Releases: draugr-dev/draugr
Releases · draugr-dev/draugr
Release list
v0.20.0
Added
draugr diff <base.sarif> <head.sarif>— compare two scans and classify every finding as
new / fixed / unchanged, with a delta by severity and priority. The headline use case is a
PR's security impact vs its base branch. Adds a differential gate (--fail-on-new/
--fail-on-new-priority) that fails a build only for findings the change introduces, not the
pre-existing backlog — so gating stays adoptable. Renders asconsole,markdown(a ready-made
MR comment), orjson. Findings are matched line-insensitively, so carried-over findings that
merely moved lines aren't reported as fixed + new.- Two more
draugr scan --formatoutputs.htmlrenders a self-contained, browser-viewable
report (inline CSS, no assets) you can publish as a build artifact;junitemits JUnit XML so
CI systems (GitLab, Jenkins, Azure DevOps…) surface findings in their native test-results panel
— one<testsuite>per control, one failing<testcase>per finding. Both plug into the same
Reporter interface asconsole/markdown/json/sarif.
v0.19.0
Added
- Human-readable report formats, independent of GitHub/ADO.
draugr scan --formatselects
the stdout format:console(a grouped summary — verdict, P1–P4 counts, "fix first"),
markdown(portable for GitLab/Bitbucket MR comments, wikis, Slack), plusjsonand
sarif. Built on a new pluggable Reporter interface (first slice of #58).
Changed
draugr scannow prints the console summary by default instead of raw JSON — the common
interactive/CI-log case is now readable at a glance. Use--format json(or--outputfor
report.json+results.sarif) for machine consumption.--outputis unchanged.
v0.18.0
Added
draugr controls— list the security controls Draugr can run: what each checks, its
scope, and which scanner(s) implement it (default, plus opt-in alternatives like gosec marked
*). Makes it easy to see what Draugr covers and how to enable each control.draugr tools listnow shows a CONTROLS column — which control(s) each tool backs (e.g.
trivy→images,sca,iac), so it's clear why a given scanner matters.controlsmaps
control → scanners;tools listmaps tool → controls.
v0.17.0
Added
draugr self-update— update the running binary in place to the latest release (or a
pinned--version), verified against the release's SHA-256 checksums and, when thecosign
CLI is present, its keyless signature.--checkreports current vs latest without changing
anything;-yskips the prompt. Because it replaces the binary you're actually running, it
avoids the stale-copy/PATH confusion of having draugr installed in two places. (CI should
still pin a release.)draugr doctornow reports your Draugr version vs the latest available (best-effort,
short timeout), nudgingself-updatewhen you're behind. Opt out with--offlineor
DRAUGR_NO_UPDATE_CHECK=1; it never blocks or fails the command.draugr tools installshows an install plan and confirms interactively. It prints the
plan first — tool, version, category, verification, destination — and asks for
confirmation on a TTY (-yto skip,--dry-runto only preview); CI/pipes proceed
automatically.- cosign is now installable (
draugr tools install cosign) — a pinned, SHA-256-verified
utility. It's what Draugr uses to verify other tools' and its own releases' provenance, so
making it installable lets signature verification "just work" without hunting for it. Optional:
doctorreports it but never fails when absent. draugr tools listgained a CATEGORY column (scanner vs utility).
Changed
draugr self-updatenow prompts only when interactive (consistent withtools install):
a TTY gets the prompt; CI/pipes proceed automatically.-ystill skips it.
v0.16.0
Added
draugr scan -j/--jobs N— cap how many scan jobs run in parallel (0= auto, one per
CPU;1= serial). Scanners like Trivy and Semgrep are themselves multi-threaded, so on a
small or busy machine the default can oversubscribe and slow a run down —-jlets you dial
it in (down on a laptop, up on a big CI runner). The run's JSONstatsnow also reports the
effectiveconcurrencyand thededupedcount (identical jobs collapsed in-run), so
you can see the effect and tune from evidence.
v0.15.0
Added
- SLSA build provenance for releases. Each release now publishes signed build provenance
attestations for its archives andchecksums.txt(GitHubattest-build-provenance), so you
can verify where and how a binary was built:
gh attestation verify draugr_<ver>_<os>_<arch>.tar.gz --repo draugr-dev/draugr. This is on
top of the existing cosign-signed checksums and SBOMs.
v0.14.0
Added
- gosec as a second
sastscanner. Thesastcontrol can now run gosec — a
Go-specialized static analyzer — alongside (or instead of) Semgrep. Select the scanner set
withcontrollers.sast.scanners: [semgrep, gosec](default[semgrep]); it works at the
project level or as a per-component override, so you can enable gosec just on your Go
components.draugr tools install gosecprovisions a pinned, SHA-256-verified binary, and
draugr doctorknows about it. gosec is Go-only (it errors on non-Go repos), which is why
it's opt-in.
v0.13.0
Changed
- Releases now sign with the modern Sigstore bundle. The release's
checksums.txtis
signed with keyless cosign into a singlechecksums.txt.sigstore.jsonbundle (via
cosign-installer v4), replacing the separatechecksums.txt.sig+.pemfiles. Verify with
cosign verify-blob --bundle checksums.txt.sigstore.json --certificate-identity-regexp … ….
The self-scan, the GitHub Action, and the docs verify the new bundle; the install/quickstart
recipes are updated accordingly.
Added
draugr tools installnow verifies upstream cosign signatures (where the upstream
publishes them), on top of the mandatory SHA-256 pin. For Trivy, Draugr verifies the keyless
signature over the release's checksums file — checking the signing certificate identity and
OIDC issuer via thecosignCLI, then confirming the downloaded archive is listed in the
signed checksums — giving signed provenance, not just integrity. It degrades gracefully to
SHA-256-only (with a note) whencosignisn't installed or the upstream isn't signed (e.g.
gitleaks); ifcosignis present but verification fails, the install aborts. Each installed
tool reports what was verified.
v0.12.1
Changed
- Action metadata for the GitHub Marketplace. Renamed the action to
Draugr Security Scan (a Marketplace name must be unique across all actions/users/orgs)
and shortened its description to meet the 125-character limit. No behavior or input change —
uses: draugr-dev/draugr@…is unchanged.
Added
- First-party GitHub Action. Add Draugr to CI and GitHub code scanning with
uses: draugr-dev/draugr@vX.Y.Z— it downloads a cosign-verified Draugr release for the
runner, runsdraugr scanagainst your Saga, and exposes the merged SARIF (sarifoutput)
forupload-sarif, so findings land as one clean Draugr tool in the Security tab.
Inputs coversaga,version,fail-on,fail-on-priority,min-priority,cache-dir,
output,working-directory, and a raw-argsescape hatch; the release signature is
cosign-verified by default. Draugr's own self-scan now dogfoods this action.
v0.12.0
Added
- First-party GitHub Action. Add Draugr to CI and GitHub code scanning with
uses: draugr-dev/draugr@vX.Y.Z— it downloads a cosign-verified Draugr release for the
runner, runsdraugr scanagainst your Saga, and exposes the merged SARIF (sarifoutput)
forupload-sarif, so findings land as one clean Draugr tool in the Security tab.
Inputs coversaga,version,fail-on,fail-on-priority,min-priority,cache-dir,
output,working-directory, and a raw-argsescape hatch; the release signature is
cosign-verified by default. Draugr's own self-scan now dogfoods this action.