Scanipy is a small team building the first static analysis tool engineers stop arguing with.
Every team we'd ever worked on had the same security-scanner story. A tool ships a thousand findings. The team triages a hundred. Half of them disappear next quarter when the vendor “improves the rules.” A new release introduces a hundred new alerts on code nobody touched. The auditor asks how a finding was derived; the team shrugs.
We were the team. We got tired of it.
Scanipy began as a CLI in 2023: a Python wrapper that drove Semgrep and CodeQL with a single config and a stricter result schema. By the time it had found CVE-2025-61765 in the wild, it had become something else: an architecture for static analysis as a reproducible, attestable function of source code. Same code in, same findings out. Every time, every commit, every team.
We're a remote team. We write our own results. And we charge for the attestor, not for the analysis.
A clever finding you can't reproduce is a liability. We'd rather ship a slightly smaller catalogue with a theorem than a giant one with a shrug.
Every finding declares what it can defend. We never tag a result with a guarantee it hasn't earned.
Language models triage and propose specs. They never delete a finding, never sit on the detection path. Determinism is non-negotiable.
A finding without a path through your code is a guess. Every taint-style result ships with the exact trace that produced it.
Compliance shouldn't be a fight. The provenance record is signed, machine-checkable, and complete enough to verify a finding without re-running the scan.
Everything we ship can be re-derived. Everything we charge for is at the edges: compliance, attestation, scale. Never the core.
We hire for taste, rigour, and the willingness to say “we don't know” out loud.