
chore(main): release 2.0.0 #202

Closed
github-actions[bot] wants to merge 1 commit into main from release-please--branches--main--components--check-image
@github-actions

🤖 I have created a release beep boop

2.0.0 (2026-03-16)

⚠ BREAKING CHANGES

  • The root-user command has been removed. Use user instead, which provides the same basic non-root check plus additional policy-based validation (UID ranges, blocked users, numeric UID requirements).

Features

  • Add --include flag to the all command (#70) (eb3e239)
  • Add --color flag with terminal color support via Lip Gloss (#96) (e03eaa6)
  • add --fail-fast flag to all command (#43) (52e4863)
  • Add --output/-o flag with JSON support (#45) (436389b)
  • add all command to run all validation checks at once (#41) (8fac20e)
  • Add platform validation command (#84) (7e75ae3)
  • Add user command with policy-based validation (#197) (f37ae30)
  • Add colored section separators to the all command output (#103) (6e49bc5)
  • Add context cancellation checks in secrets layer scanning (c2af061)
  • Add Docker support with multi-arch images and GHCR publishing (#54) (0551aca)
  • Add entrypoint validation command (#81) (55824d0)
  • Add GitHub Action for container image validation (#64) (35d719e)
  • Add granular exit codes to distinguish validation failures from execution errors (#49) (052b655)
  • Add healthcheck validation command (#61) (6c8ab45)
  • Add Homebrew tap distribution (#91) (95456fe)
  • Add labels validation command (#57) (ea47eb8)
  • Add private registry authentication support (#88) (65c2e7f)
  • Add retry with exponential backoff for remote registry calls (5488754)
  • Add stdin support and inline configuration for policies (#51) (e3c5df8)
  • add version command (64ecdb8)
  • imageutil: add local image retrieval (010016c)
  • ports: change allowed_ports to allowed-ports in config schema (283df03)
  • registry: add command to validate trusted image registries (0ca34c9)
  • registry: change trusted_registries to trusted-registries and excluded_registries to excluded-registries in config schema (eb8a9d4)
  • registry: enhance registry policy validation (be77ebe)
  • Remove root-user command in favor of user command (#201) (43ca533)
  • secrets: add command to detect sensitive data in container images (ad027cb)
  • support multiple image formats (8e09297)
  • Update module path to use full GitHub URL (#3) (9abb173)
  • version: Add build info and --short flag (#78) (988f982)

Bug Fixes

  • Add file size limit to ReadSecureFile (#186) (1ad5942)
  • Add HTTP timeouts to remote registry transport (657cf3f)
  • Add size limit on --password-stdin read (a7b4801)
  • add v prefix to version output in binaries (324f08f)
  • Cap per-file io.Copy with LimitReader in extractRegularFile to prevent unbounded disk writes from lying tar headers (#170) (5bda17b)
  • Chain GoReleaser as job within release-please workflow (9e4dc84)
  • Configure release-please to use simple tag format without component prefix (cb3fa85)
  • Correct GoReleaser ldflags to use correct module path for version injection (7d9bd49)
  • Detect UID 0 as root in root-user check (#168) (c67638f)
  • Eliminate temp file leak and deduplicate inline policy formatters (#98) (7976514)
  • Embed render function in checkRunner and add default branch to renderResult (#104) (07e6b04)
  • Fix GoReleaser brews config and archive format deprecations (#93) (0a1e71b)
  • Guard renderResult against nil Details panic on error results (#100) (dbb5076)
  • Improve error handling and remove dead code (#127) (e3cc365)
  • Include labels in default checks help text (#59) (5f85f52)
  • Input validation improvements (registry transport, docker-archive tag, platform format) (#187) (62491e3)
  • Pre-initialize Lip Gloss styles so FailStyle renders color even when PersistentPreRunE does not run (#181) (d89d5a9)
  • Prevent false positives in path-based secrets file pattern matching (#139) (9822379)
  • Remove oci-archive: temp directory leak via cleanup function pattern (#124) (51bc6e8)
  • Remove push-to-main trigger from test-action workflow (#66) (383defe)
  • Reorder help text in all command for logical flow (#72) (5e55d2c)
  • Replace magic +10 layer loop with sorted key iteration in secrets renderer (#101) (15413c6)
  • Replace string-matching HTTP status detection in isRetryableError with typed transport.Error assertion (#177) (3cb73de)
  • resolve security warnings detected by gosec (54d7ae4)
  • Sanitize image-controlled strings in debug log output to prevent log injection (#189) (8f0dce0)
  • Scope staticKeychain credentials to target registry hostname (#193) (8d595e1)
  • size: retrieve local image with remote fallback (6b8151f)
  • Skip platform check in Test Action workflow jobs that lack config (8c227ab)
  • Update release-please config to v4 manifest format (#5) (dc54f9b)
  • Validate port range 1-65535 in --allowed-ports parsing (#179) (37811d5)
  • Verify SHA-256 checksum of downloaded binary in GitHub Action (a55bf13)
  • Warn at runtime when --password is used on the command line (#183) (3236975)
  • Write to stdin pipe in goroutine to prevent deadlock on Windows (abec527)

Code Refactoring

  • Add context.Context propagation and signal handling (3bdd305)
  • Adopt structured logging with log.WithFields() at high-value log sites (#191) (05cbd5f)
  • Centralise cleanup in extractOCIArchive via named return defer (#137) (49eec76)
  • Collapse checkDef and checkRunner into a single type (#132) (0cf265f)
  • eliminate duplicate code across commands and policies (399e980)
  • Extract isDirectoryPattern and isGlobPattern from isPathExcluded (#140) (780c278)
  • Extract printSectionHeader, runSingleCheck, printSectionFooter from executeChecks (#138) (1b493a8)
  • Extract renderEmptyResult from runAll (#143) (7b16672)
  • Extract resolveRegistryCredentials from PersistentPreRunE for direct testability (#135) (cd5d2ee)
  • Extract default flag values into named constants (#112) (f0e3ce1)
  • Extract repeated image-transport help into imageArgFormatsDoc constant (#115) (0619227)
  • Extract shared applyInlinePolicy helper from applyRegistryConfig and applyLabelsConfig (#120) (45352f8)
  • Extract shared parseAllowedListFromFile helper from ports and platform (#117) (8afbb2a)
  • Extract shared RunE body into runCheckCmd helper (#116) (e16d64c)
  • Extract shell interpreter literals as named constants in entrypoint.go (#131) (990f9ac)
  • Fix three naming readability issues in commands and imageutil (#128) (9d2d084)
  • Make error precedence in applyConfigValues explicit (#141) (de14be4)
  • Merge formatAllowedPorts and formatAllowedPlatforms into formatAllowedList (#113) (c2debd6)
  • Pass output format as explicit parameter to render functions (#150) (e040b5c)
  • Reduce gocyclo min-complexity and fix extractOCIArchive (#47) (bc8a446)
  • Remove keyStyle and align text output across commands (#199) (75df619)
  • Remove dead LoadXPolicyFromObject functions and their tests (#121) (122c07f)
  • Remove dead UnmarshalConfigFile function (#110) (3d09679)
  • Remove redundant comments and fix import grouping (#130) (7c9f1ca)
  • Rename UpdateResult parameter from new to result (#125) (97e05c4)
  • Replace renderResult switch with map-based dispatch (#146) (b22e35c)
  • Replace bare type assertions in render functions with mustDetails helper (#126) (739bb99)
  • Replace check name string literals with package-level constants (#122) (8fd78ca)
  • Return result struct from Execute() instead of reading globals (#151) (a80080d)
  • Sort default file patterns in GetFilePatterns for deterministic output (#133) (67a2d9f)
  • Split all.go into all_config.go and all_orchestration.go (#109) (e9a53e5)
  • Split pattern-matching helpers into patterns.go (#147) (0a0387b)
  • Unify duplicate defs slices in determineChecks (#114) (69c760d)
  • Unify finding types between secrets and output packages (#149) (c6bd8af)
  • Use t.Cleanup in resetAllGlobals for guaranteed test state cleanup (#156) (4ac3075)
  • Use explicit parameter struct in buildCheckDefs instead of package-level globals (#153) (7ef98be)
  • Use explicit parameters in runX functions instead of package-level globals (#145) (100bcc2)
  • Use named cleanup variable in inlinePolicyToTempFile (#144) (adffbe4)

This PR was generated with Release Please. See documentation.
