Blog

Lovable spent 2025 turning security into a brand. Then a free account read everyone's chats, credentials, and code. Their response: That is intentional behaviour.

Anthropic's Mythos weaponised the "Won't Fix" backlog. Here's why chain disruption and not faster patching is the only defence that scales.

Six things make vibe coding production-ready: secret scanning, dependency verification, API-level auth testing, semantic analysis for business logic, automated scanning on every push, and security headers. Here's exactly how to set each one up.

We tested 15 security scanners on 796 real vulnerabilities in 26 Python repos. SAST tools like Semgrep and Snyk caught less than 18%. LLMs like Claude Sonnet 4.6 caught 50%. Kolega.Dev caught 81%. All data, scoring code, and results are open-source at realvuln.kolega.dev.

45% of AI-generated code fails security tests. These 8 vulnerability patterns keep shipping in vibe-coded apps - and your SAST tools miss most of them.

On March 19, a routine Trivy scan stole your cloud credentials. Here's the full TeamPCP attack chain, why every detection tool missed it, and what to fix today.

Demo Day celebrated 95% AI-generated codebases. But 45% of AI code fails security tests, and traditional SAST can't catch it. Here's the math they skipped.

There’s a question nobody in security tooling answers cleanly: how do you know your tool would actually catch real-world vulnerabilities?

This started as a mission to fix agentic AI security. It ended somewhere I didn't expect.

We scored +87.4% on OWASP's industry-standard security benchmark — more than 2x higher than the next best tool. Here's the full breakdown with methodology and raw results.

Snyk built a vulnerable Scala app to show off their security scanner. We ran it through five tools. Only one found the planted vulnerability. It wasn't Snyk.

When SAST tools generate 87% noise and miss the critical vulnerabilities entirely, your SOC 2 audit trail only proves you ran a process - not that your code is secure. The gap between compliance paperwork and actual security is widening at AI speed, and the breaches have already started.

Most automated security reports get ignored. We got 90.24% of ours accepted by doing what most tools skip: actually reading the code, understanding the architecture, and submitting fixes specific enough to merge without back-and-forth

Millions of programmers send out code that they don't understand. 40% to 62% of it has security holes that can be used. The breaches have already begun.

Traditional SAST tools have an 87% false positive rate - we proved it across 10 repositories and 1,183 findings. Meanwhile, real vulnerabilities slip through because pattern matching can't understand what code actually does.

Semgrep scanned NocoDB and flagged 222 issues but missed the critical SQL injection in the Oracle client - 17 injection points across one file, invisible to pattern matching because the code sat inside a query builder context. It's the clearest example of why semantic analysis catches what SAST can't.

Development velocity has never been higher, yet security often trails behind. In every major project we assessed, we identified significant vulnerabilities that conventional security tools simply overlooked.

Your SAST tool found 120 problems. Your team spent 20 hours sorting things out. You fixed 15 real problems. This is the problem of alert fatigue, but there is a way to fix it.

We used kolega.dev on 45 open source projects. These weren't just random GitHub repos; but mature projects, worked on and used by real users. Langfuse, Qdrant, NocoDB, Phase, Cloudreve, Agenta and Weaviate are all examples. We found 225 security holes in those 45 projects. So far, maintainers have reviewed 41 of our reports. Over 90% fix acceptance rate.

Your SAST tool found 1,183 problems. There are only 153 real ones. There is a better way.