Notes from the platform.
Engineering deep-dives, security research, and product updates.

Shipping fewer false positives: tuning our SAST rules
False positives erode trust faster than missed bugs. Here is how we cut noise by 62% across our static analysis rules without dropping a single true finding — the data we collected, the heuristics we added, and the rules we deleted entirely.

From Encore to Fastify: rebuilding our scanner on plain TypeScript
We tried Encore.ts. It got us moving. Then we hit deployment limits and vendor lock-in concerns, and migrated to Fastify + Zod + Supabase in six weeks. The migration plan, the three things that broke at cutover, and what we'd do exactly the same again.

What we found scanning our own codebase on day one
Before we let anyone else point Dockier at their repo, we pointed it at ours. 47 findings, 3 real, 1 embarrassing. The CVEs, the false positives, and the rule we wrote that night.

Detecting sensitive data without an LLM
A 320-line schema parser beats GPT-4o on PII classification — 12× faster, zero per-scan cost, no hallucinated labels. We still ship the model as a tie-breaker. Here's the breakdown of when each one wins.