Nice! Working in a similar space - will be publishing here also soon. How are you handling finding issues beyond pattern matching where deep code understanding is required?
Running security audits on open source repos with a tool we've built and reporting what I find to maintainers. Mostly infrastructure stuff — vector
databases, LLM tooling, secrets managers. Been doing responsible
disclosure and submitting fixes which are all autogenerated. Surprisingly high acceptance rate so far, which is encouraging. Working on automating more
of the test process...
+1 on triage being the real problem. Question, when Semgrep surfaces something ambiguous, lets say a SQL query that looks parameterized but the ORDER BY is built elsewhere, what does reviewing that actually look like? I'm wondering how much context you get before needing to jump out to the codebase.