v0.1.4 - provenance-aware suppression + Windows unicode fix
Closes the last suppression bypass
The honest-assessment workflow flagged one residual risk in the
`ward-allow-file` directive: an attacker who edits an existing doc
file in a PR could add a directive to silence detection on that file.
This release closes it.
```bash
ward scan-local --suppression-base origin/main
```
With a base ref, Ward only honours directives in files unchanged
since that ref. Any file the current branch or PR touched cannot
suppress detection, so a PR-introduced directive is ignored and the
payload fires. Recommended for CI. Documented in
SECURITY.md and the README.
Fixes a real Windows crash
`_run_git` decoded git output with the Windows locale codepage
(cp1252) instead of UTF-8. Any Cyrillic or emoji commit message would
crash `scan-local` on Windows before Ward ever got to flag it -
i.e. the exact adversarial unicode Ward exists to scan was a
denial-of-service against Ward itself on Windows. Now forces UTF-8
with `errors="replace"`. Regression-tested with a Cyrillic + emoji
commit message.
By the numbers
- 208 tests (up from 206)
- New `--suppression-base` flag, new `changed_files` / `ref_exists`
git helpers, new `trust_suppressions` param on the SDK's
`build_input` - Benchmark unchanged: 75.2% smoke / 53.5% full recall, 0.0% FPR
(this release is hardening, not detection) - mypy strict, ruff clean, CI green on Ubuntu / macOS / Windows x
Python 3.11 / 3.12 / 3.13
Upgrade
```bash
pipx upgrade ward-scanner
```
```yaml
- uses: sonofg0tham/ward@v0.1.4
with:
fail-on: high
```