Skip to content

v0.1.1 - hardening pass

Choose a tag to compare

@Sonofg0tham Sonofg0tham released this 16 Jun 14:56

Adversarial-review hardening pass

An adversarial workflow (12 agents, 1M tokens) found five real
problems with v0.1.0. This release fixes every one.

Credibility

  • Replaced fabricated Trivy attack narrative. v0.1.0 claimed
    Trivy was compromised in March 2026 via a Russian-language prompt
    injection in a commit message. That's wrong - the actual Trivy
    compromise was a PAT theft and tag hijack, no prompt injection, no
    Russian. Rewritten across README, SECURITY, demo, lab, CLI, and
    the multilingual rule pack to cite verified 2026 incidents:
    ambient-code's CLAUDE.md prompt-injection compromise, the Claude
    Code GitHub Action CVE (fixed in 2.1.128), and Snyk's
    Clinejection issue-title attack.

Security fixes

  • Closed the `ward-allow-file` suppression bypass. v0.1.0
    honoured the directive on `code_comment` surfaces, meaning an
    attacker who landed a PR adding a new `.py` with
    `# ward-allow-file: *` at the top could silence every rule for
    that file's content. Now restricted to `file_content` only.
  • Fixed four decode evasions. Lowered base64 gate from 80 to
    24 chars (the canonical attack base64-encodes to 76 chars, slipped
    under the old gate), made decoding recursive with a depth budget,
    added URL / HTML-entity / quoted-printable / URL-safe base64
    decoders.
  • Catch all-confusable-script tokens via a Unicode TR39 fold
    table. `igore` written entirely with Cyrillic and Greek
    lookalikes now folds to `ignore` and fires the standard rule.

Disclosure

  • Known limitations section in SECURITY.md. GCG, AutoDAN,
    Crescendo, payload splitting, ASCII art, Caesar/ROT, Unicode TAG
    block, multimodal, indirect/RAG injection - all listed honestly
    with academic refs.

By the numbers

  • 179 tests (up from 165)
  • 4 new attack fixtures, 1 new clean fixture
  • Self-scan still clean
  • mypy strict, ruff clean, format clean
  • CI green on Ubuntu / macOS / Windows x Python 3.11 / 3.12 / 3.13

Upgrade

```bash
pipx upgrade ward-scanner
```

(PyPI publish is gated behind `vars.PYPI_READY` and remains
unconfigured. Install from source until that switch is flipped.)