgs)
    and shortened its description to meet the 125-character limit. No behavior or input change —
    uses: draugr-dev/draugr@… is unchanged.

Added

  • First-party GitHub Action. Add Draugr to CI and GitHub code scanning with
    uses: draugr-dev/draugr@vX.Y.Z — it downloads a cosign-verified Draugr release for the
    runner, runs draugr scan against your Saga, and exposes the merged SARIF (sarif output)
    for upload-sarif, so findings land as one clean Draugr tool in the Security tab.
    Inputs cover saga, version, fail-on, fail-on-priority, min-priority, cache-dir,
    output, working-directory, and a raw-args escape hatch; the release signature is
    cosign-verified by default. Draugr's own self-scan now dogfoods this action.

v0.12.0

Choose a tag to compare

@github-actions github-actions released this 16 Jul 02:41
aa16301

Added

  • First-party GitHub Action. Add Draugr to CI and GitHub code scanning with
    uses: draugr-dev/draugr@vX.Y.Z — it downloads a cosign-verified Draugr release for the
    runner, runs draugr scan against your Saga, and exposes the merged SARIF (sarif output)
    for upload-sarif, so findings land as one clean Draugr tool in the Security tab.
    Inputs cover saga, version, fail-on, fail-on-priority, min-priority, cache-dir,
    output, working-directory, and a raw-args escape hatch; the release signature is
    cosign-verified by default. Draugr's own self-scan now dogfoods this action.