Changelog

All notable changes to Qryon are documented here.

v0.20.0

February 10, 2026
added
  • qryon scan --ai now triages static analysis findings with the configured AI provider (previously the flag had no effect)
  • Each security-relevant finding is sent to the AI with ~30 lines of surrounding code context for triage
  • AI returns a verdict (true_positive, false_positive, needs_review), confidence score, explanation, and fix suggestion
  • Findings the AI marks false_positive with confidence >= 0.8 are removed from the results automatically; lower-confidence verdicts are kept and annotated
  • New TriageResult struct with triage_finding() and extract_code_context() in the AI engine
  • Three AI providers supported: Claude (Anthropic), OpenAI, and local Ollama
  • Retry with exponential backoff (2s/4s/8s) on rate-limited API responses
  • Caps at 50 findings per scan by default to control cost
  • ai_verdict, ai_explanation, ai_confidence fields on Finding struct (optional, serde-skipped when None)
  • Automatically included in JSON and SARIF output when --ai is used
  • New [ai] section in qryon.toml: enabled, provider, model, max_findings
  • CLI args (--ai-provider, --ai-model) override TOML config
fixed
  • Anthropic API version updated from 2023-06-01 to 2025-01-01
  • JSON extraction from AI responses now validates parsed JSON before returning (prevents mismatched brace errors)
  • All three AI providers (Claude, OpenAI, Local) now respect triage system prompts via request.context
  • Helpful error message with setup instructions when --ai is used without an API key
changed
  • AI analysis approach: finding-based triage (send findings + code context) instead of whole-file scanning
  • Security finding selection broadened to include rule ID pattern matching (security, injection, xss, etc.) and severity-based selection
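
The triage flow described above (cap the number of findings sent, attach surrounding code context, drop high-confidence false positives, back off 2s/4s/8s on rate limiting), as an added example that is not Qryon's own code. The provider sits behind a trait so the example runs offline against a scripted mock; the type names (TriageResult, Finding, ScriptedProvider), the 15-line context radius and the "keep the finding on API error" rule are illustrative assumptions, not the project's API.

```rust
// Added example, not Qryon's own code: a minimal model of the v0.20.0 triage
// pipeline. The provider is behind a trait so this runs offline with a scripted
// mock; type and function names are illustrative, not the project's API.
use std::collections::{HashMap, VecDeque};
use std::time::Duration;

#[derive(Debug, Clone, PartialEq)]
pub enum Verdict { TruePositive, FalsePositive, NeedsReview }

#[derive(Debug, Clone)]
pub struct TriageResult { pub verdict: Verdict, pub confidence: f64, pub explanation: String }

#[derive(Debug, Clone)]
pub struct Finding {
    pub rule_id: String,
    pub file: String,
    pub line: usize, // 1-based
    pub ai_verdict: Option<Verdict>,
    pub ai_confidence: Option<f64>,
}

#[derive(Debug)]
pub enum ProviderError { RateLimited, Other(String) }

pub trait TriageProvider {
    fn triage(&mut self, finding: &Finding, context: &str) -> Result<TriageResult, ProviderError>;
}

/// Backoff schedule for rate-limited responses: 2s, 4s, 8s, then give up.
pub const BACKOFF: [Duration; 3] = [Duration::from_secs(2), Duration::from_secs(4), Duration::from_secs(8)];

/// `radius` lines either side of the flagged line, so the model judges the match in context.
pub fn extract_code_context(source: &str, line: usize, radius: usize) -> String {
    let lines: Vec<&str> = source.lines().collect();
    let end = (line + radius).min(lines.len());
    let start = line.saturating_sub(radius + 1).min(end);
    lines[start..end].join("\n")
}

/// Retry only on rate limiting; other errors surface immediately. `sleep` is
/// injected so a test can record the delays instead of waiting for them.
pub fn triage_with_retry<P: TriageProvider>(provider: &mut P, finding: &Finding, context: &str, sleep: &mut dyn FnMut(Duration)) -> Result<TriageResult, ProviderError> {
    let mut attempt = 0;
    loop {
        match provider.triage(finding, context) {
            Err(ProviderError::RateLimited) if attempt < BACKOFF.len() => {
                sleep(BACKOFF[attempt]);
                attempt += 1;
            }
            other => return other,
        }
    }
}

/// Send at most `max_findings` to the provider; drop findings judged false positive with
/// confidence >= `drop_threshold`; annotate the rest. Findings past the cap, or whose triage
/// failed, are kept unchanged: an API error must never make a real finding disappear.
pub fn triage_findings<P: TriageProvider>(provider: &mut P, sources: &HashMap<String, String>, findings: Vec<Finding>, max_findings: usize, drop_threshold: f64, sleep: &mut dyn FnMut(Duration)) -> Vec<Finding> {
    let mut kept = Vec::with_capacity(findings.len());
    for (i, mut f) in findings.into_iter().enumerate() {
        if i >= max_findings { kept.push(f); continue; }
        let source = sources.get(&f.file).map(String::as_str).unwrap_or("");
        let context = extract_code_context(source, f.line, 15);
        match triage_with_retry(provider, &f, &context, sleep) {
            Ok(r) if r.verdict == Verdict::FalsePositive && r.confidence >= drop_threshold => continue,
            Ok(r) => { f.ai_verdict = Some(r.verdict); f.ai_confidence = Some(r.confidence); kept.push(f); }
            Err(_) => kept.push(f),
        }
    }
    kept
}

/// Offline stand-in for Claude/OpenAI/Ollama: replays canned responses in order and counts calls.
pub struct ScriptedProvider { pub responses: VecDeque<Result<TriageResult, ProviderError>>, pub calls: usize }

impl TriageProvider for ScriptedProvider {
    fn triage(&mut self, _finding: &Finding, _context: &str) -> Result<TriageResult, ProviderError> {
        self.calls += 1;
        self.responses.pop_front().unwrap_or(Err(ProviderError::Other("no scripted response".into())))
    }
}

/// Constructed scan: three findings, a cap of two, one rate-limited call.
pub fn demo() -> (Vec<Finding>, usize, Vec<Duration>) {
    let mut sources = HashMap::new();
    sources.insert("app.js".to_string(), (1..=40).map(|n| format!("// line {n}")).collect::<Vec<_>>().join("\n"));
    let finding = |rule: &str, line| Finding { rule_id: rule.into(), file: "app.js".into(), line, ai_verdict: None, ai_confidence: None };
    let result = |verdict, confidence| -> Result<TriageResult, ProviderError> { Ok(TriageResult { verdict, confidence, explanation: String::new() }) };
    let mut provider = ScriptedProvider {
        responses: VecDeque::from(vec![
            Err(ProviderError::RateLimited),     // first attempt for finding 1 -> wait 2s, retry
            result(Verdict::TruePositive, 0.9),   // finding 1 kept and annotated
            result(Verdict::FalsePositive, 0.95), // finding 2 dropped (>= 0.8)
        ]),                                      // finding 3 is past the cap and never sent
        calls: 0,
    };
    let mut delays = Vec::new();
    let kept = triage_findings(&mut provider, &sources, vec![finding("js/sql-injection", 10), finding("js/eval", 20), finding("js/no-alert", 30)], 2, 0.8, &mut |d| delays.push(d));
    (kept, provider.calls, delays)
}

fn main() {
    let (kept, calls, delays) = demo();
    println!("{} findings kept after {} provider calls, delays {:?}", kept.len(), calls, delays);
}
```

The two design points worth copying are in `triage_findings`: the cap is applied before any network call, so cost is bounded even on a noisy scan, and a provider error leaves the finding in the report rather than silently dropping it.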

v0.19.1

February 8, 2026
fixed
  • npm package references updated from rma-cli to qryon

v0.19.0

February 8, 2026
changed
  • Rebranded from RMA to Qryon — binary name, CLI output, config files, documentation all updated

v0.18.1

February 6, 2026
fixed
  • --exclude directory patterns (e.g. external/) now correctly match that directory recursively, at any depth
  • SARIF output capped at 5000 results to stay within GitHub Code Scanning limits
  • Bumped github/codeql-action/upload-sarif from v3 to v4

v0.18.0

February 6, 2026
added
  • Deep analysis (semantics, callgraph, taint tracking, callbacks, test detection) for PHP, C#, Kotlin, Scala, Swift, Bash, Elixir, Solidity, OCaml
  • 858 semgrep rules for 16 new languages
  • CodeQL Models-as-Data knowledge for Ruby and Swift
  • CLI --languages flag support for all 20 languages
fixed
  • CLI parse_language() silently dropping unknown language names

v0.17.0

February 3, 2026
added
  • ROADMAP.md: Comprehensive project roadmap documenting evolution from v0.1.0 to current and future plans
fixed
  • Crates.io Publishing: All 10 workspace crates now publish correctly
    - Added missing rma-rules to the publish workflow (was blocking rma-analyzer)
    - Added missing rma-lsp to the publish workflow
    - Fixed dependency order for layered publishing
    - Added repository metadata to rma-rules and rma-lsp
    - Fixed incorrect repository URLs in rma-cli (was pointing to the wrong repo)
changed
  • Publish Order: Crates now publish in correct dependency layers:
    1. rma-common
    2. rma-parser, rma-rules, rma-ai, rma-plugins
    3. rma-analyzer
    4. rma-indexer, rma-lsp
    5. rma-daemon
    6. rma-cli

v0.16.0

February 3, 2026
added
  • Call Graph Statistics Panel: Real-time overview showing total functions, edges, sources, sinks, sanitizers, and unresolved calls
  • Security Classification Badges: Visual indicators for taint sources [HTTP Handler], sinks [SQL Injection], sanitizers [SAN], and exported functions
  • Source→Sink Flow Highlighting: Dangerous flows marked with icon and red highlighting
  • Source→Sink Filter (press x): Toggle to show only potentially dangerous source-to-sink edges
  • Edge Detail Panel (press Enter): Comprehensive view with:
    - Caller/callee function info with file paths and line numbers
    - Source classification type (HTTP Handler, File Input, etc.)
    - Sink vulnerability types (SQL Injection, XSS, Command Injection, etc.)
    - Sanitizer information if present
    - Classification confidence percentage
    - Security warning box for source→sink flows with remediation guidance
  • Enhanced Finding Detail View: Full metadata display including rule ID, language, severity (color-coded), confidence, category, fingerprint, fix suggestions, and complete code snippets
  • Incremental Scan Cache: Content-hash based caching for faster re-scans
  • --no-cache flag: Force fresh analysis bypassing cache
  • Cache stored in .rma/cache/analysis/: Per-file analysis results
  • rma flows --interactive: Launch TUI for browsing cross-file data flows
  • Test file filtering: Flows from/to test files excluded by default
changed
  • Test Files Excluded by Default: Tests are now excluded from scans by default across all languages
    - Use --include-tests to opt in to scanning test files
    - Unified test pattern detection: 70+ patterns for JS/TS, Python, Go, Rust, Java, Kotlin
    - --skip-tests flag deprecated (tests excluded by default)
    - security command now uses the same comprehensive patterns as the scan command
  • Call Graph Test Filtering: Call graph edges now exclude test files by default
  • TUI Status Bar: Updated help text with available keyboard shortcuts
fixed
  • Zip crate dependency: Updated from yanked 2.6 to stable 2.4
  • Clippy warnings: Fixed trait object syntax and unused imports
  • Missing SystemTime import: Fixed compilation error in OSV provider

v0.15.1

February 2, 2026
fixed
  • SARIF Validation: Ensure line/column values are >= 1 (fixes GitHub upload errors)
  • Self-Scan False Positives: Exclude rule definition patterns from self-scanning
  • Command Injection FP: Suppress false positive for static npm command
changed
  • Faster CI Scans: Download pre-built binary instead of building from source
  • Test Exclusion: Add --skip-tests-all and --exclude-rules for cleaner self-scan

v0.15.0

February 2, 2026
added
  • SARIF Scanned Files Summary: GitHub Code Scanning now displays scanned files and timing metrics
    - Added artifacts array with all analyzed files (path, language, LOC, complexity)
    - Added invocations array with execution timing and performance stats
    - Metrics include files/second throughput and a breakdown of total findings
  • Dedicated RMA Scan Workflow: New rma-scan.yml workflow for GitHub Code Scanning integration
  • Open Source Community Files:
    - CODEOWNERS for maintainer control
    - CODE_OF_CONDUCT.md (Contributor Covenant)
    - SECURITY.md vulnerability reporting policy
    - Issue templates (bug report, feature request)
    - Pull request template
fixed
  • npm package URLs now point to correct repository
  • GitHub Actions workflow permissions for code scanning
  • README version references updated to current release
changed
  • Branch protection configured for solo maintainer workflow
  • GitHub Discussions enabled
  • Repository topics added for discoverability

v0.14.0

February 2, 2026
added
  • Typestate Analysis Framework: Track object state transitions through their lifecycle
    - generic/file-typestate: Detect use-after-close, unclosed files, double-open
    - generic/lock-typestate: Detect double-lock, double-unlock, unlock-without-lock
    - generic/crypto-typestate: Detect use of uninitialized ciphers
    - generic/database-typestate: Detect query-before-connect, query-after-close
    - generic/iterator-typestate: Detect iterator use after exhaustion
    - Language support: JavaScript, TypeScript, Python, Go, Java
    - Safe pattern recognition: with, defer, try-with-resources, RAII
    - FlowContext integration with compute_typestate() and typestate_violations() methods
    - builtin_typestate_rules() convenience function for all typestate rules
  • Interactive TUI: Browse findings with keyboard navigation (j/k, Enter for details, s filter severity)
  • Smart Progress Display: Real-time progress bar with ETA, file counts, and severity breakdown
  • Powerful Filtering: --severity, --rules, --exclude-rules, --files, --category, --search
  • Output Limiting: --limit N and --group-by (file/rule/severity) for large codebases
fixed
  • Database Typestate False Positives: Rule now requires database imports in file before flagging
  • API Client Detection: cartApi.update(), userService.create() no longer flagged as DB queries
  • Array.find() False Positives: Removed generic .find( from DB patterns, use specific ORM patterns
  • Compiler warnings eliminated across all crates
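
What a typestate rule actually does, as an added example that is not Qryon's analyser: each tracked variable carries a state, every operation is looked up in a (state, op) transition table, an operation with no legal transition is a violation (use-after-close, double-open, double-lock, unlock-without-lock all fall out of the same lookup), and a resource still in its "held" state at scope end is a leak unless it was acquired through a managed pattern (with, defer, try-with-resources, RAII). The per-variable event streams below are constructed by hand in place of the AST walk a real analyser would do; state and operation names are illustrative.

```rust
// Added example, not Qryon's own analyser: a small typestate checker in the spirit
// of the v0.14.0 rules. Input is a per-variable event stream already lifted out of
// the AST (constructed here by hand); states and ops are illustrative names.
use std::collections::{BTreeMap, HashMap};

pub struct TypestateRule {
    pub name: &'static str,
    pub initial: &'static str,
    /// (from_state, operation, to_state); any (state, op) pair missing here is a violation.
    pub transitions: Vec<(&'static str, &'static str, &'static str)>,
    /// Ops that model with/defer/try-with-resources/RAII: release is automatic at scope end.
    pub managed_ops: &'static [&'static str],
    /// Ending the scope in this state without a managed op is a leak.
    pub must_release: &'static str,
    pub leak_message: &'static str,
}

pub struct Event { pub var: String, pub op: &'static str, pub line: usize }

#[derive(Debug, PartialEq)]
pub struct Violation { pub rule: &'static str, pub var: String, pub line: usize, pub message: String }

pub fn check(rule: &TypestateRule, events: &[Event]) -> Vec<Violation> {
    let table: HashMap<(&str, &str), &str> =
        rule.transitions.iter().map(|&(from, op, to)| ((from, op), to)).collect();
    // var -> (current state, acquired via managed op?, line of last event)
    let mut states: BTreeMap<&str, (&str, bool, usize)> = BTreeMap::new();
    let mut out = Vec::new();
    for e in events {
        let entry = states.entry(e.var.as_str()).or_insert((rule.initial, false, e.line));
        entry.2 = e.line;
        match table.get(&(entry.0, e.op)) {
            Some(&next) => {
                entry.0 = next;
                if rule.managed_ops.contains(&e.op) { entry.1 = true; }
            }
            // Illegal op for the current state; the state is left unchanged so one
            // mistake does not cascade into a second report on the next line.
            None => out.push(Violation {
                rule: rule.name, var: e.var.clone(), line: e.line,
                message: format!("{} while {}", e.op, entry.0),
            }),
        }
    }
    for (var, (state, managed, line)) in states {
        if state == rule.must_release && !managed {
            out.push(Violation { rule: rule.name, var: var.to_string(), line, message: rule.leak_message.to_string() });
        }
    }
    out
}

pub fn file_rule() -> TypestateRule {
    TypestateRule {
        name: "generic/file-typestate", initial: "unopened",
        transitions: vec![
            ("unopened", "open", "open"),
            ("unopened", "with_open", "open"), // with open(...) / try-with-resources / RAII handle
            ("open", "read", "open"), ("open", "write", "open"),
            ("open", "close", "closed"),
            ("closed", "open", "open"),        // reopening a closed handle is fine
        ],
        managed_ops: &["with_open"], must_release: "open",
        leak_message: "file left unclosed at scope end",
    }
}

pub fn lock_rule() -> TypestateRule {
    TypestateRule {
        name: "generic/lock-typestate", initial: "unlocked",
        transitions: vec![
            ("unlocked", "lock", "locked"),
            ("unlocked", "guard", "locked"),   // scoped guard: unlocks on drop / defer
            ("locked", "unlock", "unlocked"),
        ],
        managed_ops: &["guard"], must_release: "locked",
        leak_message: "lock still held at scope end",
    }
}

fn ev(var: &str, op: &'static str, line: usize) -> Event { Event { var: var.to_string(), op, line } }

/// Constructed event streams standing in for parsed code.
pub fn demo() -> (Vec<Violation>, Vec<Violation>) {
    let file_events = vec![
        ev("f", "open", 3), ev("f", "read", 4), ev("f", "close", 5), ev("f", "read", 6), // use-after-close
        ev("g", "with_open", 8), ev("g", "read", 9),                                      // safe pattern, no report
        ev("h", "open", 11), ev("h", "open", 12),                                         // double-open, then leaked
    ];
    let lock_events = vec![
        ev("m", "lock", 2), ev("m", "lock", 3),     // double-lock
        ev("m", "unlock", 4), ev("m", "unlock", 5), // unlock-without-lock
    ];
    (check(&file_rule(), &file_events), check(&lock_rule(), &lock_events))
}

fn main() {
    let (files, locks) = demo();
    for v in files.iter().chain(locks.iter()) {
        println!("{} {} line {}: {}", v.rule, v.var, v.line, v.message);
    }
}
```

The table-driven shape is what makes adding the crypto, database and iterator rules cheap: each is just another initial state, transition list and leak condition, and the checker itself does not change.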

v0.13.0

February 2, 2026
added
  • Cross-File Analysis (--cross-file): Import resolution and call graph construction
    - Tracks function calls across file boundaries
    - Detects taint flows through function parameters
    - Supports JS/TS, Python, Go, Rust, Java
  • 20+ New Security Rules:
    - Python: unsafe-deserialization, ssti, unsafe-yaml, django-raw-sql, path-traversal
    - Rust: unwrap-on-user-input, missing-error-propagation, raw-sql-query, unwrap-in-handler
    - Go: defer-in-loop, goroutine-leak, missing-http-timeout, insecure-tls
    - Java: npe-prone-patterns, unclosed-resource, log-injection, spring-security-misconfig
    - JS/TS: prototype-pollution, redos, missing-security-headers, express-security
  • Test File Exclusion Flags:
    - --skip-tests: Skip test files (security rules still apply)
    - --skip-tests-all: Skip ALL findings in tests, including security rules
    - 65+ test patterns: *_test.go, *.test.ts, test_*.py, src/test/, __tests__/, etc.
  • Auto-Fix Foundation: Fix struct with replacement suggestions
  • Diff-Aware Analysis (--diff): Only report findings on changed lines
  • HTML Reports: Self-contained HTML report generation with embedded CSS/JS
  • GitHub Action: action.yml for CI/CD integration with SARIF upload
  • LSP Enhancements: Code actions, debounced diagnostics, concurrent access with DashMap
changed
  • Security rules now properly registered in register_default_rules()
  • --mode pr and --mode ci automatically skip test files
  • Improved pattern matching for test directory detection
fixed
  • Rules not triggering in CLI scan (missing rule registration)
  • Clippy warnings for absurd comparisons in tests

v0.12.0

February 2, 2026
added
  • Security audit command for comprehensive vulnerability assessment
  • OSV provider for multi-language dependency scanning
  • RustSec provider for Rust advisory database

v0.7.0

February 1, 2026
added
  • Native Oxc Integration: JS/TS analysis using oxc crates directly (no external binaries)
    - oxc/no-debugger: Detect debugger statements
    - oxc/no-eval: Detect dangerous code execution
    - oxc/no-alert: Detect browser dialogs
    - oxc/no-empty-pattern: Detect empty destructuring
    - oxc/no-with: Detect deprecated with statements
  • Test File Exclusion: Secret detection rules now skip test/fixture/example files
    - Skips /test/, /tests/, /__tests__/, /fixtures/, /examples/ directories
    - Skips *_test.go, *.test.js, *.spec.ts, conftest.py files
  • Gosec Provider: Go security analysis via gosec CLI integration
  • 65 Total Rules: Comprehensive coverage across all supported languages
changed
  • js/no-cond-assign: Now only flags actual control flow statements (if/while/for/do)
    - Fixes false positives on ternaries in JSX template literals
    - Skips intentional patterns like if ((x = getValue()) !== null)
  • Go Security Scanner: Single-pass AST traversal for maximum performance
    - Pre-compiled regex patterns with LazyLock
    - Quick content checks to skip unnecessary scanning
fixed
  • False positive: Private keys in test files no longer flagged
  • False positive: Ternary expressions in JSX className props
  • Performance: Rule pre-filtering with HashMap for O(1) lookup
  • Performance: HashSet for O(1) node kind lookups
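
How the test-file handling across these releases fits together, as an added example that is not Qryon's own code: v0.7.0 has secret-detection rules skip test, fixture and example paths outright; v0.13.0 adds --skip-tests (drop quality findings in tests, keep security findings) and --skip-tests-all (drop everything in tests); v0.16.0 makes exclusion the default with --include-tests to opt back in. The pattern list below is a constructed subset of the project's patterns, the `TestPolicy` and `RuleMeta` names are illustrative, and treating a rule's own "never in tests" flag as overriding --include-tests is an assumption made for the example.

```rust
// Added example, not Qryon's own code: test-file detection plus the keep/drop policy
// behind --skip-tests, --skip-tests-all and --include-tests. The pattern list is a
// constructed subset; names and the rule-level override are illustrative.

/// Directory segments that mark a path as test/fixture/example code.
const TEST_DIRS: &[&str] = &["test", "tests", "__tests__", "spec", "fixtures", "examples"];
/// File-name globs; `*` is the only special character.
const TEST_FILE_GLOBS: &[&str] = &[
    "*_test.go", "*.test.js", "*.test.ts", "*.spec.js", "*.spec.ts",
    "test_*.py", "conftest.py", "*Test.java", "*Test.kt",
];

/// Minimal glob matcher: `*` matches any run of characters, everything else is literal.
/// Classic two-pointer scan that backtracks to the last `*` on mismatch.
pub fn wildcard_match(pattern: &str, text: &str) -> bool {
    let (p, t) = (pattern.as_bytes(), text.as_bytes());
    let (mut pi, mut ti, mut star, mut mark) = (0usize, 0usize, None, 0usize);
    while ti < t.len() {
        if pi < p.len() && p[pi] == b'*' {
            star = Some(pi);
            mark = ti;
            pi += 1;
        } else if pi < p.len() && p[pi] == t[ti] {
            pi += 1;
            ti += 1;
        } else if let Some(s) = star {
            pi = s + 1;
            mark += 1;
            ti = mark;
        } else {
            return false;
        }
    }
    while pi < p.len() && p[pi] == b'*' { pi += 1; }
    pi == p.len()
}

/// True if any parent directory is a test directory or the file name matches a test glob.
/// Backslashes are normalised so Windows paths classify the same way.
pub fn is_test_file(path: &str) -> bool {
    let norm = path.replace('\\', "/");
    let segments: Vec<&str> = norm.split('/').filter(|s| !s.is_empty() && *s != ".").collect();
    let Some((name, dirs)) = segments.split_last() else { return false };
    dirs.iter().any(|d| TEST_DIRS.contains(d)) || TEST_FILE_GLOBS.iter().any(|g| wildcard_match(g, name))
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum TestPolicy {
    /// Default since v0.16.0 (and --skip-tests-all before it): drop every finding in test files.
    Exclude,
    /// Deprecated --skip-tests: drop quality findings in tests, keep security findings.
    SecurityOnly,
    /// --include-tests: scan test files like any other.
    Include,
}

pub struct RuleMeta { pub id: &'static str, pub security: bool, pub never_in_tests: bool }

/// Decide whether a finding survives filtering. A rule that opts out of test files
/// (secret detection vs fixture keys, v0.7.0) wins over the policy: assumption for this example.
pub fn keep_finding(path: &str, rule: &RuleMeta, policy: TestPolicy) -> bool {
    if !is_test_file(path) { return true; }
    if rule.never_in_tests { return false; }
    match policy {
        TestPolicy::Include => true,
        TestPolicy::Exclude => false,
        TestPolicy::SecurityOnly => rule.security,
    }
}

/// Constructed findings; returns (path, rule id, [Exclude, SecurityOnly, Include]) per case.
pub fn demo() -> Vec<(&'static str, &'static str, [bool; 3])> {
    let sqli = RuleMeta { id: "js/sql-injection", security: true, never_in_tests: false };
    let console = RuleMeta { id: "js/no-console", security: false, never_in_tests: false };
    let secret = RuleMeta { id: "secrets/private-key", security: true, never_in_tests: true };
    let cases = [
        ("src/db.ts", &sqli),
        ("src/__tests__/db.test.ts", &sqli),
        ("src/__tests__/db.test.ts", &console),
        ("tests/fixtures/key.pem", &secret),
    ];
    cases.iter().map(|(path, rule)| (*path, rule.id, [
        keep_finding(path, rule, TestPolicy::Exclude),
        keep_finding(path, rule, TestPolicy::SecurityOnly),
        keep_finding(path, rule, TestPolicy::Include),
    ])).collect()
}

fn main() {
    for (path, rule, kept) in demo() {
        println!("{path:30} {rule:22} exclude={} security-only={} include={}", kept[0], kept[1], kept[2]);
    }
}
```

Two details matter in practice: the globs are anchored (so `testimonials.py` is not a test file even though it starts with `test`), and the directory check looks at parent segments only, so a source file that merely sits next to a `tests/` directory is not swept up.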

v0.6.0

February 1, 2026
added
  • WebSocket endpoint for real-time file watching (/ws/watch)
  • Web dashboard for browser-based monitoring
  • Initial scan on watch mode startup
  • Interactive keyboard shortcuts in watch mode (q/c/r/s/e/p/?)
changed
  • Categorized rules into high-confidence sinks vs review hints
  • Reduced false positives in security rules
fixed
  • Clippy warnings for Rust 2024 edition
  • Normalized file paths in SARIF and GitHub output

v0.5.0

January 31, 2026
added
  • Rich diagnostics with code snippets and suggestions
  • GitHub Actions output format (--format github)
fixed
  • Clippy warnings for Rust 2024 if-let chains

v0.4.0

January 31, 2026
added
  • SARIF output improvements
  • Better error messages

v0.3.0

January 31, 2026
added
  • 8 new security rules for Rust, JS/TS, Python, Go, Java
  • Automatic Homebrew tap update workflow
  • Secret detection (API keys, AWS keys, GitHub tokens, private keys)
  • Insecure crypto detection (MD5, SHA-1, DES, RC4, ECB)

v0.2.0

January 31, 2026
added
  • Config versioning (config_version = 1)
  • Stable fingerprints for baseline comparisons
  • Rulesets (security, maintainability)
  • Inline suppression (// rma-ignore-next-line)
  • GitHub Actions integration
  • Timer string rule for JS
changed
  • Updated to Rust edition 2024

v0.1.0

January 31, 2026
added
  • Initial release
  • Multi-language support: Rust, JavaScript, TypeScript, Python, Go, Java
  • Security and code quality rules
  • SARIF output for GitHub Security tab
  • Watch mode for real-time analysis
  • HTTP API daemon
  • Configuration via rma.toml
  • Profiles: fast, balanced, strict
