HN Reader

Earth's seasons in all their complexity in a new animated map (theconversation.com)

1 points by gmays 3m ago 0 comments

Thagomizer (en.wikipedia.org)

1 points by baalimago 6m ago 0 comments

Context Engineering: Rapid Agent Prototyping – Jason Liu (jxnl.co)

1 points by sourcetms 8m ago 0 comments

Wonderful Medieval Illuminated Manuscripts (2021) (thecollector.com)

1 points by swatson741 9m ago 0 comments

Lidar/Phone Camera PSA (twitter.com)

1 points by bilsbie 10m ago 0 comments

Show HN: JSONeer, a Platform for Creating and Fetching JSONs Effortlessly (jsoneer.dev)

1 points by NabilNYMansour 12m ago 0 comments

Darth Vader's Lightsaber Sets New Sale Record at Sci-Fi Movie Auction (gizmodo.com)

2 points by ulrischa 13m ago 0 comments

Tech leaders take turns flattering Trump at White House dinner (theverge.com)

6 points by tastyface 15m ago 2 comments

Why Wikipedia Works (pluralistic.net)

2 points by FromTheArchives 18m ago 0 comments

Oracle cuts hundreds more Bay Area jobs in latest round of layoffs (kron4.com)

2 points by mgh2 18m ago 0 comments

An Update on New Computer and Dot (new.computer)

1 points by tobr 19m ago 0 comments

First CRISPR horses spark controversy: what's next for gene-edited animals? (nature.com)

2 points by rntn 21m ago 0 comments

ETH Liquidity Check: Is It Catching Up with Bitcoin? (coindesk.com)

1 points by PaulHoule 24m ago 0 comments

US to cut some security funds for European countries bordering Russia (ft.com)

5 points by eagleislandsong 25m ago 4 comments

Are LLMs better suited for PR reviews than full codebases?

2 points by aaa_2006 25m ago 3 comments

Behind Closed Doors: The Inequalities Hiding in Modern Student Housing (joshuatravisbrown.substack.com)

1 points by paulpauper 26m ago 0 comments

Is 'The Wizard of Oz' at Sphere the Future of Cinema? Or the End of It? (nytimes.com)

2 points by paulpauper 26m ago 0 comments

The Most Annoying Captcha (claude.ai)

1 points by speckx 26m ago 0 comments

Does the Future Belong to China? (nytimes.com)

3 points by paulpauper 26m ago 0 comments

3D-Printed Scaffolds Promote Organoid Regrowth in Spinal Cord Injury (advanced.onlinelibrary.wiley.com)

1 points by westurner 27m ago 1 comments

'One and done' dose of LSD keeps anxiety at bay (npr.org)

2 points by CharlesW 28m ago 0 comments

The Equal-Custody Experiment (wsj.com)

1 points by impish9208 29m ago 1 comments

New evidence on sinking of WW2 battleship HMS Hood (youtube.com)

1 points by historynops 29m ago 0 comments

Moravec's Paradox (en.wikipedia.org)

2 points by Jimmc414 30m ago 0 comments

Dylan: An object-oriented dynamic language (lispm.de)

1 points by ingve 30m ago 0 comments

A Global Perspective on Local Sea Level Changes (mdpi.com)

1 points by mpweiher 30m ago 0 comments

Why Is Japan Still Investing in Custom Floating Point Accelerators? (nextplatform.com)

1 points by rbanffy 31m ago 0 comments

Philips introduces budget-friendly Hue bulbs as part of major lineup overhaul (arstechnica.com)

1 points by rbanffy 34m ago 0 comments

Make Something Wonderful (Steve Jobs Archive) (stevejobsarchive.com)

1 points by tosh 34m ago 0 comments

Rust for Big Data: How We Built a MPP Query Executor on S3 from Scratch (databend.com)

2 points by zhihanz 34m ago 0 comments

MinionS Protocol – Cost-Efficient Local-Remote LLM Collaboration (github.com)

1 points by mycall 35m ago 1 comments

What to Build?

1 points by CIAOBENGA 35m ago 3 comments

Minimalist Mandelbrot Set (johndcook.com)

2 points by ibobev 35m ago 0 comments

Five Minute Sprints (dsriseah.com)

1 points by speckx 35m ago 0 comments

Shifting Bits in Company History (williamyeny.github.io)

1 points by jxmorris12 36m ago 0 comments

Models of (Dependent) Type Theory (bartoszmilewski.com)

1 points by ibobev 36m ago 0 comments

Legal Issues Raised by a Lethal U.S. Military Attack in the Caribbean (justsecurity.org)

9 points by pcaharrier 37m ago 0 comments

Interposing on clone() system calls in-process, from Linux userspace (humprog.org)

1 points by ingve 37m ago 0 comments

Multithreaded Radix Sort Implementation Walkthrough [video] (rfleury.com)

1 points by ibobev 37m ago 0 comments

How many SPARCs is too many SPARCs? (thejpster.org.uk)

2 points by naves 38m ago 0 comments

Open Footwear (openfootwear.com)

1 points by kasbah 39m ago 0 comments

Show HN: Feedable – Make any site with RSS readable without installing an app (feedable.doublememory.com)

1 points by randomor 40m ago 1 comments

South Korean company workers arrested at Hyundai site in Georgia (wsj.com)

2 points by Aeroi 40m ago 0 comments

Eating insects became a conspiracy theory (bbc.com)

2 points by giuliomagnifico 42m ago 1 comments

Matmul on Blackwell: Part 2 – Using Hardware Features to Optimize Matmul (modular.com)

2 points by robertvc 42m ago 0 comments

Fantastic Pretraining Optimizers and Where to Find Them (arxiv.org)

2 points by fzliu 42m ago 0 comments

OpenAI hires the team behind Xcode coding assistant Alex (techcrunch.com)

2 points by aspenmayer 44m ago 1 comments

GitHub Spec Kit (github.com)

1 points by saikatsg 45m ago 0 comments

The Battle to Protect Time (ft.com)

1 points by bschne 45m ago 1 comments

Small but mighty: A seed-inspired monocopter idea takes flight (techxplore.com)

1 points by PaulHoule 46m ago 0 comments

Are LLMs better suited for PR reviews than full codebases?

2 aaa_2006 3 9/5/2025, 6:33:08 PM
Semgrep recently published an analysis of how LLMs perform at spotting vulnerabilities in code: https://semgrep.dev/blog/2025/finding-vulnerabilities-in-modern-web-apps-using-claude-code-and-openai-codex/

I’ve been thinking about this problem and wanted to share a perspective.

When evaluating LLMs for static analysis, I see four main dimensions: accuracy, coverage, context size, and cost.

On accuracy and coverage, today’s LLMs feel nowhere close to replacing dedicated SAST tools on real-world codebases. They do better on isolated snippets or smaller repos, but once you introduce deep dependency chains, results drop off quickly.

Context size is another bottleneck. Feeding an LLM a repo with millions of lines creates huge problems for reasoning across files, and the runtime gets impractical.

That leads to cost. Running an LLM across a massive codebase can be significantly more expensive than traditional scanners, without obvious ROI.

Where they do shine is at smaller scales — reviewing PRs, surfacing potential issues in context, or even suggesting precise fixes when the input is well-scoped. That seems like the most practical application right now. Whether providers will invest in solving the big scaling problems is still an open question.

Curious how others here think about the trade-offs between LLM-based approaches and existing SAST tools.

Comments (3)

aafanah · 18m ago
Interesting. LLMs are already shining at PR reviews even if they struggle with massive codebases right now. And they are evolving fast enough that those scaling limits might not stay limits much longer.
kogatlas · 11m ago
I'd love to see your evidence that "LLMs are already shining at PR reviews". We've used a handful of them here where I work for months now and they are rarely correct, and thus, rarely useful. Instead they tend to just summarize nonsense that wasn't even introduced in that PR, make shit up entirely, or recommend bad fixes to things that would be better solved by being removed entirely.
aafanah · 1m ago
Fair point. I think the bottom line is that it depends a lot on the context and how the prompt is framed. For PRs with small enough scope, I have seen LLMs provide decent value, mostly in surfacing potential issues or offering quick summaries. That said, the Semgrep analysis highlights that accuracy and coverage still fall short even in these narrow cases, so clearly there is still a lot of work to be done before this becomes broadly reliable.