Research
CrossCommitVuln-Bench: Multi-Commit Vulnerabilities Invisible to Per-Commit Static Analysis
New benchmark of 15 real-world Python CVEs where exploitable conditions were introduced across multiple individually-benign commits that evade per-commit static analysis by Semgrep and Bandit. Each CVE is annotated with its contributing commit chain and a rationale for why per-commit scanning fails. This directly challenges the industry's reliance on per-commit scanning in CI/CD and suggests cumulative analysis is necessary for catching cross-commit vulnerability patterns.
Source
↳ Follow the thread