Research, engineering, and honest product thinking from the scanipy team.
Most SAST tools claim determinism. We explain why "same findings" is a much weaker claim than "same SARIF", and why the difference matters when you hand results to an auditor.
How we replaced a classical α-spending function with an e-process that works under unbounded re-evaluation, and why the difference is not academic.
A walkthrough of our closed-world precondition detector and the fallback path for open-world code.
The zip-slip variant that survived a rename, a file-move, and a project restructure, thanks to a slice fingerprint.
A plain-language explainer of the two finding partitions, written for the engineering leader who just got a scanipy report.
α-renaming, PDG-only formatting normalisation, canonical topological sort, and extract/inline summary inlining, each explained with a before/after example.
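The two teasers above (a zip-slip finding that survives a rename and a restructure; α-renaming as one of the normalisation passes) share a single idea: hash a normalised form of the code, not its text. The following is an added illustration, not scanipy's own code, of the α-renaming step alone on Python source: every locally bound name is replaced by a positional placeholder, parsing discards formatting, and the resulting tree is hashed. The sample snippets (`BEFORE`, `AFTER_RENAME`, `FIXED`) are constructed for this example, and the class and function names (`AlphaRenamer`, `normalise`, `fingerprint`) are mine. It does not implement PDG-level normalisation, canonical ordering, or summary inlining.

```python
import ast
import hashlib


class AlphaRenamer(ast.NodeTransformer):
    """Rename every name bound inside the snippet (the function name, its
    parameters, assignment/loop/with targets) to v0, v1, ... in order of
    first appearance. Names never bound locally (builtins such as open,
    imported modules such as os) are left alone, so the normalised tree
    still records which external APIs the code calls."""

    def __init__(self):
        self.mapping = {}

    def _canon(self, name):
        if name not in self.mapping:
            self.mapping[name] = f"v{len(self.mapping)}"
        return self.mapping[name]

    def visit_FunctionDef(self, node):
        node.name = self._canon(node.name)
        for arg in node.args.args:
            arg.arg = self._canon(arg.arg)
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Store):
            node.id = self._canon(node.id)
        elif node.id in self.mapping:
            # A read of a name bound earlier in traversal order. A read that
            # precedes its binding (closures, globals) is deliberately left
            # untouched; a real implementation resolves scopes first.
            node.id = self.mapping[node.id]
        return node


def normalise(src):
    """Parse (which already drops whitespace and comments), alpha-rename,
    and dump the tree without line/column attributes (illustrative helper)."""
    tree = AlphaRenamer().visit(ast.parse(src))
    return ast.dump(tree, annotate_fields=False)


def fingerprint(src):
    """Stable identifier for the normalised snippet (illustrative helper)."""
    return hashlib.sha256(normalise(src).encode()).hexdigest()


# Constructed samples: a zip-slip-style extractor, the same code after a
# rename, and the same code with a containment check added.
BEFORE = '''
def extract(archive, dest):
    for member in archive.namelist():
        target = os.path.join(dest, member)
        with open(target, "wb") as out:
            out.write(archive.read(member))
'''

AFTER_RENAME = '''
def unpack_all(zf, out_dir):
    for entry in zf.namelist():
        path = os.path.join(out_dir, entry)
        with open(path, "wb") as fh:
            fh.write(zf.read(entry))
'''

FIXED = '''
def extract(archive, dest):
    for member in archive.namelist():
        target = os.path.join(dest, member)
        if not os.path.realpath(target).startswith(os.path.realpath(dest) + os.sep):
            raise ValueError("path traversal")
        with open(target, "wb") as out:
            out.write(archive.read(member))
'''

if __name__ == "__main__":
    print(ast.unparse(AlphaRenamer().visit(ast.parse(AFTER_RENAME))))
    print("rename keeps fingerprint:", fingerprint(BEFORE) == fingerprint(AFTER_RENAME))
    print("fix changes fingerprint: ", fingerprint(BEFORE) != fingerprint(FIXED))
```

Two properties matter here. The rename and the move of the function to another file (the file path is not part of the hash) keep the fingerprint, so the finding is not re-raised as new; the added `realpath` check changes the tree, so the finding is correctly treated as a different slice. Reordering independent statements would still change this naive hash, which is the gap a canonical topological sort closes.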
How we built the SCM connector abstraction and why the conformance test suite had to come before the connectors.
Why SSRF is harder to detect than path traversal, and the IFDS spec changes that make it tractable.
Every claim in our architecture is tagged proven, empirical, staged, or not-claimed. Here is how to read it.
Parse success rate, call-edge precision/recall, PDG dependence-edge recall: the three numbers that gate a language into the Algorithm 2 benchmark.
No newsletter cadence, no growth hacking. We write when we have something to say.