Comment by tempodox
Now that is how LLM assistance for coding can be useful. Would be interesting to know which set of tools was used exactly. How might one reproduce this kind of assistance for other code bases?
See Joshua's post for details: https://joshua.hu/llm-engineer-review-sast-security-ai-tools...
Tools included ZeroPath, Corgea and Almanax.
And those good uses extend from appsec to cloudsec (IaC) as well.
I'm working on an open-source tool [1] to look for policy violations in cloud infra. LLMs are great at dealing with cloud security policies that are frequently subjective and under-specified. They can "understand" the intent of the policy and use tools to pull in the necessary context to fully evaluate a potential violation.
We look at two examples in this blog post: "No publicly exposed admin ports" and "IAM policies follow the principle of least privilege".
https://blog.fraim.dev/ai_eval_vs_rules/
[1] https://github.com/fraim-dev/fraim
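As an added illustration of the two policies named in the comment above, here is the deterministic, rule-based reading of each, written for this page and not taken from fraim or its blog post. The input schemas (a flattened security-group ingress list and an IAM policy document), the set of "admin" ports, and the sample data are all constructed assumptions. The point of the example is the mechanical check itself and the cases it cannot decide: a source of 0.0.0.0/1 is half the Internet but is not literally "anywhere", and `s3:*` scoped to one bucket may or may not be least privilege, which is the judgement the comment says an LLM with tool access is meant to supply.

```python
"""Rule-based versions of two cloud-security policies (added example).

Not fraim's code. Input formats below are simplified, constructed
approximations of AWS security-group rules and IAM policy documents.
"""
import ipaddress

# Ports an operator would usually call "admin" ports. The policy text in the
# comment does not enumerate them, so this set is an assumption.
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM (HTTP/HTTPS)

# Constructed sample input (not fraim's schema): flattened ingress rules,
# roughly what Terraform state or the AWS API would give after normalising.
SAMPLE_INGRESS = [
    {"sg": "web", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"sg": "bastion", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"sg": "bastion", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
    {"sg": "legacy", "from_port": 0, "to_port": 65535, "cidr": "::/0"},
    # Half of IPv4. Not "anywhere" by the literal rule, yet plainly public.
    {"sg": "mgmt", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/1"},
]


def is_anywhere(cidr: str) -> bool:
    """True only for the literal 'anywhere' sources, 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_ports(rules):
    """Return (sg, port, cidr) for each admin port reachable from anywhere.

    A wide range such as 0-65535 is intersected with ADMIN_PORTS, so it
    yields one finding per admin port rather than one per port in the range.
    The 0.0.0.0/1 rule above is deliberately not caught: the policy as
    worded does not say what "publicly exposed" means short of /0.
    """
    findings = []
    for r in rules:
        if not is_anywhere(r["cidr"]):
            continue
        for port in sorted(ADMIN_PORTS):
            if r["from_port"] <= port <= r["to_port"]:
                findings.append((r["sg"], port, r["cidr"]))
    return findings


# Constructed sample IAM policy (standard AWS document shape).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return (index, wildcard_action, wildcard_resource) for Allow statements.

    This is the mechanical reading of "least privilege": a '*' (or
    'service:*') in Action, or '*' in Resource. Deny statements are skipped
    because a wildcard Deny narrows rather than widens access. Whether
    's3:*' on a single bucket is acceptable is the call this rule cannot
    make on its own.
    """
    out = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action or wild_resource:
            out.append((i, wild_action, wild_resource))
    return out


if __name__ == "__main__":
    for f in exposed_admin_ports(SAMPLE_INGRESS):
        print("admin port open to anywhere:", f)
    for f in overly_broad_statements(SAMPLE_POLICY):
        print("wildcard Allow statement:", f)
```

Run as-is, the first check reports the bastion SSH rule and the four admin ports inside the legacy group's all-ports IPv6 rule, and stays silent on the 0.0.0.0/1 RDP rule; the second reports statements 1 and 2 and ignores the wildcard Deny. Those two silences are the under-specification the comment is talking about: a rule engine needs the policy author to pin down "public" and "least privilege" before it can flag them, whereas the evaluation approach described above is meant to pull in context (what the bucket holds, who the group is attached to) and decide.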