What Your Auditor Wants From Your AI Codebase
Auditors do not accept stochastic scanner output. Deterministic, reproducible, citation-ready YAML — the audit posture an AI-augmented engineering team needs by 2026.
Notes on AI code review, static analysis noise reduction, and shipping cleaner code with Claude Code / Cursor.
A static-analysis report with 1,500 findings is functionally a report with zero findings — nobody reads it. The bottleneck is ranking, not detection.
AI code review and deterministic static analysis are complementary layers, not competitors. The math of running both, the hand-off prompt, and when replacing one with the other is wrong.
AI coding assistants reason within a single file's context window and miss bugs whose taint flows across three or more files. The category that ships past AI-assisted review.
AI-generated code drove a 2.74× CVE increase in Q1 2026 — from 6 AI-attributed CVEs in January to 35 in March alone. A reading of what the data says about where deterministic detection needs to go.
The full BrassCoders CLI is open source on GitHub under Apache 2.0. 12 scanners, source-auditable detection, contributions welcome. Repo at CopperSunDev/brasscoders.
BrassCoders scans run entirely on your machine by default. The Paid plan adds one network call to our gateway with already-redacted findings, never raw source code. Here is every byte that leaves your machine.
BrassCoders Paid is now generally available. $12/dev/month adds AI-powered semantic dedup, cluster sizing, and rank-by-relevance against your project signature. The OSS core stays free forever.
AI coding assistants embed credentials in generated config files, example scripts, and test fixtures more often than developers expect. The detection pattern is entropy plus format matching — here is what BrassCoders scans for and why.
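The "entropy plus format matching" pattern in that post, as an added example that is not BrassCoders' own code: known token formats (AWS access key IDs, GitHub personal access tokens, Stripe secret keys, all documented public formats) are matched by regex and reported regardless of entropy; anything else assigned to a secret-looking name is scored by Shannon entropy so that placeholders like "your-api-key-here" fall out while a random 32-character value is kept. The sample lines, the placeholder word list, and the 3.5 bits/char threshold are constructed for this illustration; none of the token values are real credentials.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines of the kind an assistant drops into a config file,
# an example script, or a test fixture. None of these values are real secrets;
# the AWS and Stripe values are the vendors' documented example/test strings.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'STRIPE_KEY = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"',
    'api_key = "your-api-key-here"',
    'GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"',
    'PASSWORD = "changeme"',
    'CLIENT_SECRET = "qLn7Rg2XvPz8tKw3HbYc5MfJ0DsAeUoI"',
    'timeout = 30',
]

# Documented token formats. A format hit is reported regardless of entropy or
# placeholder words: a well-formed key is worth a reviewer's look either way.
FORMAT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b"),
}

# Generic "secret-ish name = quoted value" assignment for tokens whose format is
# unknown; these go through the placeholder filter and the entropy threshold.
ASSIGNMENT = re.compile(
    r"(?i)\w*(?:api[_-]?key|secret|token|password|passwd|pwd)\w*\s*[:=]\s*[\"']([^\"']+)[\"']"
)
PLACEHOLDER = re.compile(r"(?i)example|changeme|your[-_ ]|xxx|<.*>|\$\{.*\}")
MIN_LENGTH = 16     # shorter strings cannot carry enough entropy to score reliably
MIN_ENTROPY = 3.5   # bits/char (assumed threshold): English text ~3.0, random base62 ~5.9


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


@dataclass
class Finding:
    line: int
    detector: str   # "format:<name>" or "entropy"
    entropy: float
    redacted: str   # prefix kept for triage, rest masked so reports are safe to share


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(lines):
    """Return one Finding per line: a format match wins, otherwise the entropy path."""
    findings = []
    for idx, text in enumerate(lines, start=1):
        for name, pattern in FORMAT_PATTERNS.items():
            m = pattern.search(text)
            if m:
                token = m.group(0)
                findings.append(Finding(idx, "format:" + name,
                                        round(shannon_entropy(token), 2), redact(token)))
                break
        else:
            m = ASSIGNMENT.search(text)
            if not m:
                continue
            value = m.group(1)
            # Placeholders and short values are suppressed before scoring.
            if len(value) < MIN_LENGTH or PLACEHOLDER.search(value):
                continue
            h = shannon_entropy(value)
            if h >= MIN_ENTROPY:
                findings.append(Finding(idx, "entropy", round(h, 2), redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line}: {f.detector} (H={f.entropy} bits/char) {f.redacted}")
```

Running it flags lines 1, 2 and 4 on format and line 6 on entropy (all 32 characters distinct, so exactly 5.0 bits/char), while "your-api-key-here" scores about 3.3 bits/char and is also caught by the placeholder list, and "changeme" is too short to score. The entropy path is where false positives live: hashes, UUIDs and base64-encoded fixtures all score high, which is why a real scanner pairs this with context (variable name, file type) and a ranking step rather than reporting raw hits.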
A worked example of BrassCoders plus an AI assistant doing real PR review work. Scan locally, hand the ranked output to Claude Code or Cursor, walk each finding to a diff. Total reviewer time stays roughly constant regardless of diff size.
AI coding assistants confidently generate imports of packages that don't exist on PyPI or npm. The pattern is documented, the supply-chain risk is real, and the detection is straightforward — here is how it works.
AI code review tools surface a lot of speculative noise alongside the real bugs. Here's why that happens and how to filter the output down to the findings that merit a developer's attention.