Q002 — Barriers to OSS Security Scanning Adoption — Self-Audit

Process Audit (Analytical Domains)

Domain                 | Rating | Rationale
Evaluation Consistency | Pass   | The assessment treated the academic maintainer study (strong reliability) and the vendor blog (moderate reliability) with appropriate differential rigor. The false-positive rate data from Pixee's blog
Synthesis Fairness     | Pass   | The synthesis fairly represented all three evidence clusters (barriers, false positives, Log4j decay) without over-weighting any. The conclusion correctly states that 'security fatigue' as a temporal

Source-Back Verification

Sources verified: 3

Discrepancies

  • minor at https://www.pixee.ai/blog/sast-false-positives-reduction
      Assessment claims: Ghost Security found a 91% false positive rate scanning public GitHub repositories
      Source actually says: The Pixee blog reports this as 'Ghost Security found that 91% of alerts were false positives when scanning public GitHub repositories across Go, Python, and PHP'. The blog cites Ghost Security's research but does not link to the primary Ghost Security publication.
