
v0.16.0


@qwexvf qwexvf released this 12 May 09:13
· 121 commits to main since this release
339a75a

What's New

Ecosystem Parser Pipeline

Refactored heuristics to a two-stage pipeline (EcosystemParser → NormalizedPackage → []Check). Adding a new ecosystem now requires only one new parser file — no check files change.

New parsers (9 ecosystems now covered):

  • Go — go.mod replace directives
  • Maven — exec-maven-plugin hooks, <systemPath> local deps
  • Composer — repositories[type=vcs], install scripts
  • NuGet — custom feeds, <HintPath> local refs
  • Gleam — gleam.toml git deps
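The two-stage pipeline in miniature, added here as a worked example and not code from the aegis project: the type names, the go.mod replace parser and the check are assumptions modelled on the EcosystemParser → NormalizedPackage → []Check description above, and the go.mod input is constructed for the example. The check only ever sees normalized packages, which is the property that lets a new ecosystem ship as a parser file and nothing else; the check here is the analogue of a VCS/local-path dependency capability check.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Hypothetical stand-ins for the EcosystemParser -> NormalizedPackage -> []Check stages; not aegis's own types.
type NormalizedPackage struct {
	Ecosystem, Name string
	Source          string // "registry", "redirect" (another module path) or "local" (directory)
	Evidence        string // manifest line that produced this entry
}

type Finding struct{ Check, Package, Evidence string }

type EcosystemParser func(manifest string) ([]NormalizedPackage, error)
type Check func(p NormalizedPackage) *Finding

// parseGoMod extracts replace directives (single-line and block form). In go.mod a replacement
// without a version must be a directory and one with a version is a module path, hence the Source split.
func parseGoMod(manifest string) ([]NormalizedPackage, error) {
	var pkgs []NormalizedPackage
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		if line == "replace (" || (inBlock && line == ")") {
			inBlock = line == "replace ("
			continue
		}
		lhs, rhs, ok := strings.Cut(line, "=>")
		left, right := strings.Fields(lhs), strings.Fields(rhs)
		if !inBlock {
			if len(left) == 0 || left[0] != "replace" {
				continue // outside a block only "replace ..." lines matter
			}
			left = left[1:]
		}
		if !ok || len(left) == 0 || len(right) == 0 {
			continue // not "old [ver] => new [ver]"
		}
		old, target := left[0], right[0]
		p := NormalizedPackage{Ecosystem: "go", Name: old, Evidence: line}
		switch {
		case len(right) == 1: // no version: a directory
			p.Source = "local"
		case target != old: // versioned, but a different module path
			p.Source = "redirect"
		default:
			p.Source = "registry"
		}
		pkgs = append(pkgs, p)
	}
	return pkgs, sc.Err()
}

// checkReplace flags every replace that bypasses the registry (a VCS/local-path style check); it never sees go.mod syntax.
func checkReplace(p NormalizedPackage) *Finding {
	if p.Source == "registry" {
		return nil
	}
	return &Finding{Check: "ReplaceDirective", Package: p.Name, Evidence: p.Evidence}
}

// Scan is the pipeline: one parser, then every check over every normalized package.
func Scan(parse EcosystemParser, manifest string, checks []Check) ([]Finding, error) {
	pkgs, err := parse(manifest)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, p := range pkgs {
		for _, c := range checks {
			if f := c(p); f != nil {
				out = append(out, *f)
			}
		}
	}
	return out, nil
}

// sampleGoMod is a constructed manifest for this example, not from any real project.
const sampleGoMod = `replace github.com/upstream/lib => github.com/someone/lib-fork v0.0.0-20240101000000-abcdef123456
replace (
	golang.org/x/text => ../text // local checkout
	github.com/other/mod v1.0.0 => github.com/other/mod v1.0.1
)`

func main() {
	findings, _ := Scan(parseGoMod, sampleGoMod, []Check{checkReplace})
	for _, f := range findings {
		fmt.Printf("%s %s: %s\n", f.Check, f.Package, f.Evidence)
	}
}
```

On the sample manifest this reports the fork redirect and the local checkout and stays quiet about the same-path version bump. Adding a second ecosystem means writing another function of type EcosystemParser that emits the same "registry"/"redirect"/"local" classification; checkReplace and Scan are untouched.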

GitHub Actions Scanner

  • WorkflowCheck pipeline — same extensible pattern as package heuristics
  • Remote scanning: aegis actions scan --repo owner/repo fetches workflows via the GitHub Contents API
  • Allowlist: .aegis-actions-allowlist.yaml suppresses findings per-file or globally
  • SARIF 2.1.0 output: --sarif flag; compatible with the GitHub Code Scanning upload-sarif action
  • New detections: OIDC + npm publish worm vector (Mini Shai-Hulud), actions/cache poisoning in pull_request_target

New Detections

  • CapVCSDependency — VCS URL dependencies across PyPI, Cargo, RubyGems, Go, Composer, Gleam
  • FindingOIDCNpmPublish: id-token: write together with npm publish (Mini Shai-Hulud 2026-05-11 worm vector)
  • FindingCachePoisoning: actions/cache inside a pull_request_target workflow
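The two workflow detections above in runnable form, added as an example that is not aegis's WorkflowCheck code: the Workflow/Job/Step model, the check functions and their names are assumptions, and the sample workflow is constructed. It is written as JSON, which is a subset of YAML, so the standard library can decode it without a YAML dependency; a YAML decoder would fill the same struct from a real .github/workflows file. The parts a naive grep gets wrong are handled explicitly: `on` can be a string, a list or a map, job-level permissions override workflow-level ones, and `write-all` grants id-token: write without naming it.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Workflow model, an assumption for this example (not aegis's types); JSON is a subset of YAML, so a YAML decoder would fill the same struct.
type Workflow struct {
	On          json.RawMessage // string, list or map of events
	Permissions json.RawMessage // "write-all"/"read-all" or a map
	Jobs        map[string]Job
}
type Job struct {
	Permissions json.RawMessage
	Steps       []Step
}
type Step struct{ Uses, Run string }
type WorkflowFinding struct{ ID, Job, Evidence string }

// hasTrigger reports whether event appears under "on" in any of its three shapes.
func hasTrigger(raw json.RawMessage, event string) bool {
	var v any
	_ = json.Unmarshal(raw, &v) // on failure v stays nil and nothing matches
	switch t := v.(type) {
	case string:
		return t == event
	case []any:
		for _, e := range t {
			if e == event {
				return true
			}
		}
	case map[string]any:
		_, ok := t[event]
		return ok
	}
	return false
}

// idTokenWrite reports whether a permissions block grants id-token: write, explicitly or via write-all.
func idTokenWrite(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "write-all"
	}
	var m map[string]string
	return json.Unmarshal(raw, &m) == nil && m["id-token"] == "write"
}

// checkOIDCNpmPublish: id-token: write plus `npm publish` lets a job publish under the workflow's own OIDC identity.
func checkOIDCNpmPublish(w *Workflow) []WorkflowFinding {
	var out []WorkflowFinding
	for name, job := range w.Jobs {
		perms := job.Permissions
		if perms == nil { // no job-level block: the workflow-level one applies
			perms = w.Permissions
		}
		for _, st := range job.Steps {
			if idTokenWrite(perms) && strings.Contains(st.Run, "npm publish") {
				out = append(out, WorkflowFinding{"OIDCNpmPublish", name, st.Run})
			}
		}
	}
	return out
}

// checkCachePoisoning: a fork's pull_request_target run can save a cache that trusted runs later restore.
func checkCachePoisoning(w *Workflow) []WorkflowFinding {
	var out []WorkflowFinding
	prt := hasTrigger(w.On, "pull_request_target")
	for name, job := range w.Jobs {
		for _, st := range job.Steps {
			if prt && strings.HasPrefix(st.Uses, "actions/cache") { // also cache/restore, cache/save
				out = append(out, WorkflowFinding{"CachePoisoning", name, st.Uses})
			}
		}
	}
	return out
}

// ScanWorkflow decodes one workflow and runs both checks.
func ScanWorkflow(data []byte) ([]WorkflowFinding, error) {
	var w Workflow
	if err := json.Unmarshal(data, &w); err != nil {
		return nil, err
	}
	return append(checkOIDCNpmPublish(&w), checkCachePoisoning(&w)...), nil
}

// sampleWorkflow is constructed for this example (release job with OIDC publish, test job using the cache).
const sampleWorkflow = `{
  "on": {"pull_request_target": {}, "push": {"tags": ["v*"]}}, "permissions": {"contents": "read"},
  "jobs": {
    "release": {"permissions": {"contents": "read", "id-token": "write"},
                "steps": [{"uses": "actions/checkout@v4"}, {"run": "npm publish --provenance"}]},
    "test": {"steps": [{"uses": "actions/cache@v4"}, {"run": "npm test"}]}
  }
}`
```

ScanWorkflow on the sample yields one OIDCNpmPublish finding for the release job and one CachePoisoning finding for the test job. The cache check is deliberately per-workflow rather than per-job: the cache key space is shared across the repository, so a pull_request_target run that can write a key poisons every later job that restores it, not only jobs in the same workflow file.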

Clean Architecture

  • domain.PackageSource moved from usecase to domain; type alias in usecase for backward compatibility

Security Fixes

  • HTTP client timeout (30s) for remote scans — a slow or stalled server can no longer hang a scan indefinitely (slowloris-style)
  • GitHub owner/repo input validation — rejects values that are not valid GitHub owner and repository names, so the argument cannot alter the Contents API request URL
  • ANSI escape stripping from Evidence output — a scanned file can no longer inject terminal control sequences into the scanner's own output
  • context.Context passed as function parameter, not stored in struct
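The first three fixes in working form, as an added example rather than aegis's own code: the name patterns, the function names and the Contents API path are this example's assumptions. The last fix is visible in the signature of ListWorkflows, which takes its context.Context as a parameter instead of reading it from a struct field.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"os"
	"regexp"
	"strings"
	"time"
)

// The name rules are this example's assumption, modelled on GitHub's: an owner is alphanumerics
// and hyphens with no leading hyphen (max 39), a repo adds '.' and '_' (max 100). Anything else,
// '/', '?', '#', whitespace or '..', could redirect the API URL built below to another path.
var (
	ownerPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9-]{0,38}$`)
	repoPattern  = regexp.MustCompile(`^[A-Za-z0-9._-]{1,100}$`)
)

// ParseRepo validates "owner/repo" before it is interpolated into a URL.
func ParseRepo(s string) (owner, repo string, err error) {
	owner, repo, ok := strings.Cut(s, "/")
	switch {
	case !ok, !ownerPattern.MatchString(owner), !repoPattern.MatchString(repo):
		return "", "", fmt.Errorf("invalid owner/repo %q", s)
	case repo == ".", repo == "..":
		return "", "", fmt.Errorf("invalid repo name %q", repo)
	}
	return owner, repo, nil
}

// ansiPattern matches CSI sequences (colours, cursor movement, line clearing), OSC sequences
// (hyperlinks, window titles) and the remaining two-byte ESC escapes.
var ansiPattern = regexp.MustCompile(`\x1b\[[0-9;?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b[@-Z\\-_]`)

// StripANSI removes escape sequences and stray control characters from text that came from a
// scanned file, so evidence echoed to a terminal cannot recolour, overwrite or hide output lines.
func StripANSI(s string) string {
	s = ansiPattern.ReplaceAllString(s, "")
	return strings.Map(func(r rune) rune {
		if r == '\n' || r == '\t' || (r >= 0x20 && r != 0x7f && (r < 0x80 || r > 0x9f)) {
			return r
		}
		return -1 // drop C0 and C1 controls, including \r and any bare ESC
	}, s)
}

// client bounds each request end to end (connect, headers and body), so a server that trickles
// bytes cannot hold a scan open indefinitely.
var client = &http.Client{Timeout: 30 * time.Second}

// ListWorkflows fetches the .github/workflows listing through the Contents API. The context is a
// parameter rather than a struct field: the caller owns the deadline or cancellation for this call.
func ListWorkflows(ctx context.Context, owner, repo string) ([]byte, error) {
	url := fmt.Sprintf("https://api.github.com/repos/%s/%s/contents/.github/workflows", owner, repo)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: unexpected status %s", url, resp.Status)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 4<<20)) // cap the body size as well as the time
}

func main() {
	// Constructed evidence line carrying a colour, a terminal hyperlink and a carriage return.
	fmt.Println(StripANSI("\x1b[32mok\x1b[0m \x1b]8;;http://evil.example/\x07click\x1b]8;;\x07 \rall clear"))
	if len(os.Args) < 2 {
		return
	}
	owner, repo, err := ParseRepo(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		return
	}
	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
	defer cancel()
	body, err := ListWorkflows(ctx, owner, repo)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		return
	}
	fmt.Printf("%d bytes of listing\n", len(body))
}
```

Two details worth keeping in mind when porting this: http.Client.Timeout covers the whole exchange including the body read, which is what a dial or response-header timeout alone would miss, and it still says nothing about size, hence the LimitReader. Stripping belongs at output time, not at parse time, because the raw bytes are the evidence; the scanner should keep them and sanitize only what it prints.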