Nice! Working in a similar space - will be publishing here also soon. How are you handling finding issues beyond pattern matching where deep code understanding is required?
Running security audits on open source repos with a tool we've built and reporting what I find to maintainers. Mostly infrastructure stuff — vector databases, LLM tooling, secrets managers. Been doing responsible…
Semgrep's a solid choice for this. The stuff you're catching - secrets, SQLi, weak hashing- is where pattern matching shines. The tricky part with LLM-generated code is when it's syntactically fine but semantically…
+1 on triage being the real problem. Question, when Semgrep surfaces something ambiguous, lets say a SQL query that looks parameterized but the ORDER BY is built elsewhere, what does reviewing that actually look like?…
Nice! Working in a similar space - will be publishing here also soon. How are you handling finding issues beyond pattern matching where deep code understanding is required?
Running security audits on open source repos with a tool we've built and reporting what I find to maintainers. Mostly infrastructure stuff — vector databases, LLM tooling, secrets managers. Been doing responsible…
Semgrep's a solid choice for this. The stuff you're catching - secrets, SQLi, weak hashing- is where pattern matching shines. The tricky part with LLM-generated code is when it's syntactically fine but semantically…
+1 on triage being the real problem. Question, when Semgrep surfaces something ambiguous, lets say a SQL query that looks parameterized but the ORDER BY is built elsewhere, what does reviewing that actually look like?…