Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

1.1.0 (2026-05-17)

Bug Fixes

  • cache: distinguish "not cached" from "empty mount" in cache info (#168-M) (d13e592), closes #168-M
  • clamav: drop clamav from CACHE_MOUNTS, refine cache-info note (#168-N, #168-M) (180c72c), closes #168-N #168-M
  • clamav: redirect freshclam db to /tmp so it can write (#168-N) (05366bc), closes #168-N #168-M
  • classify: exit non-zero when git diff itself fails (#168-J) (811daa2), closes #168-J
  • cli: correct surface inconsistencies and silence --quiet (issue #168-D) (d7408b6), closes #168-D
  • collect: skip per-run timestamp dirs and the latest symlink (#168-L) (e2aa06b), closes #168-L
  • docsite: TUI screenshots, nav titles + grouping, orphan pages, regen on bump (#167) (ce1d580)
  • engine: cache permanent pull failures so inline retry skips (#168-H followup) (67e1025), closes #168-H
  • engine: categorize container-pull failures, skip retry on permanent errors (2d199ce)
  • lint-terraform: per-phase PhaseResult, fail loudly when a phase can't run (#169) (c2ae9b3)
  • mcp: advertise argus version on initialize (#168-O) (40e6ddd), closes #168-O
  • release: derive schema version from version, widen bumper rules for docs (2719900), closes #168-A #167-3 #168 #167
  • reporters: de-dup GitLab CC descriptions, JUnit type uses rule id (#168-G) (b76cbd9), closes #168-G
  • reporters: fall back to built-in modules without entry-points (#172) (5c9cc6b)
  • report: follow argus-results/latest symlink when -r not specified (#168-K) (d6486de), closes #168-K
  • reporting: emit Info row in markdown + --output-vars, sync validator with registry (51757d8), closes #168-E #168-F
  • scanners: container surfaces partial-failure when no source configured (#170) (9605356), closes #169
  • scanners: precondition errors don't trigger fallback dance (#168-I) (d834c9a), closes #168-I
  • security: flip keep_raw default off, exclude argus-results from scans (92edff5), closes #168
  • view: add --path flag as argparse-safe escape hatch (#168-D5) (512f954), closes #168-D5

Dependencies

  • deps: bump the npm-major group across 1 directory with 4 updates (bb14329)
  • deps: bump the pip-all group with 2 updates (312233b)

Tests

  • cover partial-failure paths in models, reporters, and lint-terraform (f902e83), closes #173

Continuous Integration

  • gate push-main workflows against chore(release): commits (84bcbd4)

1.0.1 (2026-05-16)

Bug Fixes

  • release: tighten containers.py regex-bumper, repair 1.0.0 corruption (dae65f0)

1.0.0 (2026-05-16)

⚠ BREAKING CHANGES

  • release: cosign verification command for Argus-owned images must use --certificate-identity-regexp matching .github/workflows/release.yml@ rather than publish-release.yml@ for 1.0.0+ images. The argus SDK's built-in verifier is updated in lock-step. External scripts running cosign verify directly must update their regex. 0.7.x images remain verifiable with the old regex.
  • ci: Remove 22 workflows replaced by argus Python SDK.

Removed 15 scanner-*.yml thin wrappers, 6 compound orchestrators (reusable-security-hardening, container-scan, dependency-scan, infrastructure-scan, linting, container-scan-from-config), and security-reusable-demo.

Refactored test-reusable-workflows.yml into argus SDK integration test.

Removed 5 example workflows that referenced deleted workflows. Updated all documentation (README, QUICK-START, AGENTS, docs/, .ai/ files) to position the SDK as primary interface with composite actions as secondary for GitHub Actions users.

Updated docsite.yml, zizmor.yml, bug report template, and agent skills to reflect the new architecture.
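The regex change above is easy to get wrong in an external verification script, because a stale regexp makes cosign reject every 1.0.0+ image while still accepting 0.7.x ones. The following is an added example, not code from the Argus project: a dry-run helper that checks which signing identity a given --certificate-identity-regexp value accepts and prints the cosign verify command it would run. ORG, REPO and IMAGE are placeholders, the sample identities are constructed, and the GitHub Actions OIDC issuer URL is an assumption not stated in this changelog.

```shell
#!/bin/sh
# Added example, not code from the Argus project: a dry-run check of which
# Fulcio certificate identity a cosign --certificate-identity-regexp value
# accepts, so a script can be migrated from the 0.7.x regexp to the 1.0.0+ one
# before running cosign verify for real. ORG, REPO and IMAGE are placeholders.

# 0.7.x images were signed by publish-release.yml; 1.0.0+ images by release.yml.
OLD_REGEXP='^https://github\.com/ORG/REPO/\.github/workflows/publish-release\.yml@'
NEW_REGEXP='^https://github\.com/ORG/REPO/\.github/workflows/release\.yml@'

# GitHub Actions keyless signing uses this OIDC issuer (assumed; not stated on this page).
GHA_ISSUER='https://token.actions.githubusercontent.com'

# identity_matches REGEXP IDENTITY
# Exit 0 when IDENTITY satisfies REGEXP, mirroring the regexp test cosign applies
# to the certificate's SAN. grep -E stands in for Go's regexp engine here.
identity_matches() {
  printf '%s\n' "$2" | grep -Eq "$1"
}

# cosign_verify_cmd IMAGE REGEXP
# Print the verify command that would be run; nothing is executed, so this is
# usable as a migration check on a host without cosign installed.
cosign_verify_cmd() {
  printf 'cosign verify --certificate-identity-regexp %s --certificate-oidc-issuer %s %s\n' \
    "$2" "$GHA_ISSUER" "$1"
}

# regexp_for_tag TAG
# Pick the regexp for the workflow that signed a given image tag:
# 0.x tags use publish-release.yml, 1.0.0 and later use release.yml.
regexp_for_tag() {
  case "$1" in
    0.*) printf '%s\n' "$OLD_REGEXP" ;;
    *)   printf '%s\n' "$NEW_REGEXP" ;;
  esac
}

# Constructed identities shaped like the SAN of a GitHub Actions keyless signature.
ID_V1='https://github.com/ORG/REPO/.github/workflows/release.yml@refs/tags/v1.0.0'
ID_V07='https://github.com/ORG/REPO/.github/workflows/publish-release.yml@refs/tags/v0.7.2'

main() {
  for id in "$ID_V1" "$ID_V07"; do
    if identity_matches "$NEW_REGEXP" "$id"; then echo "1.0.0+ regexp accepts: $id"; fi
    if identity_matches "$OLD_REGEXP" "$id"; then echo "0.7.x regexp accepts: $id"; fi
  done
  # The command an external script should run for a 1.0.0 image (dry run only).
  cosign_verify_cmd ghcr.io/ORG/IMAGE:1.0.0 "$(regexp_for_tag 1.0.0)"
}

main
```

The point of regexp_for_tag is that a script verifying a mix of 0.7.x and 1.0.0+ images cannot switch blindly to the new regexp; it has to choose per tag, or it will silently stop verifying one generation of images.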

Features

  • audit: defensive redaction pass on log + manifest writes (#148) (6dc1ba3), closes #5
  • browse: interactive findings TUI + shared findings_view module (#96) (1672957)
  • ci: add dogfood security scan workflow using argus SDK (48221d0)
  • ci: add PR comment with aggregated container scan results (f2c2bdc)
  • ci: add Python version matrix and version ref check to CI (7d3eacd)
  • ci: enable multi-arch container builds (amd64 + arm64) (314b2cf)
  • ci: restore all reusable workflows powered by argus CLI (46bb2f9)
  • ci: rich container scan PR comment with severity breakdown (be3ff25)
  • ci: unique dev versions for TestPyPI publishing (293b6d7), closes #88
  • ci: validate audit trail artifacts in PR pipeline (df09432)
  • ci: validate built wheel with PR containers in build-containers (0c6c246)
  • cli: --registry-password-stdin and --zap-auth-password-stdin (#145) (8e51955), closes #2
  • cli: add --output-vars for machine-readable CI output (68fb7d6)
  • cli: add scan spinner and verbose logger handling (7c14f42)
  • cli: add shell completion scripts and bin/argus entry point (e183eae)
  • cli: add shell tab completion via argcomplete (8e3a8d7)
  • cli: background update check with pip-style notice (#124) (3ccf528)
  • cli: dynamic completion via argus completion subcommand (9479d17)
  • cli: surface missing tools after init and scan (#92) (0638f8e)
  • containers: mutually exclusive image vs dockerfile, per-target cleanup, IDE schema hint (#121) (519afe0)
  • deps: add Renovate config for container images and tool versions (dfeeb7c)
  • docker: harden containers, add build/scan CI, container-first engine (483870c)
  • engine: add --exclude flag and auto-respect ignore files (c788fce)
  • engine: add --fail-fast, --timeout, and improved --list (23912c3)
  • engine: add scanner DB cache volume mounts for container runs (7059af6)
  • engine: image pre-warming + lazy pulls (#139) (efcce9f)
  • engine: parallel scanner execution via thread pool (18676bb)
  • engine: per-scanner timing in audit trail and performance TODOs (ead6e1d)
  • engine: support Docker, Podman, and nerdctl container runtimes (c97e81c)
  • engine: tool version enforcement for supply chain integrity (5fea42a)
  • MCP tests, SCN schema port, skill refactor, and roadmap cleanup (0350c3f)
  • mcp: add MCP server for AI assistant integration (8412ec8)
  • mcp: add unified security_review tool and cache freshness signals (#102) (888a66e)
  • mcp: mature MCP server with 8 tools, 3 resources, 3 prompts (d927c82)
  • models: add from_dict() and integration tests for argus report (21f3dd1)
  • multi-arch Dockerfiles, auto-detect config, and ARM64 support (da1e224)
  • preflight: add CI preflight checks with living issue reporting (fde3b97)
  • pypi: hardened pyproject.toml, publish workflow, and safety check (9359b0f)
  • redact: pattern-based second-pass safety net at Finding construction (#138) (febe4d5)
  • reporters: add github, gitlab, and junit reporters (#130) (4826be4), closes #205
  • reporters: Info column in summary + hook exit propagation (#158) (1727b87)
  • reporters: plugin registration via Python entry-points (#140) (5432155)
  • scan-container: support config-driven and manifest-file targets (#112) (f4e39fd)
  • scan: accept a directory of SBOMs on --sbom (6f57629)
  • scan: emit canonical argus-results.json + persist raw scanner output (source + container) (#116) (8d184d6), closes #111
  • scanner-container: exposed-port surface as new sub-scanner (#149) (7837c6e)
  • scan: support pre-built SBOM input via --sbom (#94) (6e02525)
  • scn: port tests to argus/tests/scn/ and thin action wrapper (572c895)
  • sdk: add 6 linter modules — yaml, json, python, javascript, dockerfile, terraform (7568ae4)
  • sdk: add argus collect command for multi-job log aggregation (43cdbd4)
  • sdk: add argus container subcommand for container image scanning (635ad1d)
  • sdk: add argus core SDK with models, config, and engine (3396a06)
  • sdk: add argus init, JSON schema, and sync skill file (97ab23c)
  • sdk: add ASCII art banner to argus init (1d7dfe0)
  • sdk: add audit module for structured logging and evidence trail (3b76e93)
  • sdk: add comprehensive logging throughout the engine (2245536)
  • sdk: add config schema validation with argus validate command (0102f3f)
  • sdk: add DAST lifecycle with auto port discovery from images (3ee0123)
  • sdk: add Docker execution backend with container image registry (c10ec32)
  • sdk: add Dockerfiles and Dependabot config for container images (fa48d7d)
  • sdk: add reporters for terminal, markdown, SARIF, and JSON output (0ac3b7d)
  • sdk: add resource management to container engine (eb11281)
  • sdk: add scanner-specific help for argus scan --help (23630e9)
  • sdk: fix CLI help UX and add auto-generated CLI docs (ba4527e)
  • sdk: improve validate with scanner breakdown, --check-tools, and --strict (b2ac8f7)
  • sdk: interactive architecture map — one transformer, three consumers (#163) (95c5f73), closes #39
  • sdk: log container image SHA256 digests for supply chain forensics (36ac8b9)
  • sdk: port all 10 scanner modules to argus SDK (dbb4dd0)
  • sdk: port SCN detector to argus classify subcommand (1370ca5)
  • sdk: refactor init banner to external file, add scroll effect and easter egg (b9e4ac5)
  • sdk: remote registry scanning without pulling images (702de1b)
  • sdk: thin wrapper PoC, CLI docs gate, and scripts restructure (b13ce49)
  • sdk: timestamped run directories preserve scan history (7bdaa9e)
  • sdk: truecolor ASCII art banner for argus init (738696c)
  • secrets: credential resolver + zap config-passthrough wiring (#142) (b2266bf)
  • serve: SDK-hosted localhost web UI — argus serve (#97) (b030717)
  • supply-chain: cosign-verify argus images + security policy doc (#146) (864c162)
  • view-browser: add /log scan-log viewer with level + search filters (#107) (c68a1c9)
  • view-terminal: mouse-first interactivity — clickable everything (#162) (d3fdc2a), closes #159 #161
  • view-terminal: multi-select for batch export and clipboard (#131) (87a46c1), closes #293
  • view-terminal: scan-over-scan diff overlay (D keybind) (#132) (db07a1e)
  • view: config-aware remediation + always-emit canonical argus-results.json (#111) (2a33913)

Bug Fixes

  • actions: container format flag, checkov tuple parse, zap flag name (c2142a2)
  • actions: rename misleading 'Install Argus SDK' step to 'Install dependencies' (54a6430)
  • actions: use repeated --format flag (argparse append mode) (f2ff3e3)
  • CI failures — lazy requests import, example paths, Docker E2E test (f5829ae)
  • ci: add mcp dependency to requirements.txt and guard test imports (a1dba86)
  • ci: add packages:read to test-actions and build-containers (ce6f339)
  • ci: add SDK schema path to release-it version bumper (93e6de3)
  • ci: build custom images before scanning, remove || true masks (9a2152f)
  • ci: correct pypa/gh-action-pypi-publish SHA to v1.9.0 (e131abb)
  • ci: fix container scan PR comment showing identical collapsed titles (1c170da)
  • ci: install all enabled scanner tools in dogfood workflow (9e874d0)
  • ci: install argus in the docs workflow so the architecture page renders (af9b57a), closes #163
  • ci: move PyPI publish to release.yml protected environment (6d5931c)
  • ci: remove continue-on-error from test-actions scanner jobs (dc42607)
  • ci: separate security findings from test fixture noise in PR comment (a81d32c)
  • ci: update CLI test job for timestamped run directories (16bd55d)
  • ci: update pypa/gh-action-pypi-publish to v1.14.0 (228cc2a)
  • ci: use commit SHA for pypa/gh-action-pypi-publish (not tag SHA) (37d1804)
  • ci: use run_number for unique TestPyPI dev versions (8563aa7)
  • cli: add explicit compdef for zsh completion when sourced directly (e2e83a4)
  • cli: context-aware zsh completion per scanner type (1ccdfd9)
  • cli: fix argus classify method name and markdown report generation (ec50f0f)
  • cli: rewrite zsh completion with proper state machine pattern (d06adb0)
  • cli: suppress zsh completion warning on eval (ce64d5f)
  • container-scanner: handle empty/malformed grype output without traceback (#114) (8be445d)
  • container: apply Docker fallback to actual CLI code path (cc0e892)
  • container: handle Grype source-scheme prefix collisions in image refs (#115) (d7c94dc)
  • container: mount docker.sock for local images, surface scan failures (4099890)
  • container: parse_container_config accepts unwrapped inner-mapping shape (#113) (267e4be)
  • container: pre-warm scanner DBs and update image pins (33307eb)
  • container: surface dockerfile in artifacts and write argus-audit.json (#123) (18f5d03)
  • container: wire exposure + services into the scan-container CLI path (b1961ce)
  • dast: support URL-based targets in DastEngine (31e5cf0)
  • deps: add 7-day stabilization delay and cover all Dockerfile tool versions (3a822f9)
  • dev: improve local/devcontainer setup (a8ea1fd)
  • docker: patch Alpine OS-level vulnerabilities in all images (0ead1b3)
  • docker: update tool versions and drop checkov from CLI image (d9a01ca)
  • docs: remove hardcoded workflow nav from docsite builder (80fd2e6)
  • dogfood scan now actually scans what we ship (#106) (a3ad04a)
  • engine: auto backend falls back to local when container pull fails (fbe3c94)
  • engine: defer to scanner.scan when build_args is missing (#120) (ff69b42)
  • engine: make container /output dir writable for non-root scanner users (#110) (79def1a)
  • engine: pass credentials by name, not value, on docker run (#144) (37e433d), closes #1
  • engine: surface scanner exceptions as failure rows in canonical results (#119) (927e572)
  • engine: treat severity_threshold 'none' as no threshold (486a784)
  • examples: drop unsupported inputs from scanner-zap / -container / -gitleaks usages (#134) (7cfb89b)
  • examples: remove duplicate workflow, fix stale refs and README (1bd9bca)
  • mcp: print startup banner to stderr so the server isn't silent (#99) (9613810)
  • publish: update dev versioning to ensure monotonic order for TestPyPI releases (8c759a3)
  • pypi: correct documentation URL to GitHub Pages docsite (a21f2d5)
  • pypi: sync pyproject.toml with website and correct license (ad5bd83)
  • release: add package.json to release-it version bumper (6b41048)
  • release: drop redundant package.json regex-bumper rule (afecbbd)
  • release: install [all] extras so dry-run pytest can collect (4576d21)
  • sbom: osv-scanner v2 compatibility and scanner robustness (#95) (31c514d)
  • sbom: surface scanner failures, SPDX-2.1 and purl-coverage warnings (2842544)
  • scan: make --sbom directory batches resilient to per-file failures (e48b88a)
  • scanners: auto-discover tool configs; make exclude merge correct (#93) (7e3ad77)
  • scanners: correct execution-failure signaling and OSV container entrypoint (#125) (651c10b)
  • scanners: document and fix 4 known scanner quirks (111327c)
  • scanners: pin OSV-Scanner to v2.3.5 and add image alias mapping (7b8ae7d)
  • scanners: pre-pull Docker images and add container fallback (e9db64e)
  • scn: 6 classifier improvements from live testing (91d22ce)
  • sdk: add universal post-scan exclude filter in engine (0d7a83f)
  • sdk: derive container_args from config, not hardcoded values (86db23c)
  • sdk: exclude active log file from audit manifest hash inventory (089d7bd)
  • sdk: fix --list flag using wrong attribute name in CLI (6a5fd57)
  • sdk: remove hard disk floor, try scans and handle failures (a54b081)
  • sdk: sync version with version.yaml and add to release-it (ee48bb4)
  • sdk: validate scanner name with fuzzy 'did you mean?' suggestions (3084f68)
  • security: redact secret values at the scanner parser (#101) (1324b7d)
  • test-fixtures: bump flask/werkzeug floor past known-CVE versions (#160) (f893517)
  • validate: catch typos in containers config and close self-scan UX gaps (#118) (0bf1a26)
  • view-browser: actually elevate header above main for dropdown overlay (#108) (b6a7861), closes #105
  • view-browser: elevate header so Recent runs dropdown overlays main content (#105) (3144137)

Dependencies

  • deps: bump scanner tool versions to current latest stable (#104) (fdd43e6)

Maintenance

  • .ai: add commands to build local scanner images and update quick reference (3da0a07)
  • actions: delete dead scripts and tests from container and zap (bd3fc12)
  • actions: delete dead scripts and tests from refactored scanners (9596469)
  • engine: improve pull progress messaging and close roadmap items (705ca60)
  • release: Phase 4 release-blocker cleanup (#153) (c58fcd3)
  • supply-chain: pin Dockerfile FROMs, migrate to pnpm, raise Python dep floors (#161) (3ff9155), closes #151
  • supply-chain: pin every OFFICIAL_IMAGE to a @sha256: digest (#151) (a97643e)

Documentation

  • add argus.yml configuration reference (ac9af33)
  • add linter registration to CLAUDE.md, CONTRIBUTING.md, and AICaC (cc60fd6)
  • add portability research and ADR-013 for cross-platform architecture (1774613)
  • add PyPI README, MCP docs, and AI context updates (39e40d5)
  • adr-021: formalize SDK-vs-composite-action boundary; close roadmap #206 (#137) (317cbfe)
  • adr-024: decide scanner-zap config-passthrough; minimal action surface (#141) (2a29eac)
  • adr-025: split OS-image scope — services sub-scanner in, VM-image out (#157) (8002741)
  • ai: refresh .ai/ context for SDK-first reality (fa22779), closes #111
  • audit pass on README, scanners.md, and .ai/architecture.yaml (#155) (7cbd5ea)
  • cli: clarify 'argus completion' help with reload step and Tab examples (29e77b4)
  • close scanner-container scan_mode + gitleaks notify_users decisions (#156) (12151c4)
  • developer: add TestPyPI validation guide with Claude prompt (b3a7f65)
  • developer: document container image build and release lifecycle (a4a293e)
  • docsite: SDK-first nav + CI peer integrations + completion setup (#150) (8b8269d)
  • docsite: version-aware GITHUB_BLOB ref instead of hardcoded main (#152) (922c1c8), closes #150
  • examples: add SDK-based CI examples for 4 platforms (7cd131f)
  • mcp: per-client config + uvx zero-install + registry tracker (#100) (66f849a)
  • migration guide, CI integration pattern, and cleanup verification (27f3cc6)
  • pypi: add cover image to PyPI README via raw.githubusercontent.com (bf0986b)
  • roadmap: add build & dependency hygiene follow-ups (1c42c88)
  • roadmap: capture secret-handling audit + hardening PR queue (#143) (cd0b13f), closes #142
  • roadmap: close shipped scanner-zap config-passthrough items (52a18ce), closes #142
  • roadmap: consolidate completed work, highlight 11 remaining items (697e5db)
  • roadmap: mark 6 completed items, remove duplicate entry (2f0ed9e)
  • roadmap: mark shipped items as complete (e4aa95d)
  • roadmap: track container port exposure + OS-image research item (#147) (41305e9)
  • roadmap: track DAST + container scanner regressions vs 0.6.8 (#135) (12fc7cc)
  • roadmap: trim the SDK migration log for merge to main (0463977)
  • sdk: add MCP server phase, CI config health to roadmap, ADR-015 (d837b29)
  • sdk: add performance research items to roadmap (7b9a355)
  • sdk: add Phase 3 Docker execution backend design and ADR-014 (6ec7779)
  • sdk: add post-PyPI cleanup items to roadmap (5503570)
  • sdk: add SCN classifier improvement items to roadmap (83d84c6)
  • sdk: add SDK roadmap tracking remaining Phase 3-4 work (a95e979)
  • sdk: add testing strategy with ref lifecycle and argus-test plan (0e9cb3a), closes #29
  • sdk: add TestPyPI flag removal to post-release checklist (1e6b7a1)
  • sdk: mark --exclude and report tests as complete on roadmap (0395466)
  • sdk: mark 10 more items complete on roadmap (d9269d6)
  • sdk: mark SCN detector port as complete on roadmap (84f6843)
  • sdk: mark SDK docs as complete — covered by existing auto-generated references (916022d)
  • sdk: reframe Phase 5 as agentic substrate (CLI + MCP + skill) (0c3a69f)
  • sdk: scope SCN detector port as argus classify subcommand (e5b679e)
  • sdk: sync roadmap with all completed and remaining work (8e8598a)
  • sdk: update roadmap — 8 of 10 scanner wrappers complete (1be8d98)
  • sdk: update roadmap — PyPI publishing and container publishing complete (eb0aa61)
  • sdk: update roadmap with linter module and wrapper completion (4a5f055)
  • sdk: update roadmap with Phase 3 progress and completed items (1ac7e41)
  • sdk: update roadmap with thin wrapper rollout progress (5897543)
  • troubleshooting: add docker troubleshooting guide (#129) (9373f35), closes #125 #623
  • update CLAUDE.md and CONTRIBUTING.md for SDK-first architecture (5a64bbe)
  • update install instructions for pip install argus-security (04e01b7)
  • view-terminal: SVG screenshot pass + self-contained capture pipeline (#159) (a64d841)
  • zap: deprecation note in action.yml + 0.6.x → 1.x migration guide (#154) (c365d16), closes #136

Code Refactoring

  • actions: remove manual tool installs — SDK auto-sources via Docker (f9f8435)
  • actions: thin wrapper for all 6 linter actions (c47b89a)
  • actions: thin wrapper for container and zap — all 10 scanners complete (e6f2e95)
  • actions: thin wrapper rollout for gitleaks, osv, checkov (4bd6536)
  • actions: thin wrapper rollout for opengrep, clamav, trivy-iac, supply-chain (6e539ed)
  • ci: consolidate container build/scan/test into one workflow (0417453)
  • ci: remove deprecated scanner wrapper and orchestrator workflows (1a0cb24)
  • ci: remove manual tool installs from workflows (372a340)
  • ci: split release and publish into tag-triggered workflow (afcc37c)
  • ci: use argus reporter and comment-pr action for container scans (a840c69)
  • cli: unify browse/serve into a single argus view command (#103) (b969cd2)
  • deps: convert renovate.json to renovate.yaml (2207201)
  • init: drop --platform, enhance detection, add linter support (bb27c1f)
  • linters: FileDiscoveryScanner template + shared docker-fallback helper (#133) (b83585d)
  • linting-summary: apply silent-failure audit (status table + gating) (#128) (eb3c751), closes #91
  • scanners: unify tool_version + scan + build_args into a single SDK pattern (#117) (4f03e7b)
  • sdk: auto-discover config and simplify all action wrappers (d597dd6)
  • sdk: collapse container into argus scan container (ca296a3)
  • wrappers: close silent-failure paths in reusable-security-hardening (#91) (35e993c)
  • wrappers: install-from-source pattern, bin/argus removal, ADR-019 + CI guard (#126) (2c5c8b4), closes #201 #125

Tests

  • add E2E tests, module routing tests, and image manifest CI check (51a44a8)
  • add pytest tests for version refs, action schemas, and security summary (456b7fb)
  • close testing gaps — Docker E2E, container dedup, --version (3639040)
  • engine: add 33 tests for exclusion system (21bb376)
  • engine: add tests for fail-fast, timeout, and severity 'none' fix (3a39dfc)
  • fix E2E tests and exclude @slow from default pytest run (b9167da)
  • sdk: add 134 tests for container, DAST, CLI, and scanner coverage (9c1224a)
  • sdk: add comprehensive test suite and update project config (cd8d18f)
  • sdk: add integration tests for CLI, engine Docker paths, and supply chain config (1454a09)
  • sdk: add tests for Docker execution backend and container registry (55d1f07)

Continuous Integration

  • audit example with-keys against current action.yml input contracts (#136) (106bfbd), closes #134
  • ghcr: nightly cleanup of non-semver tags (4614ad4)
  • release: build-once-promote-everywhere release pipeline (6f2e111)
  • shared argus_smoke.sh helper retries the GHA Python 3.13 SIGSEGV flake everywhere (#127) (849b6df), closes #125 #126
  • trigger pipeline to verify GHCR public container pulls (d90e617)

0.7.2 (2026-04-17)

Bug Fixes

  • container-scan: update argus checkout ref to 0.7.1 and add (67f2a9f)

0.7.1 (2026-04-17)

Bug Fixes

  • add python-slugify (72f203e)
  • add python-slugify dep and CLI tests for coverage (74583cb)
  • ci: restore git push credentials for docs deployment (2ff8593)
  • container-scan: sanitize container names with python-slugify (98b44c9)

[Unreleased]

Bug Fixes

  • container-scan: sanitize container names with python-slugify to handle problematic directory names (.devcontainer, special chars, unicode)

0.7.0 (2026-04-10)

Features

  • scanner-supply-chain: add GitHub Actions workflow security scanner (253f128)
  • scanner-supply-chain: integrate supply chain scanner into reusable workflow (acd6996)
  • skills: add GHES and local act guidance (f69ab65)
  • skills: add local Argus scanner selection skill (a74d7a8)

Bug Fixes

  • ci: restore git push credentials for release workflow (8ceb5d6)
  • security: remediate HIGH supply chain findings from zizmor scan (#85) (8faab89)
  • security: remediate MEDIUM/LOW supply chain findings (5efdd5d)

Security Tools

  • deps: bump bridgecrewio/checkov-action (#81) (4af34c9)

Dependencies

  • deps: bump docker/login-action in /.github/actions/scanner-zap (#79) (b5db6ee)

Maintenance

  • scanner-supply-chain: escape actionlint format template for GitHub Actions (f6fb3a8)

Documentation

  • ai: add release git push credential error pattern (d7ad5e7)

0.6.8 (2026-04-02)

Documentation

  • readme: update banner and add link to site (#62) (f8e1d5f)

0.6.7 (2026-03-31)

Security Tools

  • deps: bump bridgecrewio/checkov-action (#69) (82abbf0)
  • deps: bump github/codeql-action (#67) (912db1d)
  • deps: bump github/codeql-action (#68) (86fb109)
  • deps: bump github/codeql-action (#70) (5faa480)
  • deps: bump github/codeql-action (#71) (36b607e)
  • deps: bump github/codeql-action (#72) (f0cba4a)
  • deps: bump github/codeql-action (#73) (a955f66)
  • deps: bump github/codeql-action (#76) (58e050a)
  • deps: bump github/codeql-action in /.github/actions/scanner-osv (#75) (573ef18)

Dependencies

  • deps: bump @j-ulrich/release-it-regex-bumper from 5.3.1 to 5.4.0 (#64) (5120640)
  • deps: bump conventional-changelog-conventionalcommits (#65) (3c98b18)
  • deps: bump google/osv-scanner-action (#74) (b3ffb9c)
  • deps: bump the github-actions-major group across 1 directory with 2 updates (#66) (ac15423)

0.6.6 (2026-03-30)

Bug Fixes

  • ai-summary: resolve run ID via head SHA lookup (#61) (b5f4d45)

0.6.5 (2026-03-25)

Bug Fixes

  • ai-summary: resolve gh api --arg flag error in run lookup (d395621)

0.6.4 (2026-03-22)

Continuous Integration

  • pin all external GitHub Actions to commit SHAs (8bb7a67)

0.6.3 (2026-03-21)

Documentation

  • fix incorrect workflow references and broken example links (7e7b40e)

0.6.2 (2026-03-21)

Security Tools

  • deps: bump anchore/sbom-action (#51) (3d7b538)
  • deps: bump anchore/sbom-action in /.github/actions/scanner-syft (#53) (c0b1a12)
  • deps: bump aquasecurity/setup-trivy (#54) (0a5d093)
  • deps: bump aquasecurity/trivy-action (#52) (539da06)
  • deps: bump bridgecrewio/checkov-action (#50) (6cc7c88)

Dependencies

  • deps: bump the github-actions-major group across 27 directories with 9 updates (d868a7d)

Continuous Integration

  • deps: update dependabot configuration to support multiple directories for GitHub Actions (91a89cb)

0.6.1 (2026-03-16)

Bug Fixes

  • docs: run mike from repo root where .git exists (cc4155d)

0.6.0 (2026-03-16)

Features

  • ai-summary: add AI-powered executive security summary action (aa9e3da)

Bug Fixes

  • ai-summary: address PR review comments (88321c4)
  • release: add release-it-ignore inline marker for version ref checker (0c31410)

Dependencies

  • deps: bump @commitlint/cli from 20.4.3 to 20.5.0 (#41) (fac7497)
  • deps: bump @commitlint/config-conventional from 20.4.3 to 20.5.0 (#43) (960218b)
  • deps: bump @release-it/conventional-changelog (#42) (64c744f)
  • deps: bump actions/download-artifact (#44) (a9b99b3)

Maintenance

  • aicac: disable TOON migration suggestions (730744f)

Documentation

  • add auto-generated MkDocs documentation site (74504f0)
  • add versioned docs with mike (9d976ee)
  • refactor docsite into modular package with dynamic config (82dc79a)

Tests

  • docsite: add comprehensive tests for docsite package (715e9f7)
  • docsite: add tests for diagrams and pages modules (02bf410)

0.5.0 (2026-03-13)

Features

  • bandit: add bandit_config_file input for custom configuration (1d17613)
  • dependencies: add OSV and dependency-review scanners (77e6514)

Bug Fixes

  • bandit: add bandit_config_file passthrough to reusable workflows (e0317db)
  • ci: add issues:write permission to AICaC workflow (83d694a)
  • clamav: add path traversal protection to archive extraction (45103de)
  • dependencies: use collapsible details in summaries and add config_file input (27ffade)
  • osv: add config_file to exclude vulnerable test fixtures (e0242a7)
  • release-it: skip release_output.txt in version ref checker (f12076b)

Maintenance

  • release-it: add version reference coverage checker and consolidate config (795c09a)
  • release-it: use stdlib Path.glob for version ref coverage checker (1b32408)
  • reusable-security-hardening: temp use of feature branch for e2e tests (f5964ee)
  • scanner-bandit: temp use feature branch for e2e tests (2b1bf8f)

Styles

  • release-it: fix shellcheck SC2005 in release-preview workflow (b33ab55)

Code Refactoring

  • scanner-osv: use official google/osv-scanner-action Docker image (eee381e)

Tests

  • dependencies: boost patch coverage to 98-99% for new scanners (e7a8448)
  • e2e: add dependency scanner E2E jobs to test-actions.yml (8a48688)

0.4.3 (2026-03-11)

Dependencies

  • deps: bump eFAILution/AICaC from 0.1.1 to 0.3.0 (#36) (b4542bc)
  • deps: bump the github-actions-major group with 3 updates (a00113d)

0.4.2 (2026-03-05)

Bug Fixes

  • ci: add packages:read permission for nested reusable workflow jobs (f4494d7)

Tests

  • ci: add reusable workflow PR testing (c181cb8), closes #15

0.4.1 (2026-03-04)

Bug Fixes

  • scanner-container: detect and report scan failures instead of silent pass (86fde1b), closes #18
  • scanner-container: replace raw error dump with concise status and job log link (7195a5a), closes #18
  • scanner-container: use python json.dumps for marker files and add text-based fallback (15afce0)
  • security-summary: include CodeQL language-suffixed summaries in PR comment (4b36097), closes #15
  • workflows: resolve all shellcheck findings across CI workflows (e61d47a)

Code Refactoring

  • scanner-container: simplify error detection and CVE collection (6a3c18e)

Continuous Integration

  • workflows: add linting for GitHub Actions workflows (6249813)

0.4.0 (2026-02-26)

Features

  • scn-detector: expand FedRAMP Low profile for NIST SP 800-53 Rev 5 and FedRAMP 20X (7e88f98)

Code Refactoring

  • deps: remove Docker package ecosystem configuration from Dependabot (d4023e9)

0.3.0 (2026-02-24)

Features

  • scn-detector: Add FedRAMP Significant Change Notification detector (#4) (d75451f)

Dependencies

  • deps: bump @commitlint/cli from 20.4.1 to 20.4.2 (#12) (6cd8d81)
  • deps: bump @commitlint/config-conventional from 20.4.1 to 20.4.2 (#13) (4c7a435)

Code Refactoring

  • schemas: co-locate JSON schemas with their actions (419ac12)

0.2.2 (2026-02-17)

Bug Fixes

  • container-scan-from-config: actions ref not being updated on new releases (bb13006)

0.2.1 (2026-02-17)

Documentation

  • add permissions reqs in docstrings and example configs (9d49319)
  • readme: update codecov token (9efce2c)

Code Refactoring

  • migrate config-driven workflows to composite actions and rename to argus (a32007d)

Tests

  • test-actions: update container images to use Anchore's Syft in workflows (47084d1)

0.2.0 (2026-02-17)

Dependencies

  • deps: bump eFAILution/AICaC from 0.1.0 to 0.1.1 (#2) (2fb9c05)
  • deps: bump the github-actions-major group with 5 updates (a939b51)

Documentation

  • update AICaC badge to reflect Comprehensive compliance (79af287)