Semgrep’s Remediation at Scale report analyzed remediation patterns across 50,000+ repositories in 2025 and found large, category-specific fix-rate gaps between high-performing “leaders” and the rest (“field”). The biggest gaps are in OWASP categories that require architectural changes—especially Authentication Failures and Cryptographic Failures—and leaders close more issues by using PR-level scanning, blocking rules, reachability analysis, and a 90-day escalation policy. #Semgrep #OWASPTop10
Key points
- Leaders fix critical SAST findings far more often than the field, showing the gap is execution, not detection.
- Authentication Failures (A07) have a 48-point leader-field gap and Cryptographic Failures (A02) a 38-point gap.
- PR-level scanning speeds remediation by up to 9x when findings are actionable, with leaders resolving PR-detected SAST findings in about 4.8 days.
- Blocking high-confidence rules and building workflows to support blocked merges delivers the largest lift in fix rates.
- Vulnerabilities open for more than 90 days are unlikely to be fixed, so treat 90 days as an escalation point to remediate, accept, or mute.
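The four practices above (PR-level scanning, high-confidence blocking rules, reachability analysis, and a 90-day escalation point) combine naturally into one triage policy. The following is an added example, not code from the report or from Semgrep; the finding fields, the rule ids and the sample findings are constructed for illustration and do not follow Semgrep's output schema.

```python
"""Triage policy modelled on the report's recommendations (added example).

Assumption: each SAST finding carries a severity, a rule-confidence level,
a reachability verdict, an open date and whether it surfaced in a PR scan.
Field names are hypothetical; they are not Semgrep's JSON schema.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

ESCALATION_DAYS = 90            # past this age, findings are rarely fixed
HIGH_IMPACT = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str      # "critical" | "high" | "medium" | "low"
    confidence: str    # rule precision: "high" | "medium" | "low"
    reachable: bool    # True if reachability analysis shows the sink is reached
    opened: date       # date the finding was first seen
    in_pr: bool        # surfaced by PR-level scanning (vs. a scheduled full scan)


def should_block(f: Finding) -> bool:
    """Blocking rule: only high-confidence, reachable, high-impact PR findings.

    Keeping the blocking set narrow is what makes a blocked merge credible to
    developers; low-confidence rules stay advisory so the gate is not ignored.
    """
    return (f.in_pr and f.confidence == "high"
            and f.severity in HIGH_IMPACT and f.reachable)


def triage(f: Finding, today: date) -> str:
    """Return the action for one finding: block, escalate, fix or monitor."""
    if should_block(f):
        return "block"
    if (today - f.opened).days > ESCALATION_DAYS:
        # 90-day escalation point: the owner must remediate, accept, or mute.
        return "escalate"
    if f.reachable and f.severity in HIGH_IMPACT:
        return "fix"
    return "monitor"


def summarize(findings, today: date) -> Counter:
    """Count findings per action, e.g. for a weekly remediation report."""
    return Counter(triage(f, today) for f in findings)


# Constructed sample findings; TODAY fixes the ages so results are reproducible.
TODAY = date(2026, 3, 15)
SAMPLE = [
    Finding("example.sqli", "critical", "high", True, date(2026, 3, 14), True),
    Finding("example.weak-hash", "high", "high", True, date(2025, 11, 1), False),
    Finding("example.missing-authz", "high", "medium", True, date(2026, 3, 1), True),
    Finding("example.reflected-xss", "medium", "low", False, date(2026, 2, 20), True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.rule_id:28} {(TODAY - f.opened).days:4d}d  {triage(f, TODAY)}")
    print(dict(summarize(SAMPLE, TODAY)))
```

The second sample finding is a reachable weak-hash issue that has been open 134 days; under this policy it is no longer just "fix", it is escalated because the report's data says findings that old are unlikely to close without a forced decision. The third is high severity but only medium confidence, so it is fixed rather than merge-blocked.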
Read More: https://thehackernews.com/expert-insights/2026/03/which-code-vulnerabilities-actually-get.html