Engines
Static Engine
The static analysis engine uses industry-standard tools to detect security vulnerabilities and code quality issues:
- Semgrep: Security-focused pattern matching for multiple languages
- ESLint: JavaScript/TypeScript linting and best practices
- Bandit: Python security linter
Static analysis runs locally and is fast (typically 1-3 seconds). It catches common vulnerabilities, anti-patterns, and code quality issues without requiring code execution.
LLM Engine
The LLM reasoning engine uses AI models (GPT-4o-mini, Claude 4o-mini) to understand code context, intent, and potential edge cases that static analysis might miss.
LLM analysis provides:
- Context-aware vulnerability detection
- Code intent analysis
- Fix suggestions with before/after examples
- Explanation of why certain patterns are risky
LLM analysis runs in the cloud and takes 2-5 seconds. It's available in PRO and PRO+ plans.
Supply Chain
Supply chain scanning checks your dependencies for:
- Known vulnerabilities (CVEs)
- License compliance
- Outdated packages
- Malicious packages
Supply chain checks use vulnerability databases and license scanners to ensure your dependencies are safe and compliant.
License Scanning
License scanning identifies the licenses of all dependencies and checks them against your policy's allowed/denied license lists.
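As an added illustration (not the product's own code) of how the allow/deny lists are applied, this Python checker evaluates a constructed dependency inventory against the same allow_licenses and deny_licenses values used in the policy.yaml snippet below. The precedence rules (an id in both lists counts as denied, an id in neither goes to review) and the handling of SPDX "OR"/"AND" expressions are assumptions of this example, not documented behaviour.

```python
import re
from dataclasses import dataclass

# Mirrors the `dependency:` section of the policy.yaml above, held as a dict so
# the example runs without a YAML parser (an assumption of this example).
POLICY = {
    "dependency": {
        "allow_licenses": ["MIT", "Apache-2.0"],
        "deny_licenses": ["GPL-3.0"],
    }
}

# Constructed sample inventory: (package, SPDX license expression or None).
DEPENDENCIES = [
    ("requests", "Apache-2.0"),
    ("left-pad", "MIT"),
    ("readline-bindings", "GPL-3.0"),
    ("dual-licensed-lib", "MIT OR GPL-3.0"),
    ("odd-lib", "BSD-3-Clause"),
    ("unknown-lib", None),
]

@dataclass
class Verdict:
    package: str
    status: str  # "allowed", "denied" or "review"
    reason: str

def evaluate(package, expr, policy=POLICY):
    """Classify one dependency. Assumed precedence (not stated by the docs):
    an id in both lists counts as denied; ids in neither list go to review."""
    rules = policy["dependency"]
    deny = set(rules.get("deny_licenses", []))
    allow = set(rules.get("allow_licenses", [])) - deny
    if not expr:
        return Verdict(package, "review", "no license metadata")
    # "A OR B" lets the consumer pick either option; "A AND B" requires both.
    options = [[t.strip() for t in re.split(r"\s+AND\s+", o)]
               for o in re.split(r"\s+OR\s+", expr.strip("() "))]
    if any(all(t in allow for t in terms) for terms in options):
        return Verdict(package, "allowed", f"{expr}: an allow-listed option exists")
    if all(any(t in deny for t in terms) for terms in options):
        return Verdict(package, "denied", f"{expr}: every option hits the deny list")
    return Verdict(package, "review", f"{expr}: license not covered by the policy")

def scan(deps=DEPENDENCIES, policy=POLICY):
    """Map package -> status; a CI gate would fail on any 'denied' entry."""
    return {name: evaluate(name, expr, policy).status for name, expr in deps}
```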
Configure license rules in your policy.yaml:
dependency:
  allow_licenses: ["MIT", "Apache-2.0"]
  deny_licenses: ["GPL-3.0"]
Combining engines into TrustScore
TrustScore is calculated by combining the results from all engines:
The final TrustScore is a weighted average that prioritizes security findings. Critical security issues have a larger impact on the final score than minor quality issues.