Investigate AI security scanners for React on Rails #2018

@alexeyr-ci2

Description

https://joshua.hu/llm-engineer-review-sast-security-ai-tools-pentesters is a success report of using AI-native security scanners to find bugs in well-tested applications like curl. From the preface:

If you’re a technology company wanting to find vulnerabilities, bugs, and mismatch between developer intent and real code, you should probably get one of these because they can easily scan the code you haven’t looked at for years, while catching vulnerabilities when new code is authored into the codebases. At the moment, prices are cheap, and I can only imagine that they’ll go up in the future, so it’s a perfect time to take full advantage of the AI bubble.

My general summary is as follows:

  • Multiple AI-native SASTs are already on the market, ready to use today.
  • They work extremely well.
  • They find real vulnerabilities and logic bugs in minutes.
  • They can “think”/“reason” about business logic issues.
  • They can match developer intent with actual code.
  • They aren’t based on static rule-sets and queries.
  • They have low false positive rates.
  • They’re cheap (for now).
  • My results showed that (in order of success for finding vulnerabilities), ZeroPath, Corgea, and Almanax are the top three products on the market right now. I did not test DryRun. However, all three products have different functions and can solve different problems, so I would recommend testing all of them if you can. If you’re looking for an AI-based security scanner that can find some incredible vulnerabilities, business logic bugs, and reachable vulnerabilities in dependencies (i.e. SCA analysis), then ZeroPath seems to be the best option.

Proposal:

  • See if any of them apply well to Ruby and/or TypeScript parts of ROR and RORP (limit to free plans for now).
  • If we find anything useful, fix (other than already-known use of outdated vm2 library, at least).
  • Possibly set up scans for future problems in CI.

Blocked by #2019.
