Releases: qingxuantang/tar-engine
Releases · qingxuantang/tar-engine
Release list
v0.3.0 — SARIF output + external tool wrappers + --strict mode
Adds SARIF 2.1.0 output for GitHub Security tab integration, optional wrappers around shellcheck / semgrep / trufflehog / gitleaks, a --strict severity gate, and a check-tools discovery subcommand. Zero overlap with v0.2.0's ergonomic surface.
What's new
SARIF output (--format sarif)
- Emits SARIF 2.1.0 consumable by
github/codeql-action/upload-sarif@v2 - Auto-builds rules registry from unique rule_ids
invocations[]carries commandLine + exitCode for reproducibility
External scanner orchestration
Plugin Scanner protocol with 4 wrappers (each auto-skips if the tool isn't installed):
shellcheck— bash / sh static analysissemgrep— multi-language code security (community rules via--config=auto)trufflehog— verified-secret detectiongitleaks— fallback secret scanner
Findings normalize into the tar-engine schema with scanner field for provenance attribution.
CLI extensions
--format pretty|json|sarif(--jsonkept as alias)--output FILEfor JSON / SARIF output files--strict— exit 1 on any warning+ severity finding (complements--min-score)--no-external-scanners— opt out of optional tool integrationcheck-toolssubcommand — shows availability + version + install hint for all 4 external scanners
Pretty output
- Per-skill "Scanners:" status line
- Summary surfaces skipped scanners as install suggestions pointing at
check-tools
CI integration example
- name: Audit AI skills
run: |
pipx install tar-engine-mcp
tar-engine scan ./skills --min-score 70 --format sarif -o results.sarif
- name: Upload SARIF to GitHub Security
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarifInstall
claude mcp add tar-engine -- uvx --from "git+https://github.com/qingxuantang/tar-engine@v0.3.0" tar-engine-mcp
Backwards compatibility
--jsonstill works as an alias for--format json- Existing v0.2.0 invocations behave identically — external scanners default-on but graceful-skip when absent
- All MCP server entries unchanged
v0.2.0 — tar-engine scan CLI, multi-format discovery, quality lint rules
New tar-engine scan CLI for CI usage. Drop into GitHub Actions / pre-commit hooks to audit AI skill safety before you ship.
What's new
CLI (new tar-engine console script)
scan <path>andlist <path>subcommands- 5-format discovery:
SKILL.md,.claude/commands/*.md,skill.yaml,manifest.json,opencode.json - Side-file scan: bundles
.sh / .py / .js / .ts / .yaml / .jsonhelpers in the skill directory into the audit payload (200 KB cap). Catches the "SKILL.md clean but install.sh malicious" pattern. - Flags:
--min-score N,--json,--concurrency,--lang en|zh,-v - Exit codes:
0clean,1below threshold,2usage error
Engine
- 2 new informational quality lint rules:
QL-001shell-no-error-handlingQL-002unpinned-install
- New
qualitycategory in score breakdown - RULE_SET_VERSION bumped to 1.1.0
Install
claude mcp add tar-engine -- uvx --from "git+https://github.com/qingxuantang/tar-engine@v0.2.0" tar-engine-mcp
Backwards compatibility
tar-engine-mcpMCP server entry unchanged- New
tar-enginebinary is additive
Deferred
QL-003 broken_anchor_link— naive regex false-positives on every valid anchor link, needscheck_documentcross-reference hook. Tracked as a follow-up.