Comment by the_harpia_io
21 days ago
The Trivy + Grype combo is interesting - in my experience they catch different things, especially on container scanning vs dependencies. You see them disagree much on severity?
Re: the vibe coding angle - the thing I keep running into is that standard scanners are tuned for human-written code patterns. Claude code is structurally different. More verbose, weirdly sparse on the explicit error handling that would normally trigger SAST rules. Auth code especially - it looks textbook correct and passes static analysis fine, but edge cases are where it falls apart. Token validation that works great except for malformed inputs, auth checks that miss specific header combinations, that kind of thing.
The policy engine sounds flexible enough that people could add custom rules for AI-specific patterns? That'd be the killer feature tbh.
I am totally thinking about adding this so you can connect to an API or use self hosted models that run in a container if you have the resources!!!! You are spot on.
makes sense - if folks can bring their own model, they can fine-tune detection for whatever code patterns matter to them. the auth edge cases I mentioned (malformed token handling, middleware ordering) would be way easier to catch with a model trained on actual vulnerable examples than trying to write regex rules for every variant.