v1.3.0 β CLI tools, CI/CD suite, 11 languages, security hardening
What's new in v1.3.0
New CLI Features
--explain [category]β Offline knowledge base: 38 categories with why-it-matters, how-to-fix, and code examples--file <path>β Per-file drill-down: scan one file and show only its findings (great for pre-commit)--breakdownβ Score breakdown by category: see exactly which categories are costing the most points--perfβ Scanner timing: bar chart showing how long each scanner group took--output-dir <path>β Save all 5 report formats (JSON/HTML/SARIF/JUnit/Markdown) in one command--since-commit <sha>β Diff mode: only show findings for files changed since a git ref--exit-codesβ Meaningful exit codes: 2=threshold, 3=regression, 4=trend, 5=security, 6=license--notify <url>β Slack/Teams/Discord webhook notifications with platform-native formatting--update-readmeβ Auto-update health badge in README.md after every scan--fail-on-trendβ Smarter CI gating: only fail when score drops 3+ consecutive runs (with sparkline)--bundleβ Bundle size regression detection vs last recorded baseline--monorepoβ Scan each workspace package separately with per-package scores and rollup--initβ Interactive wizard to generate.roastrc.json--serveβ Live web dashboard with SSE auto-refresh on file changes
New Scanners
- License compliance β Flag GPL/AGPL/LGPL deps in commercial projects
- Database queries β Prisma/TypeORM/Sequelize/Mongoose anti-patterns (N+1, raw SQL, force:true)
- Config auditor β tsconfig.json strictness, ESLint coverage, Prettier configuration
- Test quality β Empty blocks,
.only, always-true assertions, skipped tests, hardcoded delays - Bundle size β Track dist/ output size over time, alert on regressions
- Custom Rule DSL β Define lint rules in
.roastrc.jsonwithout writing TypeScript
4 New Languages (11 total)
Ruby, PHP, Swift, Kotlin β each with 3 scanners
GitHub Actions
- Step Summary β Auto-writes markdown report to the Actions run page (zero config)
- SARIF output β Findings appear as native Code Scanning alerts
Performance
- 3-5x faster β All core scanners run with
Promise.all - Finding deduplication β Near-identical findings merged automatically
Roast Improvements
- 100+ new roast entries, expanded to 8-12 per category
- Combo roast when 4+ critical categories fire simultaneously
- Contextual opening line based on score + finding count
- Severity-aware large-file roasts
generateContextualVerdictβ smarter verdicts for security/critical/test issues
Security Fixes
--filepath traversal protection- Custom rules ReDoS protection
--perf/--breakdownno longer corrupt JSON/SARIF stdout--thresholdnow works without--json- ESLint
extendsstring detection fixed - SPDX OR license expressions correctly parsed
Full changelog
See commit history