All notable changes to inspect are documented here. Format: Keep a Changelog
This project adheres to Semantic Versioning.
- MCP server scaffolding moved to the shared
hawk-mcpkitmodule.mcp/server.gonow delegates server construction, the stdio and streamable-HTTP transports, and argument/result helpers to the kit. Tool names, schemas, and behavior are unchanged. The advertised MCP server version now tracks theVERSIONfile (inspect.Version) instead of a hardcoded string. - Version re-baselined to
0.1.0ininternal/report/sarif.go(const inspectVersion, used astool.driver.versionin SARIF output) andmcp/server.go(advertised MCP server version). Aligns inspect with the rest of the hawk-eco ecosystem (hawk,tok,eyrie,yaad,trace,sight).- Note: the previous values were inconsistent (
inspectVersionwas"1.0.0"while the MCP server advertised"0.1.0"); both now agree on"0.1.0". - The SARIF spec version (
sarifVersion = "2.1.0") is unchanged — that's a different field that identifies the SARIF format, not the tool.
- Note: the previous values were inconsistent (
- Soft 404 / false positive detection
- Per-host error circuit breaker with auto-throttle
- Gzipped archive format for scan results
- Findings storage bridge for external persistence
CODE_OF_CONDUCT.md— Contributor Covenant 2.1..gitattributes— LF normalization, binary detection, GitHub linguist hint to collapsego.sumin PR diffs..editorconfig— UTF-8, LF, final newline, trim trailing whitespace, tabs for Go + Makefile, 2-space indent for YAML/JSON/TOML, no-trim for Markdown..github/PULL_REQUEST_TEMPLATE.md— Summary / Changes / Scan- quality impact / SARIF compatibility / SSRF & egress safety / Testing / Checklist..github/ISSUE_TEMPLATE/bug_report.yml— surface dropdown (library API / MCP / SARIF / browser checks / CVE database) and false-positive textarea..github/ISSUE_TEMPLATE/feature_request.yml—kindselector covering 8 functional areas (security checks / accessibility / SEO / performance / browser / output formats / config / tooling) and developer fit checks..github/ISSUE_TEMPLATE/config.yml— routes security to advisories, questions to discussions, blocks blank issues.
- Browser-based checks (optional rod integration)
- Accessibility auditing (WCAG contrast, ARIA, alt text)
- SRI (Subresource Integrity) validation
- SEO checks (meta tags, structured data)
- Performance checks (resource sizes, render-blocking)
- SARIF and HTML output formats
- MCP server integration (inspect_scan, inspect_scan_dir)
- GitHub Action (action.yml) for CI/CD
- SSRF protection (private IP blocking)
- Sitemap and robots.txt discovery
- Improved crawler concurrency model
- Rate limiting defaults (20 req/sec)
- Directory scanning (ScanDir)
- JUnit XML output format
- Cookie security checks
- Form validation checks (CSRF, action URLs)
- Configuration file support (.inspect.toml)
- File exclusion patterns
- Initial release: Scan() with concurrent crawler
- Security header checks (CSP, HSTS, CORS, X-Frame-Options)
- Broken link detection
- Custom Checker interface
- Declarative RuleCheck pattern matching
- Quick, Standard, Deep presets
- JSON and terminal output