--- title: Adversarial SAST emoji: πŸ›‘οΈ colorFrom: red colorTo: gray sdk: gradio sdk_version: "6.19.0" python_version: "3.12" app_file: app.py pinned: true license: mit short_description: Adversarial SAST β€” false positives die on screen --- # πŸ›‘οΈ Adversarial SAST β€” the false positive dies on screen LLM security review has one fatal flaw: **noise**. Ask a model to "find the vulnerabilities" and it flags SQL injections on already-parameterized queries, XSS on dead code, bugs that aren't reachable. The real findings drown in false positives, and you learn to ignore all of them. This Space fixes that with a **two-stage adversarial pass**: 1. **Detect** β€” a code model lists candidate vulnerabilities, deliberately broad. 2. **Refute** β€” for *each* candidate, a skeptical pass tries to **break it**: is there a concrete input that exploits it, or is it neutralized (validated input, dead code, a guard)? > **What survives the attack is real.** Confirmed findings come with a proof-of-concept; everything > refuted is dropped. ## The toggle is the demo **Verify OFF** shows the raw detector β€” a long list, false positives included. **Verify ON** runs the refutation and the noise dies on screen. The default example hides one false positive (a `SELECT` built from a value already cast to `int`) right next to a real bug (a shell command built from raw input): only the real one survives, with its PoC. ## How it works - **Snippet tab** β€” [Qwen2.5-Coder-7B-Instruct](https://huggingface.co/Qwen/Qwen2.5-Coder-7B-Instruct) on **ZeroGPU** (H200), with [Outlines](https://github.com/dottxt-ai/outlines) constraining the output to a JSON schema (`Candidate` / `Verdict`) β€” always machine-readable. - **Whole-repo, split by model size, both via HF Inference** β€” detection on [Qwen3-Coder-480B-A35B-Instruct](https://huggingface.co/Qwen/Qwen3-Coder-480B-A35B-Instruct): a whole-file view follows a long sourceβ†’sink data-flow (an injection can be ~200 lines from its sink) the small model misses. Refutation on **Qwen2.5-Coder-32B** over a **bounded, line-numbered window** around each candidate: it must *credit* real sanitization (prepared statements, allow-lists, casts) to drop false positives β€” a 7B refuter can't and confirms almost everything β€” while not being fooled by `file_exists`/`isset` guards (which don't stop an LFI). Both stages off-GPU, so a whole-repo scan has no length limit. Paste any snippet, pick the language, audit. All example code is fictional and **intentionally vulnerable** β€” it's the test set. This is a **defensive / educational** demo, not a production scanner. ## About Built by **[Ferr0](https://huggingface.co/Ferr0)** β€” infra-minded AI: local LLM inference, structured generation & tool-calling, offline RAG, defensive AI security. More at **[pixelium.win](https://pixelium.win)** Β· **[GitHub](https://github.com/ferr079)**. License: MIT.