Ward starts with real-CVE-tested static analysis and carries findings forward into traces, provenance, and reviewable evidence. It is being built for private codebases that need more than a scanner dashboard.
We ran Ward and the tools teams most commonly rely on over the same corpus of 2,068 entries grounded in historical CVEs across five ecosystems. A tool only gets credit when it flags the vulnerable code targeted by the patch and that finding disappears on the fix commit. That tells you the scanner is real. It is not the whole product story.
Paired scoring: a finding is “real” only if present on the vulnerable commit, localized to the code the patch fixed, and absent on the fix commit. CodeQL is shown as withheld pending validation: the stricter full-corpus rerun currently runs for more than 24 hours and has not completed cleanly enough to publish a reproducible headline number.
Ward is being built as security review infrastructure, not a flat alert stream. The scanner is the first layer; the longer arc is evidence-backed investigation with witness bundles, provenance, and config-aware risk classification.
A Ward finding can carry more than a rule match: a cross-file trace, reproducible evidence where a proof lane exists, a reviewable bundle state, and the provenance needed to explain why the system believes the issue is real.
The scanner remains the base layer. On top of it, Ward is adding an investigation workflow that can carry forward traces, repro artifacts, provenance, and evidence grades instead of ending at an alert list.
Reasons across files to surface vulnerable flows that single-file pattern matching often misses.
For supported lanes, Ward can carry a candidate forward into repro artifacts, provenance, and review state.
Ward is adding product-level distinctions between bugs that are unsafe by default, risks that require an opt-in configuration, and findings that still need analyst judgment.
The benchmark matters. So do its limits. Here’s what we count, what we compare, and where the current pre-release claims stop.
For each CVE we have a repo and two SHAs: vuln_sha (the commit the CVE was filed against) and fix_sha (the merge that closed it). We run the scanner on both and call the finding “real” only if it fires on vuln_sha at a location whose scope includes the code the patch fixed, and does not fire on fix_sha. Any other pattern is not credited. Raw alert counts across scanners aren’t comparable; paired scoring is.
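The paired-scoring rule described above, written out as a small scorer. This is an added illustration, not Ward's harness or any of its code; the data classes, the overlap test, and the sample entry are all constructed here, and it assumes a finding is matched across the two commits by (rule, path) since line numbers shift after a patch.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Finding:
    rule: str    # scanner rule id
    path: str    # file the alert points at
    start: int   # first line of the alert's scope (e.g. the enclosing function)
    end: int     # last line of that scope

@dataclass(frozen=True)
class Hunk:
    path: str    # file touched by the fix
    start: int   # first vulnerable-side line the patch changed
    end: int     # last vulnerable-side line the patch changed

def localized(f: Finding, hunks: Iterable[Hunk]) -> bool:
    """True if the alert's scope overlaps at least one line the patch changed."""
    return any(f.path == h.path and f.start <= h.end and h.start <= f.end for h in hunks)

def score_entry(vuln_findings, fix_findings, hunks):
    """Paired scoring for one CVE entry: a finding is credited only if it fires on
    vuln_sha, is localized to the patched code, and is gone on fix_sha.
    Assumption (ours): a finding is the 'same' across commits when (rule, path) match."""
    on_fix = {(f.rule, f.path) for f in fix_findings}
    buckets = {"credited": [], "persists_on_fix": [], "not_localized": []}
    for f in vuln_findings:
        if not localized(f, hunks):
            buckets["not_localized"].append(f)    # alert elsewhere in the repo: no credit
        elif (f.rule, f.path) in on_fix:
            buckets["persists_on_fix"].append(f)  # still fires after the fix: not this bug
        else:
            buckets["credited"].append(f)
    return {"entry_credited": bool(buckets["credited"]), **buckets}

# Constructed sample entry (not a real CVE): the patch touched lines 40-52 of src/upload.py.
SAMPLE_HUNKS = [Hunk("src/upload.py", 40, 52)]
SAMPLE_VULN = [
    Finding("path-traversal", "src/upload.py", 35, 60),    # overlaps patch, gone on fix
    Finding("hardcoded-secret", "src/upload.py", 45, 45),  # overlaps patch, survives the fix
    Finding("sql-injection", "src/db.py", 100, 120),       # unrelated to the patch
]
SAMPLE_FIX = [Finding("hardcoded-secret", "src/upload.py", 47, 47)]

if __name__ == "__main__":
    result = score_entry(SAMPLE_VULN, SAMPLE_FIX, SAMPLE_HUNKS)
    print("entry credited:", result["entry_credited"])
    for bucket in ("credited", "persists_on_fix", "not_localized"):
        print(bucket, [f.rule for f in result[bucket]])
```

Only the path-traversal alert earns credit; the secret that still fires on fix_sha and the unrelated SQL alert are exactly the raw-count noise the paragraph says paired scoring removes.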
No. Static analysis is the entry point, not the whole story. Ward is being built as evidence-backed security review infrastructure: scanner findings, witness bundles, provenance, and reviewable investigation state. The scanner is farther along than the investigation layer today.
The current comparison includes Semgrep. CodeQL is being rerun under a stricter full-corpus setup, but those runs currently take more than 24 hours and have not completed cleanly enough for us to publish a reproducible headline number. We’ll publish the exact versions, configurations, and harness details alongside the benchmark methodology.
We intend to publish the methodology, scoring harness, benchmark dates, and pinned tool configurations. We have not finalized what portion of the corpus itself will be public.
Ward is pre-release and in active development. There’s no public install today. If you want to be notified when there is, leave your email below.