How Scanning Works
How Secbez finds real vulnerabilities using pattern detection, AI analysis, and adversarial validation with low false positives.
When Secbez scans your code, it uses a multi-layered approach to find real vulnerabilities while minimizing false positives.
Detection layers
Pattern-based scanning
The first pass uses deterministic pattern matching to identify common vulnerability signatures — SQL injection patterns, XSS vectors, hardcoded secrets, insecure API usage, and more. These detections are fast and reliable.
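As an added illustration of what a deterministic first pass looks like (example code written for this page, not Secbez's own rules or scanner), the following Python scanner runs a handful of constructed signature regexes over an embedded, constructed source file and reports the rule id and line of each hit. The rule names, the regexes and the sample module are all assumptions chosen for the example; a real rule set is far larger and more carefully tuned.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed signature rules for the example; rule names and regexes are
# assumptions, not Secbez's actual rule set.
PATTERNS = {
    "hardcoded-aws-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded-password": re.compile(r"""(?i)(password|passwd|secret)\s*=\s*["'][^"']{4,}["']"""),
    "sql-string-concat": re.compile(r"""(?i)\b(select|insert|update|delete)\b.*["']\s*\+\s*\w+"""),
    "insecure-hash-md5": re.compile(r"\bhashlib\.md5\("),
}

@dataclass(frozen=True)
class Finding:
    rule_id: str
    line_no: int
    snippet: str

def scan_source(source: str) -> list[Finding]:
    """Deterministic first pass: every line is tested against every rule.
    Comment lines are skipped, a cheap way to avoid one common false positive."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue
        for rule_id, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(rule_id, line_no, stripped))
    return findings

# Constructed sample input: a small Python module with four planted issues
# and one decoy in a comment.
SAMPLE_SOURCE = '''\
import hashlib
DB_PASSWORD = "hunter2-prod"
# password = "only a comment, should not be reported"
aws_key = "AKIAIOSFODNN7EXAMPLE"
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
def digest(data):
    return hashlib.md5(data).hexdigest()
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f.rule_id:20} line {f.line_no}: {f.snippet}")
```

Running it reports the password on line 2, the key on line 4, the string-concatenated query on line 6 and the MD5 call on line 8, and nothing for the commented-out line. This is exactly the trade-off the text describes: the pass is fast and deterministic, but a regex cannot tell whether `name` on line 6 is ever attacker-controlled, which is what the later layers exist to decide.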
AI-powered analysis
For vulnerability categories that require understanding code context — like broken access control, IDOR, and business logic flaws — Secbez uses AI agents that analyze your code across multiple files to understand data flow, authentication patterns, and authorization logic.
Adversarial validation
Before any finding reaches your dashboard, it goes through an adversarial debate process. One agent argues the vulnerability is real (attacker), another argues it's a false positive (defender), and a judge weighs the evidence. Only findings that survive this process are confirmed.
Code graph analysis
Secbez builds a code graph of your repository that maps relationships between functions, files, and modules. This enables:
- Cross-file analysis: Understanding how data flows between files
- Route reachability: Determining whether vulnerable code is actually reachable from HTTP endpoints
- Auth chain verification: Checking whether authentication and authorization middleware protect sensitive endpoints
The code graph supports JavaScript, TypeScript, Python, Go, Rust, Java, and C++.
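To make route reachability and auth chain verification concrete, here is an added example (written for this page, not Secbez's code graph implementation) of a toy code graph: functions with call edges, HTTP routes with their ordered middleware chains, and a set of middleware names assumed to enforce authentication or authorization. Given a function flagged by an earlier layer, it walks the graph to find which routes can reach it and whether an auth middleware guards each path. The graph contents, route names and middleware names are constructed assumptions.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field

@dataclass
class CodeGraph:
    """Toy code graph: call edges between functions plus HTTP routes with
    their middleware chains. Assumed structure for the example only."""
    calls: dict[str, set[str]] = field(default_factory=dict)
    routes: dict[str, tuple[str, list[str]]] = field(default_factory=dict)
    auth_middleware: set[str] = field(default_factory=set)

    def add_call(self, caller: str, callee: str) -> None:
        self.calls.setdefault(caller, set()).add(callee)
        self.calls.setdefault(callee, set())

    def add_route(self, route: str, handler: str, middleware: list[str]) -> None:
        self.routes[route] = (handler, middleware)
        self.calls.setdefault(handler, set())

    def path_to(self, start: str, target: str) -> list[str] | None:
        """Breadth-first search over call edges; returns the shortest call chain
        from start to target, or None if target is unreachable from start."""
        if start == target:
            return [start]
        parents: dict[str, str | None] = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for callee in sorted(self.calls.get(node, ())):
                if callee in parents:
                    continue
                parents[callee] = node
                if callee == target:
                    path = [callee]
                    while parents[path[-1]] is not None:
                        path.append(parents[path[-1]])
                    return path[::-1]
                queue.append(callee)
        return None

    def reachable_routes(self, sink: str) -> list[dict]:
        """Route reachability plus auth chain check for a flagged function:
        one entry per route whose handler can reach the sink."""
        results = []
        for route, (handler, middleware) in self.routes.items():
            path = self.path_to(handler, sink)
            if path is None:
                continue
            results.append({
                "route": route,
                "path": path,
                "middleware": middleware,
                "protected": any(m in self.auth_middleware for m in middleware),
            })
        return results

def build_sample_graph() -> CodeGraph:
    """Constructed repository: two routes reach the flagged query helper,
    one behind auth middleware and one not; a third route never reaches it."""
    g = CodeGraph(auth_middleware={"require_auth", "require_admin"})
    g.add_route("GET /admin/users", "list_users", ["require_auth", "require_admin"])
    g.add_route("POST /public/search", "search", ["rate_limit"])
    g.add_route("GET /health", "health", [])
    g.add_call("list_users", "load_users")
    g.add_call("load_users", "run_raw_query")
    g.add_call("search", "build_query")
    g.add_call("build_query", "run_raw_query")
    g.add_call("legacy_export", "run_raw_query")  # caller with no route: dead from the web's point of view
    return g

if __name__ == "__main__":
    graph = build_sample_graph()
    for hit in graph.reachable_routes("run_raw_query"):
        guard = "protected" if hit["protected"] else "UNPROTECTED"
        print(f"{hit['route']:22} {guard:12} via {' -> '.join(hit['path'])}")
```

The output distinguishes the three cases a reviewer cares about: the sink reached through `GET /admin/users` sits behind `require_auth` and `require_admin`, the same sink reached through `POST /public/search` has only a rate limiter in front of it, and `GET /health` never reaches it at all. A flagged function that no route reaches (here `legacy_export` is the only other caller) is the kind of result that lets a finding be down-ranked rather than reported as exploitable.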
What happens after scanning
Once analysis is complete:
- Findings are deduplicated and normalized
- Each finding is assigned a severity and confidence score
- Existing (baseline) findings are identified and separated from new ones
- A policy decision determines whether the check should pass, warn, or fail
- Results are posted to GitHub and your dashboard
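The steps above, carried through as one added example in Python (not Secbez's pipeline code): findings are fingerprinted so duplicates collapse, split into new versus baseline, and then run through an illustrative pass/warn/fail policy keyed on severity and confidence. The fingerprint scheme, the severity ranks, the confidence threshold and the sample findings are all assumptions made for the example; Secbez's actual scoring and policy rules are not described on this page.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Assumed severity ordering for the example.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    rule_id: str
    file: str
    line: int
    snippet: str
    severity: str
    confidence: float  # 0..1, assumed to come from the validation stage

def fingerprint(f: Finding) -> str:
    """Stable identity for a finding: rule, file and whitespace-stripped snippet.
    The line number is deliberately excluded so a moved line is still the same finding."""
    normalized = "".join(f.snippet.split())
    return hashlib.sha256(f"{f.rule_id}|{f.file}|{normalized}".encode()).hexdigest()[:16]

def deduplicate(findings: list[Finding]) -> list[Finding]:
    """Collapse findings that share a fingerprint, keeping the highest-confidence one."""
    best: dict[str, Finding] = {}
    for f in findings:
        fp = fingerprint(f)
        if fp not in best or f.confidence > best[fp].confidence:
            best[fp] = f
    return list(best.values())

def split_baseline(findings: list[Finding], baseline_fps: set[str]) -> tuple[list[Finding], list[Finding]]:
    """Separate findings already known from a previous scan from genuinely new ones."""
    new, existing = [], []
    for f in findings:
        (existing if fingerprint(f) in baseline_fps else new).append(f)
    return new, existing

def policy_decision(new_findings: list[Finding], fail_at: str = "high",
                    warn_at: str = "medium", min_confidence: float = 0.7) -> str:
    """Illustrative policy: only new findings at or above min_confidence count,
    and the worst surviving severity decides pass, warn or fail."""
    worst = 0
    for f in new_findings:
        if f.confidence >= min_confidence:
            worst = max(worst, SEVERITY_RANK[f.severity])
    if worst >= SEVERITY_RANK[fail_at]:
        return "fail"
    if worst >= SEVERITY_RANK[warn_at]:
        return "warn"
    return "pass"

def run_pipeline(raw: list[Finding], baseline_fps: set[str], **policy) -> dict:
    deduped = deduplicate(raw)
    new, existing = split_baseline(deduped, baseline_fps)
    return {"new": new, "existing": existing, "decision": policy_decision(new, **policy)}

# Constructed raw findings, as two detection layers might emit them; the first
# two are the same issue reported twice with different whitespace and line.
RAW = [
    Finding("sql-injection", "app/db.py", 42, 'cursor.execute("SELECT * FROM users WHERE name = \'" + name)', "high", 0.92),
    Finding("sql-injection", "app/db.py", 43, 'cursor.execute( "SELECT * FROM users WHERE name = \'"  +  name )', "high", 0.85),
    Finding("hardcoded-secret", "config.py", 3, 'API_SECRET = "sk_live_constructed"', "medium", 0.95),
    Finding("weak-hash", "util.py", 10, "hashlib.md5(data)", "low", 0.60),
    Finding("idor", "api/users.py", 77, "User.get(request.args['id'])", "high", 0.55),
]
# Baseline: the hardcoded secret was already known from an earlier scan.
BASELINE = {fingerprint(RAW[2])}

if __name__ == "__main__":
    result = run_pipeline(RAW, BASELINE)
    for f in result["new"]:
        print(f"NEW      {f.severity:7} conf={f.confidence:.2f} {f.rule_id} {f.file}:{f.line}")
    for f in result["existing"]:
        print(f"BASELINE {f.severity:7} conf={f.confidence:.2f} {f.rule_id} {f.file}:{f.line}")
    print("decision:", result["decision"])
```

With the sample data the duplicate SQL findings collapse to the higher-confidence one, the secret is filed as baseline, and the check fails on the new high-confidence injection finding. If that injection were also in the baseline, the remaining new findings (a low-severity hash and a 0.55-confidence IDOR) would fall under the threshold and the check would pass, which is why the confidence floor matters: it keeps a weakly validated finding from blocking a merge on its own.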