Blog

Insights on application security, static analysis, and building tools that developers actually want to use

5 articles

Latest Article

case studyflaskdead codepythonbenchmarks

Case study: Finding dead code in Flask (69k stars)

We ran Skylos and Vulture on the Flask repository. Skylos found all 7 dead items with 12 false positives. Vulture found 6 but produced 260 false positives. Here's the full breakdown.

2 min read
Read article

More Articles

securitydead code

Dead code isn't just technical debt—it's a security liability

Every line of unused code in your codebase is a potential vulnerability waiting to be exploited. Here's why dead code matters for security teams, and what to do about it.

2 min
Read
engineeringcode-review

Surviving the AI PR Tsunami

AI generates code instantly. Humans review at 10 lines per minute. The math doesn't work anymore. Here is why the 'LGTM' culture is destroying quality and how to automate the 'Verify' step.

2 min
Read
securitysast

AI-generated code is shipping vulnerabilities

LLMs write code fast. The problem? It is not safe. Here is why AI-generated code fails security checks, the most common vulnerability patterns, and how to detect them with SAST and agentic verification.

2 min
Read
securitysast

Why SAST tools drown teams in false positives (and what actually works)

Static Application Security Testing (SAST) is supposed to catch vulnerabilities before they ship. In practice? Most teams end up ignoring it.

1 min
Read