VaultGuard

Appearance

Changelog

All notable changes to the VaultGuard CLI.

v0.6.0

  • Core v0.6.0 integration: inline suppression (// vaultguard-ignore), baselines, and a filtering pipeline for severity and confidence thresholds.
  • New command: vaultguard baseline generate for creating differential scan baselines with SHA256 fingerprints.
  • New scan flags: --typosquat, --show-suppressed, --baseline, --min-severity, --min-confidence, --disable-provider.
  • 5 new secret providers: GitLab (personal access tokens, pipeline tokens, CI build tokens, deploy tokens), Atlassian API tokens, HashiCorp Vault tokens (service, batch, recovery), JWT (eyJ prefix), and PEM private keys.
  • Typosquatting detection for npm, PyPI, and crates.io dependencies using Levenshtein distance against top-100 packages.
  • Scan summary now includes suppressed and filtered finding counts.
  • Provider-specific remediation for all 22 supported providers in the fix command.

v0.5.0

  • Condensed scan output: top 5 findings by severity shown one per line, replacing the full verbose dump as the default.
  • Auto-save scan results to .vaultguard/results/latest.json for use with the fix command.
  • New command: vaultguard fix with static remediation report grouped by finding type and sorted by severity. Provider-aware for secrets, ecosystem-aware for CVEs.
  • vaultguard init now adds .vaultguard/ to .gitignore automatically.
  • Integrity verification support (--integrity flag).

v0.4.2

  • Improved scan UX with a pre-summary pause instead of a spinner delay.

v0.4.1

  • Bug fixes and UX improvements.

v0.4.0

  • Code quality checks via the --quality flag (disabled by default).
  • Multiple output format support: --json and --sarif flags, plus --format for explicit selection.

v0.3.0

  • Self-update command (vaultguard update) with SHA256 checksum and minisign signature verification.
  • Binary distribution via Cloudflare R2 at releases.vaultguard.sh.
  • Cross-platform install scripts: curl | sh for Linux/macOS, irm | iex for Windows.

v0.2.0

  • Ignore rules via .vaultguard.ignore with vaultguard ignore init, add, and list subcommands.
  • Configuration management: vaultguard config validate and vaultguard config show.
  • .vaultguard.toml project configuration with merged user/project/default priority chain.

v0.1.0

  • Initial release.
  • Secret detection with entropy analysis and pattern matching for AWS, GitHub, OpenAI, Stripe, Supabase, Firebase, database URLs, Discord, Slack, and generic high-entropy strings.
  • CVE scanning against OSV and NVD databases via dependency manifests.
  • Misconfiguration detection for common config files.
  • Human-readable terminal output with colored severity indicators.

VaultGuard -- Security scanning for AI-generated code

Copyright 2025-2026 VaultGuard