One Thousand and One AI-Prevented CVEs: Vibe Coding a Whole New Supply Chain Defense

Brandon Wu

BSidesSF 2026 · Day 2 · AMC Theatre 14

In an era where software supply chain attacks are escalating dramatically, the manual processes traditionally employed to secure third-party dependencies are proving to be unsustainable. Brandon Wu, a Program Analysis Engineer at Semgrep, presented a compelling talk at BSides SF, "One Thousand and One AI-Prevented CVEs: Vibe Coding a Whole New Supply Chain Defense," addressing this critical challenge. The presentation introduced **Brat** (Better RAT), a novel tool developed to automate the creation of security rules for detecting vulnerabilities (CVEs) in third-party libraries, significantly improving the scalability and reliability of software supply chain defense.

AI review

Wu presents a legitimate engineering solution to a real scaling problem: automated Semgrep rule generation for supply chain CVEs using call graph analysis plus targeted LLM assistance. The core technical idea — deterministic call graph traversal to find transitive public API exposure, with LLMs handling bounded subtasks like doc scraping and test snippet generation — is sound and the d-value case study makes the false-negative argument concrete. But this is a BSides-tier product engineering talk from a Semgrep employee about Semgrep infrastructure, and it never quite escapes that gravity.
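The reachability idea the review describes, as an added illustration that is not code from the talk, from Brat, or from Semgrep: a small deterministic pass that parses a library, builds a function-level call graph, walks it backwards from a known-vulnerable internal helper, and reports which public (non-underscore) functions transitively reach it. Those entry points are what a generated Semgrep rule would match in downstream code. The library source, the sink name `_parse_header`, the package name `vulnlib` and the advisory id are all constructed placeholders.

```python
import ast
from collections import defaultdict, deque

# Constructed sample library (hypothetical). `_parse_header` stands in for the
# vulnerable internal helper named in an advisory; only `load` and `read_file`
# reach it transitively, `load_safe` and `dump` do not.
SAMPLE_LIBRARY = '''
def _parse_header(raw):
    return raw.split(":")

def _decode(blob):
    return _parse_header(blob)

def load(blob):
    return _decode(blob)

def load_safe(blob):
    return blob.strip()

def dump(obj):
    return str(obj)

def read_file(path):
    with open(path) as fh:
        return load(fh.read())
'''


def build_call_graph(source):
    """Map each top-level or nested function name to the names it calls.

    Name-based resolution only (no types, no imports): good enough to show the
    traversal, and deliberately over-approximate, since a missed edge would be a
    false negative for the rule that is generated from it.
    """
    tree = ast.parse(source)
    graph = defaultdict(set)
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            graph.setdefault(node.name, set())
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    callee = sub.func
                    if isinstance(callee, ast.Name):
                        graph[node.name].add(callee.id)
                    elif isinstance(callee, ast.Attribute):
                        graph[node.name].add(callee.attr)
    return graph


def callers_reaching(graph, sink):
    """Breadth-first walk over the reversed graph: every function that can reach `sink`."""
    reverse = defaultdict(set)
    for caller, callees in graph.items():
        for callee in callees:
            reverse[callee].add(caller)
    seen = set()
    queue = deque([sink])
    while queue:
        fn = queue.popleft()
        for caller in reverse.get(fn, ()):
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return seen


def public_entry_points(graph, sink):
    """Public API functions (no leading underscore) from which the sink is reachable."""
    return sorted(
        fn for fn in callers_reaching(graph, sink)
        if fn in graph and not fn.startswith("_")
    )


def semgrep_rule(package, entry_points, advisory_id):
    """Minimal Semgrep rule dict flagging calls to the exposed entry points.

    Hypothetical rule shape for illustration; the keys used (id, languages,
    severity, message, pattern-either) are standard Semgrep rule keys.
    """
    return {
        "rules": [{
            "id": f"{package}-{advisory_id}-reachable-call".lower(),
            "languages": ["python"],
            "severity": "WARNING",
            "message": (
                f"{package} {advisory_id}: this call reaches the vulnerable "
                f"internal helper; upgrade the dependency."
            ),
            "pattern-either": [
                {"pattern": f"{package}.{fn}(...)"} for fn in entry_points
            ],
        }]
    }


if __name__ == "__main__":
    graph = build_call_graph(SAMPLE_LIBRARY)
    exposed = public_entry_points(graph, "_parse_header")
    print("public entry points reaching the sink:", exposed)
    print(semgrep_rule("vulnlib", exposed, "ADVISORY-PLACEHOLDER"))
```

Writing the rule against the public entry points rather than the internal helper is the point of the traversal: downstream code never calls `_parse_header` directly, so a rule matching only the helper would miss every real consumer, which is the false-negative failure mode the review attributes to naive rule generation.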

Watch on YouTube