Project ideas from Hacker News discussions.

Making frontier cybersecurity capabilities available to defenders

📝 Discussion Summary

1. Dual‑use and misuse concerns
Users repeatedly point out that AI vulnerability scanners can be abused by bad actors, and that this risk is why the feature is gated behind enterprise access.
- “A vuln scanner is dual‑use.” – ukuina
- “I assume that's why this is gated behind a request for access from teams / enterprise users rather than being GA.” – nikcub
- “If an account is performing source‑code level request scanning of ‘numerous’ codebases – that could be an account of interest.” – czbond

2. Effectiveness versus traditional tools
The discussion centers on how well the new AI models actually find bugs and how they compare to existing static‑analysis tools.
- “Less than 50 % false positives.” – awestroke
- “What we've found is that giving LLM security agents access to good tools (Semgrep, CodeQL, etc.) makes them significantly better, especially when it comes to false positives.” – ievans
- “Claude Code Opus 4.5 ranks ~71 % accuracy on the OpenSSF CVE Benchmark.” – sanketsaurav

3. Business model and openness debate
Participants debate whether the product should remain a paid, restricted service or be freely available to the open‑source community.
- “Solve a problem and everyone praises you. No one knows you also caused that problem.” – deadbabe
- “Limited preview for researchers, who will be hand‑picked to write positive reviews.” – grolly
- “Make it testable for open‑source developers at no cost and without login or get‑lost.” – grolly

These three themes—misuse risk, real‑world performance, and access strategy—capture the core of the conversation.


🚀 Project Ideas
