SShortSingh.
Back to feed

Hybrid AI-Static Analysis Tool BrassCoders Aims to Sharpen Python Code Security Reviews

0
·1 views

BrassCoders is a code-review tool that runs 12 static-analysis scanners across Python codebases before passing structured findings to an AI assistant, combining the precision of deterministic rules with the contextual reasoning of large language models. The tool generates a severity-sorted file containing file paths, line numbers, and remediation guidance, giving the AI a defined starting point rather than requiring it to scan code from scratch. Two 2025 research papers support this hybrid approach: one found LLMs outperformed static tools in recall but struggled with exact line-level accuracy, while another reported F1 scores above 0.91 when static-analyzer output was fed to an LLM for adjudication. In an internal benchmark, BrassCoders scanned 15 AI-generated Python files, surfaced 53 findings including 16 critical or high-severity issues, and confirmed real vulnerabilities in 9 of the 15 files. The developers argue the pre-pass approach becomes especially valuable in large codebases, where filtering thousands of raw scanner findings down to a manageable set makes AI-assisted review more practical and consistent.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Trelix grows from v1.0 to v2.7 in 13 days with knowledge graphs and agentic search

Developer tool Trelix evolved rapidly from its initial release to v2.7.0 over just thirteen days, shipping seven minor versions that transformed it from a basic code-search tool into a broader platform. Key additions included a knowledge graph built on NetworkX with Louvain community detection, which groups codebase files into architectural modules and labels them using an LLM. Retrieval expanded from three legs to seven, incorporating research-backed techniques such as RAPTOR-style file summarization and HyDE hypothetical document embeddings. A notable silent bug was also fixed in v2.7.0, where AdaptiveRouter accepted a configuration parameter but ignored it entirely, defaulting to environment variables instead. Other features added during this period include federated multi-repo search, an agentic query loop, and a GitHub Actions bot for automated PR review.

0
ProgrammingDEV Community ·

Puppetlabs Releases 24 Forge Modules in June 2026, Including New Windows Security Tool

Puppetlabs shipped 24 module updates to the Puppet Forge in June 2026, highlighted by a brand-new security_policy module for managing Windows local security policies via the Puppet Resource API. The new module replaces manual tools like secedit and covers all 45 Windows Privilege Rights along with System Access settings. A broad maintenance pass updated 15 modules — including apache, mysql, and postgresql — to loosen their stdlib dependency constraints, enabling compatibility with the newly released stdlib 10.x. Several modules, such as accounts, java, and postgresql, also dropped Puppet 7 support as part of a Puppet 8 alignment effort ahead of Puppet 7 reaching end-of-life. Additionally, Security Compliance Management 3.8.0 patched approximately 40 CVEs across bundled third-party components and updated its CIS-CAT Pro Assessor to add new STIG benchmarks for platforms including RHEL 10 and Amazon Linux 2023.

0
ProgrammingDEV Community ·

Non-Jailbreak iOS GPS Spoofing App Gains Traction Among Developers

A JavaScript-based iOS app called iOS Location Spoofer allows users to manipulate GPS data on non-jailbroken devices, attracting over 1,800 stars on GitHub. The app integrates modules such as Shadowrocket and Surge, enabling proxy capabilities alongside location spoofing without requiring users to compromise device security through jailbreaking. While its non-jailbroken approach preserves iOS sandboxing and device integrity, the use of JavaScript introduces performance overhead compared to native alternatives. Security experts and developers raise concerns about potential misuse, particularly for location-dependent services like ride-hailing apps that rely on accurate GPS data. Broader ethical and legal questions also loom, including whether Apple will move to block such tools as location data grows increasingly critical across industries.