v0.13.0

0.13.0 (2026-05-03)

Features

• extend impostor-commit and mismatched-sha-tag to verify reusable workflow refs (b894009)

Patches

• correct caret position for literal block scalar uses values (f1f5bdb)

v0.12.0

0.12.0 (2026-05-02)

Features

• add unpinned-reusable-workflow rule to detect unpinned reusable workflow refs (2ca2fbb)

v0.11.3

0.11.3 (2026-04-28)

Patches

• deps: update module mvdan.cc/sh/v3 to v3.13.1 (#36) (8c8d076)

v0.11.2

0.11.2 (2026-04-25)

Patches

• detect missing @ref in reusable workflow job uses (ec38970)

v0.11.1

0.11.1 (2026-04-17)

Patches

• handle subdirectory actions in unpinned-transitive-action rule (7bb1049)

v0.11.0

0.11.0 (2026-04-17)

Features

• add unpinned-transitive-action rule to detect unpinned transitive dependencies (cdd6a16)

v0.10.1

0.10.1 (2026-04-17)

Patches

• deps: update module golang.org/x/term to v0.42.0 (#17) (3c064c6)

v0.10.0

0.10.0 (2026-03-30)

Features

• add SARIF 2.1.0 output format and refactor format flag into defined type (ad206eb)

v0.9.0

0.9.0 (2026-03-30)

Features

• add archived-action rule to detect usage of archived GitHub repositories (3441f0c)

v0.8.0

0.8.0 (2026-03-29)

Features

• add broad-secret-env rule to detect secrets in workflow/job-level env (56dcca0)
• add missing-app-token-permissions rule to require explicit permission-* inputs (d558cd8)
• prioritize GHASEC_GITHUB_TOKEN over GITHUB_TOKEN for API authentication (18c0886)