I Built a Security Scanner That Uses Your Python AST — Not an LLM, Not a Cloud Service


via Dev.to Python, by Lakshmi Sravya Vedantham

A project called shannon hit GitHub trending this week with a 96% success rate on penetration testing benchmarks. Autonomous AI that reads your source code, finds vulnerabilities, and executes working exploits to prove they're real. I've been watching the AI security space and that number is legitimately impressive.

But it also raised a question I couldn't stop thinking about: how many basic security issues are sitting in codebases right now that don't need a 96%-accurate AI pentester to find? Pattern matching. AST analysis. Zero LLM. Things Python has been able to do for years.

So I built vuln-grep to answer that question on my own code.

What it detects

    vuln-grep scan ./src

Sample output:

    Scanned 43 files — 3 finding(s):

    [HIGH] SQL_INJECTION api/views.py:47
      SQL query built with f-string — use parameterized queries
      → query = f"SELECT * FROM users WHERE id = {user_id}"

    [HIGH] UNSAFE_EVAL utils/sandbox.py:12
      eval() called with dynamic argument — potential code injection
      → result = eval(u
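The two rules in the sample output above (an f-string used to build a SQL statement, and eval() with a non-literal argument) are exactly the kind of check the standard-library ast module can do without any model or network call. The scanner below is an added example written for this page; it is not vuln-grep's own code and assumes nothing about its internals. It walks the parsed tree with an ast.NodeVisitor, flags f-strings and, going one step beyond the excerpt, %-formatting and str.format() calls whose literal part starts with a SQL keyword, and flags eval()/exec() whenever the first argument is not a constant. The SAMPLE module it scans is constructed for the demonstration; the file name, the Finding record and the report format are this example's choices, modelled on the output shown above.

```python
import ast
from dataclasses import dataclass

# SQL statements we consider "query text" when they appear as the literal part
# of a dynamically built string. Extend as needed; kept short for clarity.
SQL_KEYWORDS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ", "DROP ")


@dataclass
class Finding:
    severity: str
    rule: str
    line: int
    message: str


def _looks_like_sql(text: str) -> bool:
    """True when the literal text starts with a SQL statement keyword."""
    return text.lstrip().upper().startswith(SQL_KEYWORDS)


class VulnVisitor(ast.NodeVisitor):
    """Collects findings for dynamically built SQL and dynamic eval()/exec()."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _sql(self, node: ast.AST, how: str) -> None:
        self.findings.append(Finding(
            "HIGH", "SQL_INJECTION", node.lineno,
            f"SQL query built with {how}; use parameterized queries"))

    def visit_JoinedStr(self, node: ast.JoinedStr) -> None:
        # An f-string: literal pieces are ast.Constant, interpolations are
        # ast.FormattedValue. Only flag if both exist and the text is SQL.
        literal = "".join(v.value for v in node.values if isinstance(v, ast.Constant))
        has_interp = any(isinstance(v, ast.FormattedValue) for v in node.values)
        if has_interp and _looks_like_sql(literal):
            self._sql(node, "f-string")
        self.generic_visit(node)

    def visit_BinOp(self, node: ast.BinOp) -> None:
        # "SELECT ... %s" % value  (old-style formatting)
        if (isinstance(node.op, ast.Mod) and isinstance(node.left, ast.Constant)
                and isinstance(node.left.value, str) and _looks_like_sql(node.left.value)):
            self._sql(node, "%-formatting")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # eval(x) / exec(x) where x is anything other than a string literal.
        if isinstance(func, ast.Name) and func.id in ("eval", "exec"):
            if node.args and not isinstance(node.args[0], ast.Constant):
                self.findings.append(Finding(
                    "HIGH", "UNSAFE_EVAL", node.lineno,
                    f"{func.id}() called with dynamic argument; potential code injection"))
        # "SELECT ... {}".format(value)
        if (isinstance(func, ast.Attribute) and func.attr == "format"
                and isinstance(func.value, ast.Constant)
                and isinstance(func.value.value, str)
                and _looks_like_sql(func.value.value)
                and (node.args or node.keywords)):
            self._sql(node, "str.format()")
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<string>") -> list[Finding]:
    """Parse one module and return its findings ordered by line number."""
    visitor = VulnVisitor()
    visitor.visit(ast.parse(source, filename=filename))
    return sorted(visitor.findings, key=lambda f: f.line)


def format_report(findings: list[Finding], filename: str) -> list[str]:
    """Render findings in the '[SEVERITY] RULE file:line' style of the excerpt."""
    return [f"[{f.severity}] {f.rule} {filename}:{f.line} {f.message}" for f in findings]


# Constructed sample module. The backslash after ''' drops the first newline so
# that the first source line is line 1, which keeps the expected line numbers obvious.
SAMPLE = '''\
def get_user(cursor, user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    cursor.execute(query)

def safe_user(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

def run(expr):
    return eval(expr)

def banner():
    return f"Hello {1 + 1}"

CONST = eval("2 + 2")

def old_style(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
'''

if __name__ == "__main__":
    for line in format_report(scan_source(SAMPLE), "sample.py"):
        print(line)
```

The visitor deliberately ignores the safe forms in the sample: a parameterized execute() (line 6), an f-string that is not SQL (line 12) and eval() of a literal (line 14) produce no findings, while the f-string query, the dynamic eval() and the %-formatted query are reported on lines 2, 9 and 17.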

Continue reading on Dev.to Python
