Q001 — Security Tool Adoption Rates in OSS CI Pipelines — Reading List

Must Read

  • Largest academic study of CodeQL on OSS codebases
      ◦ Source: Academic researchers (arXiv preprint) · 2026-05-08
      ◦ Summary: Analysis of 114 CodeQL versions across 3,993 CVEs from 1,622 repositories (20B+ lines). CodeQL identifies 171 CVEs; adoption 10-30% across languages.
      ◦ Why read: Provides the most authoritative CodeQL adoption rates and effectiveness data. Essential for understanding SAST tool coverage in practice.

  • Semgrep vs. CodeQL: Technical Comparison
      ◦ Source: Konvu · 2026-03-16
      ◦ Summary: Technical comparison with academic benchmarks: CodeQL FPR 68.2%, Semgrep FPR 74.8%; the four tools combined detect only 38.8% of real-world vulnerabilities.
      ◦ Why read: Essential for understanding why SAST adoption is low — false positive rates of 68-75% and detection rates under 40% explain rational tool avoidance.