benchmark

detection rates on a curated vulnerability corpus.
90% true positive rate
18/20 patterns detected
0 harmful false positives
methodology
20-pattern curated js/node vulnerability corpus. each file targets one specific vulnerability class. severity gates validated separately: the corpus scores 0/100 grade F because it contains critical findings.
missed patterns
SEC-008: supabase service_role pattern mismatch (caught under SB-004)
AUTH-001: unprotected route detection (requires AST, beyond regex scope)
limitations
regex-based pattern matching, not AST or control flow analysis. catches specific high-signal vulnerability patterns. does not claim general-purpose SAST coverage. js/ts only in v1.
view benchmark corpus on github →
Crest Deployment Systems LLC