Changelog

Latest updates, features, and improvements to sus.

v0.1.5 - PyPI Seed Support & Model Update

Extended seed script to support PyPI packages and improved agentic scan reliability

Features

  • PyPI seed support - Seed script now supports --registry pypi flag to seed top Python packages from PyPI alongside npm packages
  • Python AI packages - Added curated list of 35 Python AI/ML ecosystem packages (openai, langchain, transformers, torch, etc.) for --include-ai flag
  • Ecosystem-aware CVE fetching - CVE package fetching now queries the correct OSV ecosystem (npm vs PyPI) based on registry

Technical Changes

  • Model switch - Agentic scan model changed from opencode/kimi-k2.5-free to anthropic/claude-sonnet-4-5 for improved reliability and faster scan times (~85s vs 5min+ timeouts)
  • Rust 1.88 - Updated Docker images to Rust 1.88 for compatibility with latest dependencies

Seed CLI

  • sus seed --count 1000 - Seed npm packages (default)
  • sus seed --count 1000 --registry pypi - Seed PyPI packages
  • sus seed --count 500 --registry pypi --include-ai - Seed PyPI with AI packages

Data Sources

v0.1.4 - sus init & AGENTS.md Docs Index

New initialization command and improved documentation delivery based on Vercel's agent research

Features

  • sus init command - Initialize sus in your project with optional AGENTS.md docs index. Settings stored in sus.json.
  • AGENTS.md docs index - Replaces per-agent-folder skills with a compressed docs index in AGENTS.md, following Vercel's research showing passive context outperforms active skill retrieval (100% vs 79% pass rate).
  • Improved search relevance - Search results now prioritize: exact match → starts with → contains. Within each tier, sorted by downloads.

How It Works

When enabled, sus add saves docs to .sus-docs/ and updates AGENTS.md with a compressed index.

CLI Changes

  • sus init / sus init -y - Initialize project (use -y to skip prompts)
  • sus add / sus remove - Now manage .sus-docs/ and update AGENTS.md index

v0.1.3 - Two-Stage Threat Verification

Enhanced threat detection with AI-powered verification to reduce false positives

Features

  • Two-stage verification - Threats detected by the initial scan are now verified by Claude Opus 4.5 before being saved to the database. Unverified threats are discarded, reducing false positives.
  • Expanded threat categories - Added 28+ new threat types covering LLM safety, secrets management, injection vulnerabilities, authentication issues, and supply chain attacks
  • Improved threat parsing - Prompts now specify exact allowed threat type values, ensuring consistent snake_case output from AI models

New Threat Categories

  • LLM Safety: prompt_injection, improper_output_handling, insecure_tool_usage, instruction_override
  • Secrets: hardcoded_secrets
  • Data Handling: weak_crypto, sensitive_data_logging, pii_violations, insecure_deserialization
  • Injection: xss, sqli, command_injection, ssrf, ssti, code_injection
  • Auth & Session: auth_bypass, weak_session_tokens, insecure_password_reset
  • Supply Chain: malicious_install_scripts, dependency_confusion, typosquatting, obfuscated_code
  • Other: path_traversal, prototype_pollution, backdoor, crypto_miner, data_exfiltration, social_engineering

Technical Changes

  • Initial scan uses opencode/kimi-k2.5-free for fast threat detection
  • Verification step uses anthropic/claude-opus-4-5 for high-accuracy confirmation
  • Only threats confirmed by both models are persisted to the database
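
The allowed-value parsing and the "confirmed by both models" rule described above, sketched as an added example (not sus's own code). The `threat_type|file` line format, the `Finding` struct and the function names are hypothetical, and the allowlist is a subset of the categories listed in this entry.

```rust
use std::collections::HashSet;

// Subset of the threat types listed above; a full allowlist would carry every value.
const ALLOWED: &[&str] = &[
    "prompt_injection", "hardcoded_secrets", "command_injection",
    "malicious_install_scripts", "obfuscated_code", "data_exfiltration",
];

#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub threat_type: &'static str,
    pub file: String,
}

/// Model output is untrusted: accept only an exact allowlisted value, with no
/// case folding or fuzzy repair, so an unexpected label is dropped, not stored.
pub fn parse_threat_type(raw: &str) -> Option<&'static str> {
    let t = raw.trim();
    ALLOWED.iter().copied().find(|a| *a == t)
}

/// Parse constructed "threat_type|file" lines (hypothetical wire format).
pub fn parse_findings(lines: &[&str]) -> Vec<Finding> {
    lines.iter().filter_map(|line| {
        let (ty, file) = line.split_once('|')?;
        let file = file.trim();
        if file.is_empty() { return None; }
        Some(Finding { threat_type: parse_threat_type(ty)?, file: file.to_string() })
    }).collect()
}

/// Stage two: keep a detection only if the verifier reported the same
/// (type, file) pair. Anything unconfirmed is discarded.
pub fn persistable(detected: &[Finding], confirmed: &[Finding]) -> Vec<Finding> {
    let ok: HashSet<(&str, &str)> =
        confirmed.iter().map(|f| (f.threat_type, f.file.as_str())).collect();
    detected.iter()
        .filter(|f| ok.contains(&(f.threat_type, f.file.as_str())))
        .cloned()
        .collect()
}

fn main() {
    // Constructed sample output from the two stages.
    let stage1 = parse_findings(&["command_injection|lib/run.js", "Command Injection|lib/x.js",
                                  "obfuscated_code|dist/a.min.js", "totally_new_type|index.js"]);
    let stage2 = parse_findings(&["command_injection|lib/run.js"]);
    println!("{:?}", persistable(&stage1, &stage2));
}
```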

v0.1.2 - AGENTS.md Integration

Automatic AGENTS.md support for seamless AI agent onboarding

Features

  • Auto-generate AGENTS.md - Running sus add now automatically creates an AGENTS.md file at your project root with instructions for AI agents to use sus for secure package installation
  • Smart patching - If an AGENTS.md already exists, sus appends its instructions without overwriting your existing content
  • Idempotent - The file is only created/patched once, detected via a ## sus Package Security marker section
  • Skills folder guidance - Instructions direct agents to check .cursor/skills/, .claude/skills/, etc. for package-specific usage guidance
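
The create, append and skip behaviour described above, as an added example that is not sus's own code. The function name and the placeholder instruction body are hypothetical; only the marker heading comes from this entry.

```rust
/// Marker heading named in the changelog entry above.
const MARKER: &str = "## sus Package Security";
// Placeholder body: the real instruction text is not shown on this page.
const BODY: &str = "<instructions for agents go here>";

/// Returns the new file content, or None when nothing needs to be written.
/// `existing` is None when AGENTS.md does not exist yet.
pub fn patch_agents_md(existing: Option<&str>) -> Option<String> {
    let section = format!("{}\n\n{}\n", MARKER, BODY);
    match existing {
        None => Some(section),
        Some(text) => {
            // Match the marker as a whole heading line, so prose that merely
            // mentions the phrase does not suppress the patch.
            if text.lines().any(|l| l.trim_end() == MARKER) {
                return None;
            }
            // Append only: the user's content is kept byte for byte.
            let mut out = text.to_string();
            if !out.is_empty() {
                if !out.ends_with('\n') {
                    out.push('\n');
                }
                out.push('\n'); // blank line before the new section
            }
            out.push_str(&section);
            Some(out)
        }
    }
}

fn main() {
    // Constructed sample: an existing file without a trailing newline.
    let first = patch_agents_md(Some("# My project\nNotes")).unwrap();
    print!("{}", first);
    // Second run finds the marker line and writes nothing.
    println!("second run writes: {:?}", patch_agents_md(Some(&first)));
}
```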

Bug Fixes

  • Backwards compatibility fix - Resolved an issue where older scan jobs in the queue failed to deserialize due to a missing registry field. Jobs now default to the npm registry when the field is absent.

v0.1.1 - Multi-Registry Support

Preparing sus for multi-registry package scanning with registry tracking

Features

  • Registry tracking - All packages now include a registry field in API responses (npm, pypi, crates)
  • Updated unique constraint - Packages are now uniquely identified by (name, version, registry) to support same package names across different registries
  • Scan request registry - API scan requests now accept an optional registry parameter (defaults to npm)

API Changes

  • GET /v1/packages/:name - Response now includes "registry": "npm"
  • GET /v1/packages/:name/:version - Response now includes "registry": "npm"
  • POST /v1/bulk - Response items now include "registry": "npm"
  • POST /v1/scan - Request body accepts optional "registry" field

Coming Soon

  • PyPI package scanning
  • Crates.io package scanning

v0.1.0 - Initial Release

First public release of sus - the secure package gateway for AI agents

Features

  • Package security scanning for npm, yarn, pnpm, and bun
  • CVE detection with real-time vulnerability alerts
  • Malware detection for known malicious packages
  • Install script analysis to catch suspicious post-install hooks
  • Typosquatting detection to prevent dependency confusion attacks

Agent Skills

  • Automatic generation of SKILL.md files for installed packages
  • AGENT.md support for project-level agent instructions
  • Integration with Cursor, Claude Code, OpenCode, Gemini CLI, and Codex