Reaching Zero False Positives in Vulnerability Scanning

How we built a polyglot reachability engine traversing Go, Java, Rust, Python, and JavaScript ASTs in milliseconds to filter out vulnerability noise.

Security engineers suffer from alert fatigue. The average enterprise dependency scanner flags hundreds of "critical" vulnerabilities a week.

But here's the dirty secret: Over 85% of flagged vulnerabilities are never actually reachable by the application code.

If you import lodash, but only ever use lodash.merge, a critical RCE vulnerability inside lodash.template has absolutely zero impact on your production environment. Yet, standard scanners block the PR, drop the build, and force developers to bump versions (which often breaks compatibility).

This is why we built OsVault's Reachability Engine.

The Architecture of Reachability

Instead of just parsing package.json or Cargo.toml, OsVault is granted read-only access to your repository tarballs via our GitHub Application. When a pull request opens, the engine performs a two-step validation:

  1. Manifest Diffing: Quickly determines if a vulnerable package version was introduced.
  2. AST / Regex Traversal: Scans the actual source code to determine if the vulnerable functions are imported.

// Example: the engine detects this import and flags the vulnerability
import { template } from "lodash";
const compiled = template("hello <%= user %>");

// Example: the engine ignores the vulnerability here, because only merge is imported
import { merge } from "lodash";
const object = {}, other = {}; // placeholder inputs so the snippet runs stand-alone
merge(object, other);
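As an added example (not OsVault's own engine), here is a minimal version of step 2 for a single JavaScript file: named imports and destructured requires bind the vulnerable symbol directly, while a default or namespace binding (`import _ from "lodash"`) proves nothing on its own, so the check has to look for a member access like `_.template(`. The advisory table and sample sources are constructed for illustration.

```javascript
// Added example, not OsVault's engine: import-level reachability for one JS file.
// Advisory data and sample sources below are constructed for illustration.
const NAMED_IMPORT = /import\s*\{([^}]*)\}\s*from\s*["']([^"']+)["']/g;
const BINDING_IMPORT = /import\s+(?:\*\s+as\s+)?([A-Za-z_$][\w$]*)\s+from\s*["']([^"']+)["']/g;
const REQUIRE_NAMED = /(?:const|let|var)\s*\{([^}]*)\}\s*=\s*require\(\s*["']([^"']+)["']\s*\)/g;
const REQUIRE_BINDING = /(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*require\(\s*["']([^"']+)["']\s*\)/g;

// "lodash/template" -> ["lodash", "template"]; "@scope/pkg/sub" -> ["@scope/pkg", "sub"]
function splitSpecifier(spec) {
  const parts = spec.split("/"), n = spec.startsWith("@") ? 2 : 1;
  return [parts.slice(0, n).join("/"), parts.slice(n).join("/")];
}

// "template as tpl, merge" or "template: tpl" -> the exported names actually bound
function importedNames(list) {
  return list.split(",").map(s => s.trim()).filter(Boolean).map(s => s.split(/\s+as\s+|\s*:\s*/)[0]);
}

// advisories: { "<package>": ["<vulnerable export>", ...] }. One hit per export the file can call.
function findReachableVulns(source, advisories) {
  const hits = [];
  // Named import / destructured require: the vulnerable symbol is bound directly.
  for (const [, list, spec] of [...source.matchAll(NAMED_IMPORT), ...source.matchAll(REQUIRE_NAMED)]) {
    const [pkg] = splitSpecifier(spec);
    for (const fn of importedNames(list)) {
      if ((advisories[pkg] || []).includes(fn)) hits.push({ pkg, fn, via: "named import" });
    }
  }
  // Default / namespace binding: the import line alone proves nothing, because the whole
  // module is in scope; reachability needs a member access such as `_.template(`.
  for (const [, binding, spec] of [...source.matchAll(BINDING_IMPORT), ...source.matchAll(REQUIRE_BINDING)]) {
    const [pkg, sub] = splitSpecifier(spec), vulnerable = advisories[pkg] || [];
    if (sub) { // deep import such as "lodash/template": the binding *is* the function
      if (vulnerable.includes(sub)) hits.push({ pkg, fn: sub, via: `deep import ${spec}` });
      continue;
    }
    for (const fn of vulnerable) {
      const member = new RegExp(`(?<![\\w$])${binding.replace(/\$/g, "\\$")}\\s*\\.\\s*${fn}(?![\\w$])`);
      if (member.test(source)) hits.push({ pkg, fn, via: `member access on ${binding}` });
    }
  }
  return hits;
}

// Constructed advisory: treat lodash.template as the vulnerable export.
const ADVISORIES = { lodash: ["template"] };
const FLAGGED = 'import { template as tpl } from "lodash";\nconst html = tpl("hello <%= user %>");';
const IGNORED = 'import { merge } from "lodash";\nmerge({}, {});';
const NAMESPACE = 'import _ from "lodash";\nconst html = _.template("hello");';
// FLAGGED -> one "named import" hit, IGNORED -> [], NAMESPACE -> one "member access on _" hit
for (const src of [FLAGGED, IGNORED, NAMESPACE]) console.log(findReachableVulns(src, ADVISORIES));
```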

Supporting the Modern Polyglot Stack

We started with Node.js and Python. However, enterprise software isn't built in a vacuum. A modern microservices architecture often operates a Go gateway, Java core services, and Rust edge functions.

Last week, we quietly rolled out reachability support for Go, Java (Maven/Gradle), and Rust.

By maintaining highly optimized regex and fast AST parsers in our Rust ingestion engine, we are able to determine reachability across all 5 ecosystems in under 500ms on a Vercel Edge function.

What's Next?

We are working on Call Graph Traversal for our Enterprise tier. This means not only detecting if a function is imported, but statically analyzing if control flow actually reaches the imported vulnerable function from a public web endpoint.

Say goodbye to false positives. Start securing your supply chain today.

Stop chasing false positives.

OsVault analyzes your AST directly within GitHub PRs to determine if vulnerabilities are actually reachable.