Secure Code Review Harnesses
Layered pipeline, false positive triage, semantic codebase memory, and approval-gated autofix.
Deterministic first, LLM last. AST, Semgrep, and CodeQL give recall cheaply and without hallucination; the LLM gives precision by judging exploitability on the filtered candidate set.
The false positive problem is an LLM triage problem. Raw scanners at scale are ~40% precision. LLM triage with cross-file context and a feedback loop shifts the curve to ~92% precision.
Single-file analysis misses cross-file taint flows. Semantic codebase memory — function-level embeddings plus the static call graph — retrieves source, sink, and sanitizer across file boundaries.
Approval is non-negotiable. LLM patches can introduce new vulnerabilities while fixing the reported one. Draft PR, human merge, always.