Skip to main content

Security Tools

diffray integrates industry-leading security tools to provide comprehensive, multi-layered security analysis. Rather than relying solely on AI pattern matching, we combine specialized security scanners with AI interpretation to deliver accurate, actionable findings.

Why External Security Tools?

AI models are excellent at understanding code context and reasoning about complex patterns, but they can miss subtle security issues that specialized tools are designed to catch. Our approach combines the best of both worlds:

ApproachStrengthsLimitations
AI-onlyContext awareness, reasoningMay miss edge cases, false negatives
Tools-onlyPrecise detection, low false negativesHigh false positives, no context
AI + ToolsAccurate detection + intelligent filteringBest of both approaches

By running specialized security tools and having AI interpret and validate the results, we achieve:

  • Higher detection rates — tools catch issues AI might miss
  • Lower false positives — AI filters out irrelevant findings
  • Better context — AI explains why an issue matters in your codebase
  • Actionable remediation — AI provides specific fix suggestions

TruffleHog — Secrets Detection

TruffleHog is an open-source secrets scanner that detects leaked credentials, API keys, and sensitive data in your code.

What It Detects

  • AWS access keys and secret keys
  • GitHub tokens (classic and fine-grained)
  • Private keys (RSA, DSA, EC, OpenSSH)
  • Database connection strings
  • API keys for 700+ services
  • JWT tokens and session secrets
  • Cloud provider credentials (GCP, Azure, etc.)

How It Works

TruffleHog scans your git history and changed files using:

  1. Regex patterns — matches known credential formats
  2. Entropy analysis — detects high-entropy strings that look like secrets
  3. Verification — attempts to verify if detected secrets are active (when safe to do so)

AI Enhancement

When TruffleHog finds a potential secret, AI:

  • Validates the finding — confirms it's a real credential, not a false positive
  • Assesses severity — determines if it's a test key, example, or production credential
  • Provides context — explains where the secret is used and the potential impact
  • Suggests remediation — recommends how to rotate and secure the credential

Semgrep — Static Analysis

Semgrep is a fast, open-source static analysis tool that finds bugs, security vulnerabilities, and code quality issues using semantic pattern matching.

What It Detects

  • Injection vulnerabilities — SQL injection, command injection, XSS
  • Authentication issues — hardcoded passwords, weak crypto
  • Insecure configurations — debug mode enabled, CORS misconfigurations
  • Code quality problems — null pointer dereferences, resource leaks
  • Framework-specific issues — React, Django, Spring, Express patterns

Supported Languages

Semgrep supports 30+ languages including:

  • TypeScript / JavaScript
  • Python
  • Go
  • Java / Kotlin
  • Ruby
  • PHP
  • C / C++
  • Rust
  • Swift
  • And many more

How It Works

Semgrep uses semantic pattern matching that understands code structure:

# This pattern matches SQL injection regardless of variable names
cursor.execute("SELECT * FROM users WHERE id = " + $USER_INPUT)

Unlike regex-based tools, Semgrep understands:

  • Variable scoping and data flow
  • Function calls across files
  • Language-specific semantics

AI Enhancement

When Semgrep reports an issue, AI:

  • Validates relevance — checks if the finding applies to your specific code
  • Reduces noise — filters out false positives based on context
  • Prioritizes severity — ranks issues by actual risk in your codebase
  • Explains the vulnerability — describes how the issue could be exploited
  • Provides fixes — suggests specific code changes with examples

The AI + Tools Pipeline

Here's how security tools integrate into the review pipeline:

1. PR Changes Detected

2. TruffleHog scans for secrets (only new changes)

3. Semgrep runs static analysis (only new issues)

4. AI receives tool output + code context

5. AI validates, filters, and enriches findings

6. Final report with actionable issues

Key Benefits

Differential scanning — Tools only analyze changes introduced in the PR, not the entire codebase. This means:

  • Fast scan times (seconds, not minutes)
  • No noise from pre-existing issues
  • Focus on what the PR actually changes

AI validation — Every tool finding is reviewed by AI before being reported:

  • False positives are filtered out
  • Context-specific severity is assigned
  • Clear remediation guidance is provided

Unified reporting — All findings (AI-detected + tool-detected) appear in a single, organized review comment with consistent formatting and prioritization.

Configuration

Security tools run automatically on every PR. No configuration required.

To disable specific security checks, add rule exclusions in your .diffray/config.yaml:

rules:
  exclude:
    - sec_secrets_scan      # Disable TruffleHog scanning
    - sec_semgrep_scan      # Disable Semgrep scanning

Privacy and Security

  • No data sent externally — All tools run locally in the ephemeral review environment
  • No cloud services — TruffleHog and Semgrep run entirely on our infrastructure
  • Code deleted after review — The environment is destroyed after each review
  • Open source tools — Both tools are open source and auditable

The result? Comprehensive security coverage that catches both obvious issues (leaked API keys) and subtle vulnerabilities (injection attacks) — with AI providing the context and guidance needed to fix them quickly.