chore(main): release 0.6.0#154

Open
release-please[bot] wants to merge 1 commit into main from release-please--branches--main

Conversation

release-please[bot] commented Apr 1, 2026

🤖 I have created a release beep boop

0.6.0 (2026-04-01)

Features

  • add folder to contain artifacts (e03b2c6)
  • Add basic poc command functionality to the MCP server (2f533fd)
  • add folder to contain security artifacts (2fe3588)
  • add poc skill (461a9c0)
  • Add preamble to security scan to make confirms user's decision to use command or manual security auditing (67658d5)
  • Add privacy specific taxonomy (#84) (46b3eb0)
  • add tooling for defining the audit scope (1730bbb)
  • GHA workflows: Add run-gemini-cli GHA workflows to repo PR's (facc88b)
  • GitHub Action: Add /security:github-pr command for use with run-gemini-cli GitHub Action (59db0ad)
  • implement security patching as a gemini CLI Skill and tool combo (985037a)
  • migrate initial template (6e71cc4)
  • migrate initial template (7c5d56e)
  • output security reports as JSON when requested (#138) (83406c2)
  • release: include skills directory in release assets (#153) (153719a)
  • Support basic Python and Go PoCs to be generated by the PoC command (ce973f0)
  • Support JSON output codeSuggestions Field [wip] (#139) (d005c90)
  • Use problem statements in the PoC function to allow for more flexible usage (a0449d3)

Bug Fixes

  • Add baseline and post patch test suite verification to security_patcher, add Go and Java checks to dependency manager (754b3c4)
  • add experimental tag and securiy prefix to poc prompt (d52c8ca)
  • add file creation to run_poc to allow for all encompassing post patch verification runs (56961de)
  • add language that suggests to skip if note doesnt exist (e0f60ea)
  • add license header to poc test file (6bc9bf9)
  • Add License to security fix tests, remove old npm dependency function (a60faff)
  • Add source code location as parmater to our PoC command (it increases success rate and decreases token usage) (07a1e07)
  • Adjust language in skill description to guarantee it's run on user patch intent (2cd7961)
  • change errro message to empty string in diff fail (18ecd79)
  • Diff issues were due to non remote repositories, support local changes by defulating to (53a52c6)
  • finialzie merge into main (bd6d4e5)
  • fix command injection in install_depenencies tool (5988662)
  • folder location wording in gemini .md (da3ef99)
  • folder location wording in gemini .md (32ad411)
  • GHA: Gemini-review MCP calls and prompt changes (6d2d20f)
  • GHA: Gemini-review MCP calls and prompt changes (ad93687)
  • GHA: Update github-mcp-server calls (2c1e176)
  • make prompt less error prone by enforcing directory (0ea0b48)
  • merge into main (8cbfd3c)
  • mitigate injection vulnerability in new poc tool (ec2d768)
  • Move PoC tooling to tools directory, imported into index file (437097d)
  • move selective action prompting to top of gemini md (7ecd59d)
  • move whitelist directory to .gemini_security (bac4ab6)
  • nit white space and revert deletion prompt to only affect temp files (9d64b30)
  • package lock jsons (7c393ca)
  • phrasing and whitespace (4fb13d6)
  • re-add removals caused by llm hallucinations (7827e93)
  • Refactor security-fix tool to security-patch, add entry point for analysis in patcher skill (cf11259)
  • Rehaul PoC to be tools focused to save on tokens/turns (3f958b8)
  • remove additional test causing gemini cli to try to run a command (2caa615)
  • remove conflicting gemini md wording from unmerged file (6b8fe2b)
  • remove irrelevant changes to prompt from this PR (102d64c)
  • remove mentions of unused security notes folder from gemini md (1723ce8)
  • remove merge remnants (1c87790)
  • remove redundant parameter validation, clean up /poc prompting (682488d)
  • suggest user to run commands themselves, since gemini cli cannot correctly run it's own commands. (caafd73)
  • suggest user to run commands themselves, since gemini cli cannot… (96f84f9)
  • Update description of audit tool, small fixes (959ae50)
  • update run_poc signature to take in a file path instead of source code to run. (847ec4c)
  • use to store line number mappings in the MCP server (#91) (909c901)
  • Use a command available on all platforms to generate a file diff (21fc350)
  • Use a command available on all platforms to generate a file diff (f1fca9b)
  • use isolated-vm library to isolate generated code (7e5ea18)
  • Use security report at contingency in executing patch flow (58e6929)
  • When multiple vulns are present, user chooses which one to build a PoC against (9a72400)
  • whitespace at end fo file (4257532)

This PR was generated with Release Please. See documentation.

github-actions bot commented Apr 1, 2026

🤖 Hi @release-please[bot], I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

github-actions bot left a review comment

📋 Review Summary

This pull request updates the version of the gemini-cli-security extension to 0.6.0. The changes are mainly in the CHANGELOG.md, which includes a long list of new features and bug fixes. The overall quality of the pull request is good.

🔍 General Feedback

  • The CHANGELOG.md contains many commit messages with typos and grammatical errors. I have added several comments to suggest improvements for better readability. It would be beneficial to have a more consistent and cleaner commit message style in the future.


* add folder to contain artifacts ([e03b2c6](https://github.com/gemini-cli-extensions/security/commit/e03b2c60d7b0ca3256533125175f43c9758236ce))
* Add basic poc command functionality to the MCP server ([2f533fd](https://github.com/gemini-cli-extensions/security/commit/2f533fdb65368aa64219bd772d0228f73b544c36))
* add folder to contain security artifacts ([2fe3588](https://github.com/gemini-cli-extensions/security/commit/2fe35888d5cff981c88ef31fae3daf39c6a695ef))

🟡 There seems to be a duplicate and a typo in the commit messages. "add folder" has an extra space, and it seems to have the same meaning as "add folder to contain security artifacts". Consider cleaning up the commit messages for better readability.

* Add basic poc command functionality to the MCP server ([2f533fd](https://github.com/gemini-cli-extensions/security/commit/2f533fdb65368aa64219bd772d0228f73b544c36))
* add folder to contain security artifacts ([2fe3588](https://github.com/gemini-cli-extensions/security/commit/2fe35888d5cff981c88ef31fae3daf39c6a695ef))
* add poc skill ([461a9c0](https://github.com/gemini-cli-extensions/security/commit/461a9c0370cf2aa224f246ac88cfe8bc1566ec18))
* Add preamble to security scan to make confirms user's decision to use command or manual security auditing ([67658d5](https://github.com/gemini-cli-extensions/security/commit/67658d587472be8283bc5aa00864429786bd1500))

🟡 The commit message has a grammatical error. "make confirms" should probably be "to confirm".

Suggested change
* Add preamble to security scan to make confirms user's decision to use command or manual security auditing ([67658d5](https://github.com/gemini-cli-extensions/security/commit/67658d587472be8283bc5aa00864429786bd1500))
* Add preamble to security scan to confirm user's decision to use command or manual security auditing ([67658d5](https://github.com/gemini-cli-extensions/security/commit/67658d587472be8283bc5aa00864429786bd1500))

* add file creation to run_poc to allow for all encompassing post patch verification runs ([56961de](https://github.com/gemini-cli-extensions/security/commit/56961de9ccfb5ebd84de1e580d514b9f7c651a60))
* add language that suggests to skip if note doesnt exist ([e0f60ea](https://github.com/gemini-cli-extensions/security/commit/e0f60ea96da86bf12f272c7c7b3f5c75b1bec113))
* add license header to poc test file ([6bc9bf9](https://github.com/gemini-cli-extensions/security/commit/6bc9bf9a327a5957d870c75acc4e1f998338a89e))
* Add License to security fix tests, remove old npm dependency function ([a60faff](https://github.com/gemini-cli-extensions/security/commit/a60faff2cbfe3095825d4cd2149723058196aee2))

🟡 There are a couple of typos in this commit message. "securiy" should be "security" and "poc" should be "PoC" for consistency.

Suggested change
* Add License to security fix tests, remove old npm dependency function ([a60faff](https://github.com/gemini-cli-extensions/security/commit/a60faff2cbfe3095825d4cd2149723058196aee2))
* add experimental tag and security prefix to PoC prompt ([d52c8ca](https://github.com/gemini-cli-extensions/security/commit/d52c8cac0a4bea20b15c3fc1f3f6b622c08dae0b))
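
Review bot: this suggestion is anchored on the wrong line. The old side is the a60faff entry (Add License to security fix tests, remove old npm dependency function) while the new side is the corrected d52c8ca entry, so applying it would delete the a60faff entry and leave the original `add experimental tag and securiy prefix to poc prompt` line untouched next to a duplicate. Re-anchor the suggestion on the d52c8ca line itself.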

* change errro message to empty string in diff fail ([18ecd79](https://github.com/gemini-cli-extensions/security/commit/18ecd79bbd90b96765671fe2ea5c21b356143bf2))
* Diff issues were due to non remote repositories, support local changes by defulating to ([53a52c6](https://github.com/gemini-cli-extensions/security/commit/53a52c650c07575a18840b5b357eb80d8941c304))
* finialzie merge into main ([bd6d4e5](https://github.com/gemini-cli-extensions/security/commit/bd6d4e52473aadcd1b6e14c136cfb3ef950b8e18))
* fix command injection in install_depenencies tool ([5988662](https://github.com/gemini-cli-extensions/security/commit/5988662b329015cfdaa19f7a8c9369bf22a3e50e))

🟡 There's a typo in the commit message. "parmater" should be "parameter".

Suggested change
* fix command injection in install_depenencies tool ([5988662](https://github.com/gemini-cli-extensions/security/commit/5988662b329015cfdaa19f7a8c9369bf22a3e50e))
* Add source code location as parameter to our PoC command (it increases success rate and decreases token usage) ([07a1e07](https://github.com/gemini-cli-extensions/security/commit/07a1e07e215b592f261e6d58b6b98a9e8bf86c31))
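
Review bot: the old side of this suggestion is the 5988662 entry (fix command injection in install_depenencies tool), which it would replace with the corrected 07a1e07 line; the original 07a1e07 entry would stay as is and the command-injection fix would vanish from the changelog. Apply the `parmater` to `parameter` fix on the 07a1e07 line instead.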

* folder location wording in gemini .md ([da3ef99](https://github.com/gemini-cli-extensions/security/commit/da3ef9906ad11efd20af574fe12967e36064dffa))
* folder location wording in gemini .md ([32ad411](https://github.com/gemini-cli-extensions/security/commit/32ad411db1f7bb1a6fe3d0a756f982dafbdae6a0))
* **GHA:** Gemini-review MCP calls and prompt changes ([6d2d20f](https://github.com/gemini-cli-extensions/security/commit/6d2d20f070e034a90fdb7b6369b600f71d539430))
* **GHA:** Gemini-review MCP calls and prompt changes ([ad93687](https://github.com/gemini-cli-extensions/security/commit/ad936878615d772cf00e17eb9e24d2c813e37a61))

🟡 There's a typo in the commit message. "defulating" should be "defaulting".

Suggested change
* **GHA:** Gemini-review MCP calls and prompt changes ([ad93687](https://github.com/gemini-cli-extensions/security/commit/ad936878615d772cf00e17eb9e24d2c813e37a61))
* Diff issues were due to non remote repositories, support local changes by defaulting to ([53a52c6](https://github.com/gemini-cli-extensions/security/commit/53a52c650c07575a18840b5b357eb80d8941c304))
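
Review bot: the old side here is the ad93687 GHA entry and the new side is the 53a52c6 entry, so applying the suggestion would drop the GHA entry and duplicate 53a52c6; anchor it on the 53a52c6 line. Separately, that message ends mid-sentence (`support local changes by defulating to`), which the spelling fix does not address.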

* folder location wording in gemini .md ([32ad411](https://github.com/gemini-cli-extensions/security/commit/32ad411db1f7bb1a6fe3d0a756f982dafbdae6a0))
* **GHA:** Gemini-review MCP calls and prompt changes ([6d2d20f](https://github.com/gemini-cli-extensions/security/commit/6d2d20f070e034a90fdb7b6369b600f71d539430))
* **GHA:** Gemini-review MCP calls and prompt changes ([ad93687](https://github.com/gemini-cli-extensions/security/commit/ad936878615d772cf00e17eb9e24d2c813e37a61))
* **GHA:** Update github-mcp-server calls ([2c1e176](https://github.com/gemini-cli-extensions/security/commit/2c1e176bebee987e6beba630b7d1409a14f4f76f))

🟡 There's a typo in the commit message. "finialzie" should be "finalize".

Suggested change
* **GHA:** Update github-mcp-server calls ([2c1e176](https://github.com/gemini-cli-extensions/security/commit/2c1e176bebee987e6beba630b7d1409a14f4f76f))
* finalize merge into main ([bd6d4e5](https://github.com/gemini-cli-extensions/security/commit/bd6d4e52473aadcd1b6e14c136cfb3ef950b8e18))
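
Review bot: the old side is the 2c1e176 entry (Update github-mcp-server calls) and the new side is the bd6d4e5 entry; applying this as is removes the GHA entry and duplicates bd6d4e5. Anchor the `finalize` fix on the bd6d4e5 line.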

* **GHA:** Gemini-review MCP calls and prompt changes ([6d2d20f](https://github.com/gemini-cli-extensions/security/commit/6d2d20f070e034a90fdb7b6369b600f71d539430))
* **GHA:** Gemini-review MCP calls and prompt changes ([ad93687](https://github.com/gemini-cli-extensions/security/commit/ad936878615d772cf00e17eb9e24d2c813e37a61))
* **GHA:** Update github-mcp-server calls ([2c1e176](https://github.com/gemini-cli-extensions/security/commit/2c1e176bebee987e6beba630b7d1409a14f4f76f))
* make prompt less error prone by enforcing directory ([0ea0b48](https://github.com/gemini-cli-extensions/security/commit/0ea0b48f9d95dd2a9af977928824dac7141a46e8))

🟡 There's a typo in the commit message. "install_depenencies" should be "install_dependencies".

Suggested change
* make prompt less error prone by enforcing directory ([0ea0b48](https://github.com/gemini-cli-extensions/security/commit/0ea0b48f9d95dd2a9af977928824dac7141a46e8))
* fix command injection in install_dependencies tool ([5988662](https://github.com/gemini-cli-extensions/security/commit/5988662b329015cfdaa19f7a8c9369bf22a3e50e))
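
Review bot: the old side is the 0ea0b48 entry (make prompt less error prone by enforcing directory) and the new side is the corrected 5988662 entry; applying this removes the 0ea0b48 entry and leaves two 5988662 entries, the original still carrying `install_depenencies`. Anchor the suggestion on the 5988662 line.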

github-actions bot left a review comment

📋 Security Analysis Summary

No vulnerabilities were found in this pull request. The changes primarily consist of documentation, configuration, and dependency updates, with no modifications to the core application logic.

🔍 General Feedback

  • The changes in this pull request are low-risk from a security perspective.
  • It's good practice to keep dependencies and configurations up-to-date.
