Jokalala Analyzer

SAST trust report

Published eval gates for the production engine — measured on an open corpus, CI-enforced every night.

Snapshot 2026-07-13 · enhanced-static-analyzer-v2 · gates passing

Finding-delta

17 samples · languages docker-compose, dockerfile, java, javascript, kubernetes, python, terraform · 11 high/critical identities

Oracle miss
0.0%5.0%
Prod ↔ direct Jaccard
0.0%5.0%

OWASP categories covered: A01:2021, A02:2021, A03:2021, A05:2021, A07:2021, A08:2021, A10:2021 (min 6)

Twin F1

Safe/vulnerable twin corpus gated in CI (min F1 0.9).

F1 100.0%P 100.0% · R 100.0% · goldens 10/10

Industry benchmark-lite

OWASP Benchmark–inspired mini corpus (12 cases) — not the full OWASP/Juliet suites.

TPR
100.0%
FPR
0.0%
Score
1.0000.7

Analyze latency

Single-file full-scan microbench (29 runs).

p50
54 ms
p95
427 ms5000 ms
max
715 ms

SLOs

  • POST /api/analyze p95 latencymeasured

    ≤ 5000 ms (full mode, single-file)

    Microbench on finding-delta + industry corpora (P4h); also exposed via /api/analyze/metrics.

  • Finding-delta oracle missmeasured

    ≤ 5%

  • Production ↔ direct Jaccard distancemeasured

    ≤ 5%

  • Safe/vulnerable twin F1declared

    ≥ 0.90

    Enforced by nightly sast-eval workflow.

  • Industry benchmark-lite score (TPR − FPR)measured

    ≥ 0.70 (TPR ≥ 0.85, FPR ≤ 0.20)

    OWASP Benchmark–inspired mini corpus; not the full OWASP/Juliet suites.

Machine-readable: /analyzer/sast-trust-report.json

Corpus: tests/static-analyzer/finding-delta/corpus.json

Analyze API docs: /docs

SAST Trust Report | Jokalala | Jokalala