v0.1.3 — fewer false positives
Patch release — accuracy/false-positive reduction, driven by real-world testing on a Flask/Supabase backend (which had returned 4 findings, all false positives).
Fixed
- secrets: placeholder/prose values no longer flagged for freeform patterns (e.g.
password="(sent to user email)",api_key="<your key>"). Strict provider-format keys (AWS/GitHub/Stripe) are unaffected. - headers / CSRF: now a single project-level finding, and only when cookie/session/form auth is present — token/Bearer JSON APIs are no longer falsely flagged.
- headers: snippet comment style matches the file language (
#for Python). - reporter: fixed stale
tejaswirajgit→Varpostlink in the report footer. - docs: website documents the
--format markdown|ai-prompt|jsonoutput layers; fixed links and version. (#13)
Real-world false-positive input now yields 0 findings; real secrets + genuine session apps still detected. 29 tests, ruff + mypy clean.
git checkout v0.1.3 to restore this state.
Full changelog: v0.1.2...v0.1.3