Diff-based Software Composition Analysis (SCA) scanners in pull requests are prone to blind spots. By relying only on git diff data, they miss package context, suffer from nondeterministic rearrangements, and can be trivially bypassed—leaving vulnerabilities undetected.
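The missing package context can be seen in an ordinary version bump. The following is an added example, not code from the original page or from any scanner: the lockfile contents, the package names `pkg-a` and `pkg-b`, and the simplified added-line reader are constructed assumptions. It compares what the `+` lines of a `package-lock.json` diff contain with what a comparison of the full base and head lockfiles yields.

```python
import difflib
import json
import re

def lock(versions):
    """Build a constructed package-lock.json (v3 layout) from {name: version}."""
    pkgs = {"": {"name": "demo-app", "version": "1.0.0"}}
    pkgs.update({f"node_modules/{n}": {"version": v, "license": "MIT"}
                 for n, v in versions.items()})
    return json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": pkgs}, indent=2)

def unified(base_text, head_text):
    """Unified diff with the default three lines of context, as a PR would carry."""
    return "\n".join(difflib.unified_diff(
        base_text.splitlines(), head_text.splitlines(), "base", "head", lineterm=""))

def added_line_view(diff_text):
    """(name, version) pairs recoverable from '+' lines alone (hypothetical reader)."""
    name, seen = None, []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            name = None  # context and removed lines are not read, so the key is lost
            continue
        key = re.match(r'\+\s*"node_modules/([^"]+)": \{', line)
        ver = re.match(r'\+\s*"version": "([^"]+)"', line)
        if key:
            name = key.group(1)
        elif ver:
            seen.append((name, ver.group(1)))
    return seen

def resolved(lock_text):
    """Full-file view: every locked package name mapped to its version."""
    pkgs = json.loads(lock_text)["packages"]
    return {k.split("node_modules/")[-1]: v["version"] for k, v in pkgs.items() if k}

def changed_packages(base_text, head_text):
    """Packages whose locked version differs between base and head lockfiles."""
    base, head = resolved(base_text), resolved(head_text)
    return {n: (base.get(n), v) for n, v in head.items() if base.get(n) != v}

BASE = lock({"pkg-a": "1.3.0", "pkg-b": "2.0.1"})  # constructed sample
HEAD = lock({"pkg-a": "1.4.0", "pkg-b": "2.0.1"})  # constructed sample

if __name__ == "__main__":
    print("added lines only:", added_line_view(unified(BASE, HEAD)))
    print("full lockfiles:  ", changed_packages(BASE, HEAD))
```

The added line carries a version with no package name, so there is nothing to look up in an advisory database, while the full-file comparison names the package and both versions.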