Files

T

Antigravity Agent 504fd5fb42 [G1-Sync] Manual knowledge update

2026-05-10 22:08:15 +09:00

7.0 KiB

Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack

title

DeepCode AI (Snyk Code)

매 한 줄

"매 LLM 의 X — 매 symbolic + neural 의 결합". 매 25M+ data flow + 매 19+ language. 매 interfile analysis. 매 commit-based 의 verified fix pattern. 매 modern hybrid 의 example (vs LLM-only Corgea).

매 핵심 differentiator

Hybrid AI (vs LLM-only)

매 symbolic reasoning + 매 NN.
매 semantic representation 의 build.
매 hallucination ↓.
매 interpretable.

Interfile dataflow

매 file boundary 의 cross.
매 multi-module vulnerability 의 catch.

Commit-based fix pattern

매 OSS 의 actual fix commits 의 학습.
매 verified pattern.
매 LLM hallucination 의 avoid.

매 history

매 2017 ETH spinoff (DeepCode).
매 2020 Snyk 의 acquire.
매 2024 DeepCode AI Fix.

매 Snyk 의 stack

Snyk Code (DeepCode-powered SAST).
Snyk Open Source (SCA).
Snyk Container (image scan).
Snyk IaC (Terraform / K8s).

매 vs alternative

Tool	Approach	Strength
Snyk Code (DeepCode)	Hybrid neuro-symbolic	Verified fix + low FP
Corgea	LLM-native	Business logic + autofix
Semgrep	Pattern + custom	Speed + control
SonarQube	Rule-based + AI	Quality gate
GitHub Advanced	Code scanning + Copilot Autofix	GitHub integration

매 limitation

매 LLM-native 의 emerging features (Corgea) 의 less.
매 enterprise SaaS pricing.
매 language-specific depth varies.

💻 패턴 (응용 — Snyk integration)

CLI scan

npm install -g snyk
snyk auth
snyk code test                  # 매 SAST
snyk code test --json           # 매 JSON output
snyk code test --severity-threshold=high

CI integration

- name: Snyk Code
  uses: snyk/actions/node@master
  env: { SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} }
  with:
    command: code test
    args: --severity-threshold=high --sarif-file-output=snyk-code.sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with: { sarif_file: snyk-code.sarif }

IDE integration

- VS Code: Snyk Security extension.
- IntelliJ / WebStorm: Snyk plugin.
- 매 inline 의 finding + fix 의 click.

DeepCode AI Fix workflow

1. Vulnerability detected (e.g., SQL injection).
2. AI Fix 의 verified pattern 의 retrieve.
3. PR comment 의 diff 의 propose.
4. Developer 의 review + merge.
5. Snyk 의 re-test 의 confirm fix.

Multi-tool layered security

security_pipeline:
  pre_commit:
    - gitleaks  # 매 secret
  
  pr:
    - snyk_code  # 매 SAST (DeepCode)
    - snyk_open_source  # 매 SCA (CVE)
    - semgrep  # 매 custom rule
    - corgea  # 매 LLM-native (optional, parallel)
  
  pre_deploy:
    - snyk_container  # 매 image
    - cosign  # 매 sign
  
  runtime:
    - falco

Custom rule (Snyk + Semgrep complementary)

# 매 .snyk policy
ignore:
  'SNYK-CC-K8S-1':
    - '*':
        reason: 'Internal dev cluster — non-prod'
        expires: '2026-12-31T00:00:00Z'

# 매 semgrep for org-specific
rules:
  - id: internal-deprecated-api
    pattern: oldClient.deprecatedMethod(...)
    message: Use newClient instead.
    severity: WARNING

Vulnerability triage

def triage_findings(snyk_findings):
    triaged = []
    for f in snyk_findings:
        priority = (
            f['severity_score'] *
            f['exploit_maturity_factor'] *  # 매 0.5-2
            f['reachability_factor']         # 매 0.3-1.5
        )
        triaged.append({
            **f,
            'priority': priority,
            'sla_hours': sla_for_severity(f['severity']),
        })
    return sorted(triaged, key=lambda x: -x['priority'])

Auto-fix verification

def verify_fix(original_code, ai_proposed_fix):
    # 매 1. syntax check
    if not parses_correctly(ai_proposed_fix): return 'invalid syntax'
    
    # 매 2. test still passes
    if not run_tests(ai_proposed_fix): return 'tests fail'
    
    # 매 3. vulnerability resolved
    if scan(ai_proposed_fix).has_vuln: return 'vuln remains'
    
    # 매 4. no new vuln introduced
    new_vulns = set(scan(ai_proposed_fix).vulns) - set(scan(original_code).vulns)
    if new_vulns: return f'introduces new: {new_vulns}'
    
    return 'verified'

SARIF (standard output)

import json

def parse_sarif(sarif_file):
    with open(sarif_file) as f:
        data = json.load(f)
    
    findings = []
    for run in data['runs']:
        for result in run['results']:
            findings.append({
                'rule': result['ruleId'],
                'severity': result['level'],
                'message': result['message']['text'],
                'file': result['locations'][0]['physicalLocation']['artifactLocation']['uri'],
                'line': result['locations'][0]['physicalLocation']['region']['startLine'],
            })
    return findings

Suppress false positives

// 매 Snyk 의 inline ignore
function safe_html(input) {
  // snyk-ignore: javascript/xss — 매 input 의 sanitized at boundary
  return `<div>${input}</div>`;
}

매 결정 기준

상황	Tool
Mid-large + budget	Snyk Code (DeepCode)
AI-native focus	Corgea
Custom rules speed	Semgrep
Open-source self-host	SemGrep
GitHub native	GitHub Advanced Security
Enterprise compliance	Veracode / Checkmarx

기본값: 매 Snyk + Semgrep complementary.

🔗 Graph

부모: SAST · DevSecOps
변형: Snyk-Code · Symbolic-AI · Hybrid-AI · Neuro-Symbolic-AI
응용: Corgea · Semgrep · SonarQube · CI_CD 파이프라인 및 IDE 통합 보안
Adjacent: AI 코드 리뷰 및 보안 취약점 점검(DevSecOps) · Custom-ESLint-Rules-Development · CodeScene · AI 생성 코드 검증(AI Code Assurance)

🤖 LLM 활용

언제: 매 enterprise SAST. 매 multi-language. 매 verified autofix. 언제 X: 매 budget-tight (Semgrep). 매 air-gapped.

❌ 안티패턴

Single tool: 매 layered defense X.
No triage: 매 alert fatigue.
AI Fix 의 blind merge: 매 verify 의 still 필요.
No SARIF integration: 매 dashboard 의 single source X.

🧪 검증 / 중복

Verified (Snyk docs, DeepCode papers, ETH spinoff history).
신뢰도 B.
Related: Corgea · CI_CD 파이프라인 및 IDE 통합 보안 · Custom-ESLint-Rules-Development · CodeScene.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-10	Manual cleanup — neuro-symbolic + 매 CI / SARIF / triage / verify code

7.0 KiB Raw Blame History