v0.2.1

v0.2.1 — 2026-05-19

Documentation

• Add package documentation for pkg.go.dev directories view (#14)

CI/CD

• Add release workflow (manual dispatch) (#12)

v0.2.0

License

• Relicense from Apache 2.0 to GNU General Public License v3.0

CI/CD

• Fix auto-label/CI race condition: remove opened from CI pull_request triggers
• Fix test-action required check for path-filtered PRs: add changes gate job and test-action-result rollup job
• Update main-ci-and-integrity ruleset to require test-action-result

Agent Skills

• Add go-release skill for managing the Go module release lifecycle

---

Full changelog: CHANGELOG.md

skeptic v0.1.0 — Initial public release

Initial public release of skeptic — a stdlib-only Go security scanner that detects supply chain compromise, CI/CD weaponization, agentic ecosystem poisoning, and machine identity abuse that CVE scanners, SAST tools, and secret scanners miss.

Detection

• 229 built-in rules across 5 threat domains
• 16 behavior chains with ordered/unordered multi-step detection
• 12 payload decoders with entropy-based recursion
• Identity graph analysis (AWS, Azure, GCP, Kubernetes RBAC)
• Cross-finding correlation and git-temporal drift detection
• Shannon entropy anomaly detection and XOR brute-force decoding
• NFKC normalization to defeat fullwidth/homoglyph evasion

Rule families

CI/CD · Agentic · Supply chain · Machine identity · Attack tactics

Runtimes

• CLI scanner (skeptic scan) with 18 subcommands
• Stdio MCP JSON-RPC server for agentic tooling integration
• Local HTTP daemon with scheduled scans
• GitHub Actions composite action with SARIF upload

Build

stdlib-only Go 1.24 · single static binary · zero runtime dependencies · Apache 2.0

Install

go install github.com/TGPSKI/skeptic/cmd/skeptic@v0.1.0