Tools & Scanners

Certifai uses a combination of open-source scanners and AI-powered analysis to provide comprehensive security coverage. This page describes each tool and how it contributes to the scan pipeline.

Semgrep -- Static Analysis (SAST)

Semgrep is an open-source static analysis tool that finds vulnerabilities by matching patterns in source code. It supports many languages and has an extensive rule library.

Certifai runs Semgrep with rules covering:

  • OWASP Top 10 -- injection, broken authentication, XSS, insecure deserialization, and more
  • General security -- insecure cryptography, hardcoded credentials, path traversal
  • Language-specific -- patterns unique to Python, JavaScript, TypeScript, Rust, Go, Java, and others

Semgrep produces SAST-type findings with file paths, line numbers, and rule descriptions.

Syft -- SBOM Generation

Syft is an open-source tool for generating Software Bills of Materials. It scans your repository, identifies every dependency, and records for each one:

  • Package name and version
  • Package manager (npm, cargo, pip, go, maven, nuget, composer, gem)
  • License information

Syft output feeds into both the SBOM feature and the vulnerability scanning pipeline.

Grype -- Vulnerability Scanning

Grype is an open-source vulnerability scanner that matches your dependencies against known vulnerability databases. It takes Syft's SBOM output and cross-references it against:

  • National Vulnerability Database (NVD)
  • GitHub Advisory Database
  • OS-specific advisory databases

Grype produces SBOM-type findings with CVE identifiers, severity ratings, and links to advisories.
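
The Syft-to-Grype hand-off described above, as an added illustration that is not Syft's, Grype's or Certifai's own code: a CycloneDX-style component list is cross-referenced against an advisory table and each match becomes an SBOM-type finding with an identifier, severity and advisory link. The SBOM fragment, the advisory table, the package names and the `ADV-EXAMPLE-*` identifiers and URLs are all constructed for this example; the version comparison is a plain dotted-integer compare, whereas a real matcher uses ecosystem-aware version semantics.

```python
"""Toy SBOM-to-advisory matcher (added example, not Grype's implementation)."""
import json

# Constructed CycloneDX-like SBOM fragment, in the shape Syft emits.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "acme-widgets", "version": "1.4.2",
         "purl": "pkg:npm/acme-widgets@1.4.2"},
        {"name": "acme-auth", "version": "0.9.1",
         "purl": "pkg:pypi/acme-auth@0.9.1"},
        {"name": "acme-logger", "version": "2.14.1",
         "purl": "pkg:maven/com.example/acme-logger@2.14.1"},
    ],
})

# Constructed advisory table keyed by (ecosystem, package name).
# Identifiers and URLs are placeholders, not real advisories.
ADVISORIES = {
    ("npm", "acme-widgets"): [
        {"id": "ADV-EXAMPLE-0001", "severity": "High", "fixed_in": "1.4.9",
         "url": "https://advisories.example.invalid/0001"},
    ],
    ("maven", "acme-logger"): [
        {"id": "ADV-EXAMPLE-0002", "severity": "Critical", "fixed_in": "2.17.1",
         "url": "https://advisories.example.invalid/0002"},
    ],
}


def parse_version(version):
    """Split a dotted version into an integer tuple so tuples compare
    numerically (1.4.9 > 1.4.10 would be wrong as strings)."""
    return tuple(int(part) for part in version.split("."))


def ecosystem_from_purl(purl):
    """'pkg:npm/acme-widgets@1.4.2' -> 'npm' (the package-URL type field)."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def match_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose installed
    version is below the advisory's fixed version."""
    findings = []
    for component in json.loads(sbom_json)["components"]:
        key = (ecosystem_from_purl(component["purl"]), component["name"])
        for advisory in advisories.get(key, []):
            if parse_version(component["version"]) < parse_version(advisory["fixed_in"]):
                findings.append({
                    "type": "SBOM",
                    "package": component["purl"],
                    "id": advisory["id"],
                    "severity": advisory["severity"],
                    "fixed_in": advisory["fixed_in"],
                    "url": advisory["url"],
                })
    return findings


if __name__ == "__main__":
    for finding in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{finding['severity']:<8} {finding['id']} {finding['package']} "
              f"(fixed in {finding['fixed_in']}) {finding['url']}")
```

Running the block reports two findings: the npm and maven components are below their fixed versions, while `acme-auth` has no advisory and produces nothing.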

Custom OAuth Scanner

A purpose-built scanner that detects OAuth and OIDC misconfigurations in your code, including:

  • Missing state parameter validation
  • Insecure token storage
  • Incorrect redirect URI handling
  • Missing PKCE implementation
  • Token exposure in logs or URLs
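
Two of the checks listed above, state parameter validation and PKCE, shown as an added example of what a compliant client looks like next to the pattern the scanner flags. This is not Certifai's scanner code or rule set; the `session` dict, the handler names, the `https://idp.example` and `https://app.example` URLs and the use of a plain dict as session storage are assumptions for the example.

```python
"""Authorization-code client helpers: state validation and PKCE (S256).
Added example; handler names and session storage are assumptions."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for PKCE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def begin_login(session: dict, authorize_url: str, client_id: str, redirect_uri: str) -> str:
    """Store a fresh state and PKCE verifier in the session, then build the
    authorization request. The verifier stays server-side; only the S256
    challenge leaves in the URL."""
    state = secrets.token_urlsafe(32)
    verifier = b64url(secrets.token_bytes(32))            # 43-char code_verifier
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_url}?{urlencode(params)}"


def handle_callback_vulnerable(session: dict, callback_url: str) -> dict:
    """The shape the scanner flags as 'missing state parameter validation':
    the code is accepted without checking that the response belongs to a
    login this session started, so a forged callback is accepted too."""
    query = parse_qs(urlparse(callback_url).query)
    return {"code": query["code"][0]}


def handle_callback(session: dict, callback_url: str) -> dict:
    """Hardened form: reject the response unless state matches the stored
    value (constant-time compare), consume the state so it cannot be
    replayed, and hand the PKCE verifier on for the token request."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    presented = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
        raise ValueError("state mismatch: rejecting authorization response")
    if "code" not in query:
        raise ValueError("authorization response carries no code")
    verifier = session.pop("pkce_verifier", None)
    if verifier is None:
        raise ValueError("no PKCE verifier for this session")
    return {"code": query["code"][0], "code_verifier": verifier}


if __name__ == "__main__":
    session = {}
    print(begin_login(session, "https://idp.example/authorize", "client-1",
                      "https://app.example/cb"))
    callback = f"https://app.example/cb?code=abc&state={session['oauth_state']}"
    print(handle_callback(session, callback))
```

Note that the hardened handler pops the state out of the session before comparing, so a second callback with the same state fails even if the first one succeeded; that one-time-use property is what makes the state parameter a CSRF defence rather than just a correlation value.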

Custom GDPR Scanner

A scanner focused on data protection compliance, detecting:

  • Personal data handling without consent checks
  • Missing data retention policies
  • Unencrypted PII storage
  • Cross-border data transfer issues

Custom Secrets Scanner

Detects hardcoded secrets and credentials in source code:

  • API keys and tokens
  • Database connection strings with embedded passwords
  • Private keys and certificates
  • Cloud provider credentials (AWS, GCP, Azure)
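
The kind of detection logic a secrets scanner runs, as an added example that is not Certifai's scanner or its rule set, applied to a handful of constructed source lines. The AWS access key prefix and the PEM header are public formats (the AWS value used is the one from AWS's own documentation), the other patterns are generic shapes chosen for the example, and the entropy threshold is an assumption that lets the scanner skip obvious placeholders while still catching random-looking values.

```python
"""Toy secrets detector (added example; patterns and threshold are illustrative)."""
import math
import re
from collections import Counter

# (rule name, compiled pattern). Group 1 of generic_api_key is the value itself.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("db_url_with_password",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:/\s]+:[^@\s]+@")),
    ("generic_api_key",
     re.compile(r"(?i)\b(?:api[_-]?key|token|secret)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Assumed threshold: English-like placeholders land around 3.5 bits/char,
# random 32-character tokens near 5 bits/char.
MIN_ENTROPY_BITS = 4.0

# Constructed sample file; line numbers in findings are 1-based.
SAMPLE_LINES = [
    "import os",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',        # AWS documentation example key
    'DATABASE_URL = "postgres://app:s3cr3tpass@db.internal:5432/app"',
    'API_KEY = "your_api_key_here_placeholder"',           # low entropy: skipped
    'API_KEY = "aB3dE5fG7hJ9kL1mN0pQ2rS4tU6vW8xY"',        # constructed high-entropy value
    'API_KEY = os.environ["API_KEY"]',                     # read from environment: fine
    'SIGNING_KEY = """-----BEGIN RSA PRIVATE KEY-----',
]


def shannon_entropy(value):
    """Bits per character of the value's own symbol distribution."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(secret):
    """Never echo a full secret into a report: keep a prefix and suffix only."""
    return secret[:4] + "..." + secret[-2:]


def scan_lines(lines, path):
    """Run every rule over every line; return Secret-type findings."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            # Generic key assignments need a random-looking value, otherwise
            # every "your_api_key_here" placeholder would be a false positive.
            if name == "generic_api_key" and shannon_entropy(match.group(1)) < MIN_ENTROPY_BITS:
                continue
            findings.append({
                "type": "Secret",
                "rule": name,
                "path": path,
                "line": lineno,
                "match": mask(match.group(0)),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES, "config.py"):
        print(f"{finding['path']}:{finding['line']} {finding['rule']} {finding['match']}")
```

The masked `match` field is deliberate: a scanner that copies the full credential into its own findings store has just created a second place the secret leaks from.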

LLM-Powered Code Review

Beyond rule-based scanning, Certifai uses an LLM to perform architectural and security code review. The AI reviews code patterns that are too nuanced for static rules, such as:

  • Business logic flaws
  • Race conditions
  • Improper error handling that leaks information
  • Insecure design patterns

Code review findings are marked with the Code Review type.

LLM-Powered Triage

Every finding -- regardless of which scanner produced it -- goes through AI triage. Here is how it works:

  1. Context gathering -- the triage engine collects the finding details, the code snippet, and information from the code knowledge graph (what calls this code, what it calls, how it connects to entry points)

  2. Severity assessment -- the LLM evaluates the finding considering:

     • The vulnerability type and its typical impact
     • The specific code context (is this in a test file? behind authentication? in dead code?)
     • The blast radius -- how many entry points and call chains are affected, based on the code graph

  3. Confidence scoring -- the LLM assigns a confidence score (0.0 to 1.0) indicating how certain it is about the assessment

  4. Rationale generation -- the LLM writes a human-readable explanation of why it assigned the severity and confidence it did

  5. Remediation guidance -- the LLM generates step-by-step fix instructions and, where possible, a suggested code fix
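
The context factors from step 2 (test file, authentication, dead code, blast radius over the code graph) made concrete as an added example that approximates them with fixed rules rather than an LLM. This is not Certifai's triage engine: the call graph, the entry-point and authentication sets, the severity shifts and confidence values are all constructed assumptions; the point is to show what "blast radius based on the code graph" computes and how it moves a base severity and a 0.0 to 1.0 confidence in the directions described above.

```python
"""Rule-based stand-in for the triage context factors (added example)."""
from collections import deque

SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]

# Constructed call graph: caller -> callees (what the code knowledge graph holds).
CALL_GRAPH = {
    "api.login": ["auth.check_password"],
    "api.upload": ["storage.save_file"],
    "storage.save_file": ["util.sanitize_path"],
    "auth.check_password": ["db.query"],
    "admin.report": ["db.query"],
    "tests.test_db": ["db.query"],
    "legacy.old_export": ["db.query"],   # nothing calls this: dead code
}
ENTRY_POINTS = {"api.login", "api.upload", "admin.report"}   # request handlers
AUTHENTICATED = {"admin.report"}                              # entry points behind auth


def reverse_graph(graph):
    """callee -> callers, so we can walk from a finding back to entry points."""
    reverse = {}
    for caller, callees in graph.items():
        for callee in callees:
            reverse.setdefault(callee, []).append(caller)
    return reverse


def reachable_entry_points(function, graph, entry_points):
    """Blast radius: BFS over the reversed graph collecting every entry
    point from which the vulnerable function is reachable."""
    reverse = reverse_graph(graph)
    seen, queue, hits = {function}, deque([function]), set()
    while queue:
        node = queue.popleft()
        if node in entry_points:
            hits.add(node)
        for caller in reverse.get(node, []):
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return hits


def shift(severity, steps):
    """Move a severity up or down the scale, clamped to its ends."""
    index = SEVERITY_ORDER.index(severity) + steps
    return SEVERITY_ORDER[max(0, min(index, len(SEVERITY_ORDER) - 1))]


def triage(finding, graph=CALL_GRAPH, entry_points=ENTRY_POINTS, authenticated=AUTHENTICATED):
    """Apply the context rules to a finding and return severity, confidence
    and a rationale string (assumed values, not a model's output)."""
    base = finding["base_severity"]
    if finding["path"].startswith("tests/"):
        return {"severity": "Info", "confidence": 0.9,
                "rationale": "code lives under tests/ and does not ship"}
    entries = reachable_entry_points(finding["function"], graph, entry_points)
    if not entries:
        return {"severity": shift(base, -2), "confidence": 0.6,
                "rationale": "no entry point reaches this code; likely dead, "
                             "but dynamic dispatch could still invoke it"}
    unauthenticated = entries - authenticated
    if unauthenticated:
        severity = shift(base, 1) if len(entries) >= 2 else base
        rationale = (f"reachable from {len(entries)} entry point(s), "
                     f"{len(unauthenticated)} unauthenticated: {sorted(unauthenticated)}")
        return {"severity": severity, "confidence": 0.8, "rationale": rationale}
    return {"severity": shift(base, -1), "confidence": 0.7,
            "rationale": f"only reachable behind authentication: {sorted(entries)}"}


if __name__ == "__main__":
    # Constructed findings as a SAST scanner might report them.
    for finding in [
        {"function": "db.query", "path": "src/db.py", "base_severity": "High"},
        {"function": "util.sanitize_path", "path": "src/util.py", "base_severity": "Medium"},
        {"function": "legacy.old_export", "path": "src/legacy.py", "base_severity": "High"},
        {"function": "tests.test_db", "path": "tests/test_db.py", "base_severity": "High"},
    ]:
        print(finding["function"], triage(finding))
```

The same base severity lands in four different places depending only on context, which is why the page recommends reading the rationale rather than the severity label alone.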

Learning from Feedback

When you mark findings as false positives or provide developer feedback, this information is used to improve future triage accuracy. Over time, the AI becomes better at understanding which findings are actionable in your specific codebase and which are noise.

TIP

The AI triage is a starting point, not a final verdict. Always review the rationale and code evidence before acting on a finding. See Understanding Findings for more on the human-in-the-loop workflow.

Certifai Documentation