These are actually impressive results from using LLMs to perform security scans on an existing codebase. Daniel Stenberg of curl has given the results of this work a thumbs-up: https://mastodon.social/@bagder/115241241075258997
My general summary is as follows:
Multiple AI-native SASTs are already on the market, ready to use today. They work extremely well. They find real vulnerabilities and logic bugs in minutes. They can “think”/“reason” about business logic issues. They can match developer intent with actual code. They aren’t based on static rule-sets and queries. They have low false positive rates. They’re cheap (for now). My results showed that (in order of success) ZeroPath, Corgea, and Almanax are the top three products on the market right now. I did not test DryRun.
These tools look superb.
Tags: ai curl tools llm vulnerabilities chatgpt zeropath corgea almanax dryrun taint-checking code-review code-analysis static-analyzers security