Skip to content

Releases: qingxuantang/tar-engine

v0.3.0 — SARIF output + external tool wrappers + --strict mode

Choose a tag to compare

@qingxuantang qingxuantang released this 16 Jun 01:43
0de383e

Adds SARIF 2.1.0 output for GitHub Security tab integration, optional wrappers around shellcheck / semgrep / trufflehog / gitleaks, a --strict severity gate, and a check-tools discovery subcommand. Zero overlap with v0.2.0's ergonomic surface.

What's new

SARIF output (--format sarif)

  • Emits SARIF 2.1.0 consumable by github/codeql-action/upload-sarif@v2
  • Auto-builds rules registry from unique rule_ids
  • invocations[] carries commandLine + exitCode for reproducibility

External scanner orchestration

Plugin Scanner protocol with 4 wrappers (each auto-skips if the tool isn't installed):

  • shellcheck — bash / sh static analysis
  • semgrep — multi-language code security (community rules via --config=auto)
  • trufflehog — verified-secret detection
  • gitleaks — fallback secret scanner

Findings normalize into the tar-engine schema with scanner field for provenance attribution.

CLI extensions

  • --format pretty|json|sarif (--json kept as alias)
  • --output FILE for JSON / SARIF output files
  • --strict — exit 1 on any warning+ severity finding (complements --min-score)
  • --no-external-scanners — opt out of optional tool integration
  • check-tools subcommand — shows availability + version + install hint for all 4 external scanners

Pretty output

  • Per-skill "Scanners:" status line
  • Summary surfaces skipped scanners as install suggestions pointing at check-tools

CI integration example

- name: Audit AI skills
  run: |
    pipx install tar-engine-mcp
    tar-engine scan ./skills --min-score 70 --format sarif -o results.sarif

- name: Upload SARIF to GitHub Security
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: results.sarif

Install

claude mcp add tar-engine -- uvx --from "git+https://github.com/qingxuantang/tar-engine@v0.3.0" tar-engine-mcp

Backwards compatibility

  • --json still works as an alias for --format json
  • Existing v0.2.0 invocations behave identically — external scanners default-on but graceful-skip when absent
  • All MCP server entries unchanged

v0.2.0 — tar-engine scan CLI, multi-format discovery, quality lint rules

Choose a tag to compare

@qingxuantang qingxuantang released this 16 Jun 01:41

New tar-engine scan CLI for CI usage. Drop into GitHub Actions / pre-commit hooks to audit AI skill safety before you ship.

What's new

CLI (new tar-engine console script)

  • scan <path> and list <path> subcommands
  • 5-format discovery: SKILL.md, .claude/commands/*.md, skill.yaml, manifest.json, opencode.json
  • Side-file scan: bundles .sh / .py / .js / .ts / .yaml / .json helpers in the skill directory into the audit payload (200 KB cap). Catches the "SKILL.md clean but install.sh malicious" pattern.
  • Flags: --min-score N, --json, --concurrency, --lang en|zh, -v
  • Exit codes: 0 clean, 1 below threshold, 2 usage error

Engine

  • 2 new informational quality lint rules:
    • QL-001 shell-no-error-handling
    • QL-002 unpinned-install
  • New quality category in score breakdown
  • RULE_SET_VERSION bumped to 1.1.0

Install

claude mcp add tar-engine -- uvx --from "git+https://github.com/qingxuantang/tar-engine@v0.2.0" tar-engine-mcp

Backwards compatibility

  • tar-engine-mcp MCP server entry unchanged
  • New tar-engine binary is additive

Deferred

  • QL-003 broken_anchor_link — naive regex false-positives on every valid anchor link, needs check_document cross-reference hook. Tracked as a follow-up.