Finding-delta
17 samples · languages docker-compose, dockerfile, java, javascript, kubernetes, python, terraform · 11 high/critical identities
- Oracle miss
- 0.0%≤ 5.0%
- Prod ↔ direct Jaccard
- 0.0%≤ 5.0%
OWASP categories covered: A01:2021, A02:2021, A03:2021, A05:2021, A07:2021, A08:2021, A10:2021 (min 6)
Twin F1
Safe/vulnerable twin corpus gated in CI (min F1 0.9).
F1 100.0%P 100.0% · R 100.0% · goldens 10/10
Industry benchmark-lite
OWASP Benchmark–inspired mini corpus (12 cases) — not the full OWASP/Juliet suites.
- TPR
- 100.0%
- FPR
- 0.0%
- Score
- 1.000≥ 0.7
Analyze latency
Single-file full-scan microbench (29 runs).
- p50
- 54 ms
- p95
- 427 ms≤ 5000 ms
- max
- 715 ms
SLOs
- POST /api/analyze p95 latencymeasured
≤ 5000 ms (full mode, single-file)
Microbench on finding-delta + industry corpora (P4h); also exposed via /api/analyze/metrics.
- Finding-delta oracle missmeasured
≤ 5%
- Production ↔ direct Jaccard distancemeasured
≤ 5%
- Safe/vulnerable twin F1declared
≥ 0.90
Enforced by nightly sast-eval workflow.
- Industry benchmark-lite score (TPR − FPR)measured
≥ 0.70 (TPR ≥ 0.85, FPR ≤ 0.20)
OWASP Benchmark–inspired mini corpus; not the full OWASP/Juliet suites.
Machine-readable: /analyzer/sast-trust-report.json
Corpus: tests/static-analyzer/finding-delta/corpus.json
Analyze API docs: /docs