Adds SARIF 2.1.0 output for GitHub Security tab integration, optional wrappers around shellcheck / semgrep / trufflehog / gitleaks, a --strict severity gate, and a check-tools discovery subcommand. Zero overlap with v0.2.0's ergonomic surface.
What's new
SARIF output (--format sarif)
- Emits SARIF 2.1.0 consumable by
github/codeql-action/upload-sarif@v2 - Auto-builds rules registry from unique rule_ids
invocations[]carries commandLine + exitCode for reproducibility
External scanner orchestration
Plugin Scanner protocol with 4 wrappers (each auto-skips if the tool isn't installed):
shellcheck— bash / sh static analysissemgrep— multi-language code security (community rules via--config=auto)trufflehog— verified-secret detectiongitleaks— fallback secret scanner
Findings normalize into the tar-engine schema with scanner field for provenance attribution.
CLI extensions
--format pretty|json|sarif(--jsonkept as alias)--output FILEfor JSON / SARIF output files--strict— exit 1 on any warning+ severity finding (complements--min-score)--no-external-scanners— opt out of optional tool integrationcheck-toolssubcommand — shows availability + version + install hint for all 4 external scanners
Pretty output
- Per-skill "Scanners:" status line
- Summary surfaces skipped scanners as install suggestions pointing at
check-tools
CI integration example
- name: Audit AI skills
run: |
pipx install tar-engine-mcp
tar-engine scan ./skills --min-score 70 --format sarif -o results.sarif
- name: Upload SARIF to GitHub Security
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarifInstall
claude mcp add tar-engine -- uvx --from "git+https://github.com/qingxuantang/tar-engine@v0.3.0" tar-engine-mcp
Backwards compatibility
--jsonstill works as an alias for--format json- Existing v0.2.0 invocations behave identically — external scanners default-on but graceful-skip when absent
- All MCP server entries unchanged