> TheAuditor / blog
release, 5.0.0, provenance

TheAuditor 5.0.0: a finding you can pin to a commit

Version 5.0.0 turns TheAuditor into a release line you can trust. Every build stamps the exact commit and build time it came from, the analysis ships as a sealed, encrypted artifact, and the same adversarial scans run against the binary before it leaves the door.

A security tool’s findings are only as trustworthy as the build that produced them. If you can’t say exactly which version of the analyzer flagged a thing, and prove it later, your audit trail has a hole in the middle of it.

TheAuditor 5.0.0 closes that hole. This is the release that turns a fast-moving engine into something you can pin down.

Every build knows where it came from

aud --version now reports more than a number: it carries the exact commit and the build timestamp baked into the binary. A finding from last Tuesday can be traced to the precise build that produced it, and a build can be traced back to the source it was cut from. There’s no ambiguity about which version saw a given finding. The artifact answers for itself.

That’s backed by a real release line: versioned releases with a changelog contract, so the jump from one version to the next is a documented event, not a surprise.

Sealed, not assembled on your machine

The analysis ships as a compiled binary carrying its encrypted analysis database as a single sealed artifact. You run the tool; you don’t assemble it. And before any release leaves the door, the same adversarial scans we point at other people’s code get pointed at our own shipped artifact. A tool that finds problems should survive being audited by itself.

The proof stays loud

5.0.0 carries the results that matter forward: clean sweeps of the OWASP Java and Python benchmark corpora and the Juice Shop Node.js corpus, with true positives caught and false positives at the floor. We don’t ask you to take coverage on faith; the independent yardstick exists precisely so nobody has to.

Where it stands

5.0.0 is the pre-launch release line. The engine is packaged and being run through its final adversarial pass against the shipping artifact. It’s the foundation the rest of the stack queries: Warden acts on its facts, Arbiter orchestrates the work, Curator remembers the context, and BenchProctor keeps everyone honest. Follow the RSS feed.

Was this useful?