Scanner deep-dive

Semgrep by Semgrep ↗

Rule-Based SAST · rule-based · scored on 25/26 repositories. Strict scoring (unfinished repos counted as misses).

19.4

F3 (strict)

19.8

F2 (strict)

19.1%

Recall (strict)

23.1%

Precision

25/26

Repos scored

—

Model

Free

Total cost

—

Avg latency

Per-repository breakdown

Each bar shows true positives, false positives, and misses on one repository; bar length is proportional to that repo's labeled vulnerabilities. Ranked by F2.

True positiveFalse positiveMissed (FN)

pythonssti56 F2 · 50%

insecure-web48 F2 · 56%

lets-be-bad-guys40 F2 · 38%

dvblab34 F2 · 36%

damn-vulnerable-flask-application31 F2 · 33%

intentionally-vulnerable-python-application30 F2 · 29%

vulnerable-api30 F2 · 29%

vulpy29 F2 · 28%

pygoat28 F2 · 32%

dsvpwa21 F2 · 19%

extremely-vulnerable-flask-app21 F2 · 19%

djangoat20 F2 · 20%

vulnpy19 F2 · 17%

vulnerable-flask-app15 F2 · 14%

owasp-web-playground14 F2 · 21%

vfapi14 F2 · 11%

threatbyte12 F2 · 12%

flask-xss12 F2 · 10%

dvpwa10 F2 · 9%

vulnerable-python-apps10 F2 · 9%

vulnerable-tornado-app8 F2 · 7%

damn-vulnerable-graphql-application6 F2 · 6%

dsvw0 F2 · 0%

python-insecure-app0 F2 · 0%

vampi0 F2 · 0%

Repository	TP	FP	FN	Recall %	F2
pythonssti	1	0	1	50.0	55.6
insecure-web	5	11	4	55.6	48.1
lets-be-bad-guys	9	8	15	37.5	39.8
dvblab	8	22	14	36.4	33.9
damn-vulnerable-flask-application	5	16	10	33.3	30.9
intentionally-vulnerable-python-application	2	3	5	28.6	30.3
vulnerable-api	4	6	10	28.6	30.3
vulpy	16	29	41	28.1	29.3
pygoat	25	108	52	32.5	28.3
dsvpwa	6	7	26	18.8	21.3
extremely-vulnerable-flask-app	6	8	26	18.8	21.1
djangoat	10	39	40	20.0	20.1
vulnpy	13	22	65	16.7	18.7
vulnerable-flask-app	3	11	18	14.3	15.3
owasp-web-playground	6	104	22	21.4	13.5
vfapi	1	0	8	11.1	13.5
threatbyte	3	14	23	11.5	12.4
flask-xss	3	1	27	10.0	12.1
dvpwa	2	8	20	9.1	10.2
vulnerable-python-apps	2	10	20	9.1	10.0
vulnerable-tornado-app	1	8	13	7.1	7.7
damn-vulnerable-graphql-application	2	7	34	5.6	6.5
dsvw	0	0	27	0.0	0.0
python-insecure-app	0	0	8	0.0	0.0
vampi	0	0	15	0.0	0.0

Detection by severity

Severity	TP	FP	FN	Recall %
Critical	41	0	41	50.0
High	44	4	212	17.2
Medium	45	1	227	16.5
Low	3	0	64	4.5

Detection by vulnerability class

CWE family	TP	FP	FN	Recall %
Insecure Deserialization	15	1	2	88.2
Code Injection / RFI	9	0	5	64.3
SQL Injection	29	3	17	63.0
HTTP Header Injection	1	0	1	50.0
Open Redirect	2	0	4	33.3
Command / OS Injection	5	0	11	31.2
Other	45	0	155	22.5
Security Misconfiguration	7	0	26	21.2
Cross-Site Scripting	15	1	65	18.8
Path Traversal	2	0	22	8.3
Server-Side Request Forgery	2	0	22	8.3
Hardcoded Credentials	1	0	58	1.7
Missing Authentication / Authorization	0	0	46	0.0
XML External Entities	0	0	7	0.0
Broken Access Control / IDOR	0	0	24	0.0
Denial of Service	0	0	20	0.0
Sensitive Data Exposure	0	0	55	0.0
XPath Injection	0	0	4	0.0

Cost

Free

Total cost

Python LOC scanned

Successful runs

← Back to the leaderboard