v0.0.48
Released Jun 15, 2026
All releases
Release Notes
squirrelscan v0.0.48
squirrelscan grows up into a platform. This release makes it programmable โ org-scoped API keys, a documented public REST API, and outbound webhooks โ and CI-native โ an official GitHub Action, build-gating exit codes, and token auth that just works in a pipeline. Plus auto-publish to your dashboard, faster re-audits, and a stack of sharp fixes. ๐ฟ๏ธ
๐ The squirrelscan API
- Org-scoped API keys with scopes โ mint keys per org, scoped to exactly what they're allowed to do, with rate limiting built in. Create and revoke them from a new API Keys page in the dashboard (scope picker, presets, one-time secret reveal). (#154, #158)
- Public REST API โ a documented, stable surface with an OpenAPI spec and a consistent error envelope, so you can drive audits and pull results from your own tooling. (#175)
- Outbound webhooks โ get notified when audits happen; org-scoped delivery with retries. (#171)
- Developers hub โ a brand-new docs section pulling REST API, CI/CD, webhooks, authentication, and Agents & MCP together in one place โ docs.squirrelscan.com/developers (#183)
โ๏ธ Built for CI
- Official GitHub Action โ
uses: squirrelscan/audit-action@v1: install, audit, and gate your build in a few lines. (#168, #169) --fail-onbuild gating โ fail the pipeline on a threshold you choose (score<90,score:perf<80,severity>=error,errors>0, โฆ). Exit code2means a threshold tripped,1means the run itself broke โ so CI can tell a regression from a crash. (#167)SQUIRREL_API_TOKENenv auth โ set one env var and the CLI authenticates with no login step, fail-closed (no silent fallback) โ built for CI secrets.squirrel whoaminow shows your token's scopes. (#159)
โจ New
- Audits auto-publish to your dashboard โ signed-in audits now publish automatically (unlisted + free by default), so your audit history is always there. Public reports cost 2 credits; opt out anytime with
--no-publish/--offline. (#170) - Sub-resource caching + a bad-caching rule โ crawls now cache CSS, JS, images, and fonts like a browser would, so repeat audits are noticeably faster, and a new performance rule flags pages serving poor caching headers. (#107, #108)
- Smart audits (experimental, opt-in) โ a local per-page finding store with union scoring across runs; off by default, enable with
smart_audits = trueinsquirrel.toml. (#110) - One up-front cloud consent prompt โ logged-in audits now ask once, with a clear cost estimate, before spending any credits โ no more per-step surprises. (#191)
๐ Fixes
- Cleaner console output โ run-relative timestamps and no more raw ISO date dumps cluttering the audit log. (#190)
- Hardened auto-update โ skips CI, respects opt-out, configurable cadence, and a
doctorhealth check, so background updates stay quiet and predictable. (#201) - Rendered audits no longer 413 โ technology detection now bounds its payload so large rendered pages don't blow the request size limit. (#192)
- musl / Alpine installs โ the installer ensures
libstdc++is present, so the binary runs on Alpine out of the box. (#163)
๐งน Under the hood
- Live-sync foundation โ a new org-scoped sync engine (Durable Object oplog + WebSocket push with ticket auth) lands behind a flag, paving the way for a real-time dashboard. (#205, #220)
Update to this version
squirrelscan will auto-update, or run this command to update now:
$