Scanner deep-dive

Snyk Code by Snyk ↗

Rule-Based SAST · pattern+flow · scored on 25/26 repositories. Strict scoring (unfinished repos counted as misses).

18.0

F3 (strict)

18.8

F2 (strict)

17.2%

Recall (strict)

29.9%

Precision

25/26

Repos scored

—

Model

Free

Total cost

—

Avg latency

Per-repository breakdown

Each bar shows true positives, false positives, and misses on one repository; bar length is proportional to that repo's labeled vulnerabilities. Ranked by F2.

True positiveFalse positiveMissed (FN)

insecure-web60 F2 · 56%

intentionally-vulnerable-python-application57 F2 · 57%

pythonssti50 F2 · 50%

pygoat38 F2 · 40%

dvblab38 F2 · 36%

lets-be-bad-guys38 F2 · 33%

damn-vulnerable-flask-application30 F2 · 27%

dsvw29 F2 · 26%

vulnerable-flask-app26 F2 · 24%

djangoat20 F2 · 18%

extremely-vulnerable-flask-app18 F2 · 16%

vulnerable-api17 F2 · 14%

python-insecure-app14 F2 · 12%

vulpy14 F2 · 12%

threatbyte13 F2 · 12%

vfapi12 F2 · 11%

vulnpy12 F2 · 10%

dsvpwa11 F2 · 9%

vulnerable-python-apps10 F2 · 9%

owasp-web-playground9 F2 · 14%

dvpwa6 F2 · 5%

flask-xss4 F2 · 3%

damn-vulnerable-graphql-application0 F2 · 0%

vampi0 F2 · 0%

vulnerable-tornado-app0 F2 · 0%

Repository	TP	FP	FN	Recall %	F2
insecure-web	5	1	4	55.6	59.5
intentionally-vulnerable-python-application	4	3	3	57.1	57.1
pythonssti	1	1	1	50.0	50.0
pygoat	31	65	46	40.3	38.4
dvblab	8	10	14	36.4	37.7
lets-be-bad-guys	8	2	16	33.3	37.7
damn-vulnerable-flask-application	4	2	11	26.7	30.3
dsvw	7	6	20	25.9	28.9
vulnerable-flask-app	5	8	16	23.8	25.8
djangoat	9	17	41	18.0	19.9
extremely-vulnerable-flask-app	5	3	27	15.6	18.4
vulnerable-api	2	1	12	14.3	16.9
python-insecure-app	1	2	7	12.5	14.3
vulpy	7	13	50	12.3	14.1
threatbyte	3	5	23	11.5	13.4
vfapi	1	3	8	11.1	12.5
vulnpy	8	3	70	10.3	12.4
dsvpwa	3	4	29	9.4	11.1
vulnerable-python-apps	2	9	20	9.1	10.1
owasp-web-playground	4	114	24	14.3	8.7
dvpwa	1	0	21	4.5	5.6
flask-xss	1	1	29	3.3	4.1
damn-vulnerable-graphql-application	0	5	36	0.0	0.0
vampi	0	3	15	0.0	0.0
vulnerable-tornado-app	0	0	14	0.0	0.0

Detection by severity

Severity	TP	FP	FN	Recall %
Critical	30	0	52	36.6
High	40	3	216	15.6
Medium	46	1	226	16.9
Low	4	0	63	6.0

Detection by vulnerability class

CWE family	TP	FP	FN	Recall %
Code Injection / RFI	9	0	5	64.3
Insecure Deserialization	9	0	8	52.9
Open Redirect	3	0	3	50.0
XML External Entities	3	2	4	42.9
SQL Injection	14	0	32	30.4
Security Misconfiguration	9	0	24	27.3
Command / OS Injection	4	1	12	25.0
Cross-Site Scripting	19	0	61	23.8
Hardcoded Credentials	13	1	46	22.0
Path Traversal	5	0	19	20.8
Other	29	0	171	14.5
Server-Side Request Forgery	3	0	21	12.5
Missing Authentication / Authorization	0	0	46	0.0
Broken Access Control / IDOR	0	0	24	0.0
Denial of Service	0	0	20	0.0
Sensitive Data Exposure	0	0	55	0.0
HTTP Header Injection	0	0	2	0.0
XPath Injection	0	0	4	0.0

Cost

Free

Total cost

Python LOC scanned

Successful runs

← Back to the leaderboard