Skip to content

v0.1.3 — fewer false positives

Choose a tag to compare

@tejaswirajgit tejaswirajgit released this 15 Jun 14:57
1880e5c

Patch release — accuracy/false-positive reduction, driven by real-world testing on a Flask/Supabase backend (which had returned 4 findings, all false positives).

Fixed

  • secrets: placeholder/prose values no longer flagged for freeform patterns (e.g. password="(sent to user email)", api_key="<your key>"). Strict provider-format keys (AWS/GitHub/Stripe) are unaffected.
  • headers / CSRF: now a single project-level finding, and only when cookie/session/form auth is present — token/Bearer JSON APIs are no longer falsely flagged.
  • headers: snippet comment style matches the file language (# for Python).
  • reporter: fixed stale tejaswirajgitVarpost link in the report footer.
  • docs: website documents the --format markdown|ai-prompt|json output layers; fixed links and version. (#13)

Real-world false-positive input now yields 0 findings; real secrets + genuine session apps still detected. 29 tests, ruff + mypy clean.

git checkout v0.1.3 to restore this state.

Full changelog: v0.1.2...v0.1.3