v0.27.0

@github-actions github-actions released this 12 Jun 13:32 · 1 commit to main since this release · 2ad546a

Aguara v0.27.0 makes the terminal experience consistent and well-behaved, and adds a native fuzz harness over every parser that reads untrusted input.

Every command now shares one visual language: the same palette, severity icons, framed verdicts, and section layout that scan introduced. And output finally adapts to where it is going - pipe a command, redirect to a file, or run in CI, and color and the spinner turn themselves off instead of littering logs with escape codes.

# One verdict across package check + content scan, framed and color-coded
aguara audit .

# List every content finding instead of the top 10
aguara audit . --verbose

# Piping no longer emits ANSI noise; NO_COLOR now covers every command
aguara scan . | less
NO_COLOR=1 aguara explain SUPPLY_001

# Grouped help with copy-paste examples
aguara --help

What's inside

  • Shared terminal style layer: scan, check, audit, explain, and clean use one style layer instead of hand-rolled ANSI codes. audit opens with a framed header, lists findings in aligned columns under PACKAGE CHECK and CONTENT SCAN sections, and closes with a framed verdict - green PASS, yellow FINDINGS, red FAIL. scan and audit end with a Next: aguara explain <rule> hint for the most severe finding.
  • Terminal detection done right: color and the spinner disable themselves when stdout is not an interactive terminal, when --output writes to a file, or when NO_COLOR is set. Separators and the spinner size themselves to the real terminal width. The FINDINGS verdict renders yellow instead of green: exit code 0 with unresolved findings is not a clean pass, and the color now says so.
  • Native fuzz harness: 22 Go fuzz targets cover every parser that touches attacker-controlled files - the ten lockfile parsers behind aguara check, the pattern engine with its NFKC normalization and 8-decoder rescan, the markdown/JSON/YAML NLP extractor, the JS/Python/Rust scanners, the policy analyzers, and the custom-rule loader. Each target asserts the parser never panics. Seed corpora run inside make test, a nightly workflow fuzzes every target and uploads any crasher as a reproducible artifact, and make fuzz runs the same loop locally. Initial shakeout: ~37M executions, zero crashes.
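
The shape of one such target, as an added illustration rather than Aguara's own code: the lockfile format, Dep, parseLock and FuzzParseLock are all constructed for this example. It shows the three parts the release describes, a seed corpus, the never-panics property the Go fuzzer enforces on its own, and a structural check that nothing half-parsed is ever accepted.

```go
package main

import (
	"fmt"
	"strings"
	"testing"
)

// Dep is one pinned dependency in a hypothetical, constructed lockfile format:
// one "name==version" per line, with '#' comments and blank lines allowed.
type Dep struct{ Name, Version string }

// parseLock parses untrusted lockfile bytes. Whatever the input, it must return an
// error rather than panic; that is the property the fuzz target below enforces.
func parseLock(data []byte) ([]Dep, error) {
	var deps []Dep
	for n, raw := range strings.Split(string(data), "\n") {
		line := strings.TrimSpace(raw) // also drops a trailing '\r' from CRLF files
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, version, ok := strings.Cut(line, "==")
		name, version = strings.TrimSpace(name), strings.TrimSpace(version)
		if !ok || name == "" || version == "" {
			return nil, fmt.Errorf("line %d: expected name==version", n+1)
		}
		deps = append(deps, Dep{Name: name, Version: version})
	}
	return deps, nil
}

// FuzzParseLock belongs in a _test.go file: `go test -fuzz=FuzzParseLock` mutates from
// the seeds, while a plain `go test` replays them plus any crasher saved under testdata/fuzz.
func FuzzParseLock(f *testing.F) {
	// Seed corpus: well-formed, comment-only, CRLF, and malformed inputs.
	for _, seed := range []string{"requests==2.31.0\n", "# lock\n\n", "a==1\r\nb == 2", "==1.0\n", "x=="} {
		f.Add([]byte(seed))
	}
	f.Fuzz(func(t *testing.T, data []byte) {
		deps, err := parseLock(data) // a panic here is what the fuzzer reports as a crasher
		// Rejecting input is fine; accepting a half-empty dependency is a parser bug.
		for _, d := range deps {
			if err == nil && (d.Name == "" || d.Version == "") {
				t.Fatalf("accepted %+v with an empty field", d)
			}
		}
	})
}
```

Running this under a nightly workflow with the crasher artifact uploaded, as the release describes, is what turns one-off fuzzing into a regression gate.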

JSON, SARIF, and markdown outputs are unchanged - only the human-facing terminal output evolved.

Install or upgrade

# Homebrew
brew install garagon/tap/aguara && brew upgrade aguara

# Install script (signed, checksum-verified)
curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | VERSION=v0.27.0 sh

# Docker (multi-arch, signed, SBOM + SLSA provenance)
docker run --rm -v "$PWD:/repo:ro" ghcr.io/garagon/aguara:0.27.0 check /repo

Compatibility

  • No flag removals. audit gains --verbose; --no-color keeps working as the explicit override.
  • Rule IDs, severities, and the JSON Severity encoding are unchanged. 250 cataloged detections.
  • JSON, SARIF, and markdown formatter contracts are unchanged.

Verify this release

cosign verify-blob \
  --certificate-identity-regexp 'github.com/garagon/aguara' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate checksums.txt.pem --signature checksums.txt.sig checksums.txt

cosign verify ghcr.io/garagon/aguara@sha256:93cd378ebcd488b12e80375370b7d0e8f25a29315c49cc73bd8ddb9ef6bc0f86 \
  --certificate-identity-regexp 'github.com/garagon/aguara' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Full changelog

See CHANGELOG.md for the complete entry, including the dependency and GitHub Actions updates.