Compare Tools
Radar: four measured signals (chart; values tabulated below)

| Tool (Manual Rank) | Manual CVE_R | OWASP F1 | Approx. FP | Over-claim | Speed |
|---|---|---|---|---|---|
| Horusec | 12.7% | 49.0% | 28.6% | 80.4% | Roughly 5-15 min depending on project size |
| CodeQL | 6.7% | 79.8% | 45.5% | 92.1% | Long runs (Semgrep 230-274s, CodeQL queries may reach 24h) |
| Insider | 2.4% | 13.9% | 100.0% | 95.8% | Scan completes ~<=5 min (LoC < 50k) |
| Contrast Codesec Scan | 0.6% | 84.4% | 100.0% | 99.1% | Scan completes ~<=5 min (LoC < 50k) |
Gains from tool combinations

Best 3-tool and 4-tool mixes from Li et al. Figure 8: Manual CVE_R plus additional patch-side hits (approx. FP lift).

| Mix | Tools | Unique CVEs | Patch-side hits (approx. FP lift) |
|---|---|---|---|
| Best 3 | codeql + horusec + sbwfsb | 41 (24.8%) | 38.6% |
| Best 4 | codeql + horusec + sbwfsb + semgrep | 45 (27.3%) | 39.4% |