stageclear — 8-bit Edition

WE RAN THE EXPERIMENT

We took a real Django app with 50 intentional vulnerabilities planted across 5 difficulty tiers. We ran every popular security tool with its default out-of-box setup — exactly how a developer would install and run them. No custom rules. No flags. No configuration. Then we ran stageclear scan .

Here is what happened.

32%

vulnerabilities
caught by
all 9 default tools
combined

78%

vulnerabilities
caught by
stageclear
one command

50%

of Bandit's
findings were
noise or
false positives

2.6%

stageclear
false positive
rate

2/9

tools
completely
failed
to run

TOOL	RAW OUTPUT	UNIQUE VULNS FOUND	NOISE / FP RATE	STATUS
Bandit	18 findings	9 real	50% noise	Runs
Ruff (security)	15 findings	9 real	40% noise	Runs
Semgrep auto	28 findings	~22 real	21% noise	Runs
Bearer	25 findings	24 real	4% noise	Runs
Safety	110 findings	5 packages	0% but 22× inflated	Runs
OSV-Scanner	111 findings	8 packages	0% but duplicated	Runs
Gitleaks	0 findings	0 real	—	✗ FAILED
detect-secrets	6 findings	2 real	67% false positive	Runs*
pip-audit	—	0	—	✗ FAILED
stageclear scan .	77 findings	39/50 vulns	2.6% false positive	✓ WORKS

* detect-secrets requires --all-files flag; without it finds 0. Gitleaks fails silently on non-git directories.

☠ WHAT DEFAULT TOOLS COMPLETELY MISSED ☠

SECRET_KEY = 'super-secret-key-12345' in settings.py — both Gitleaks and detect-secrets missed this completely
DEBUG = True in production settings — not one baseline SAST tool caught it
ALLOWED_HOSTS = ['*'] wildcard — zero detections across all tools
Missing clickjacking header (XFrameOptionsMiddleware removed) — baseline blind to config absence
CORS wildcard + credentials in middleware — not caught by any default ruleset
Password logged to stdout (logger.info password=...) — zero flags from any tool
IDOR (no owner check on document fetch) — baseline has no data flow context
Race condition in credits transfer — requires semantic understanding
Host header injection in password reset — missed across all 9 tools
ReDoS catastrophic regex in username validator — no baseline tool caught it
XXE via lxml.etree.parse() — none of the 9 tools flagged it by default
Pickle session serializer buried in settings — invisible to default scanners

VULNERABILITY TIERS: COVERAGE BREAKDOWN

TIER 1

OBVIOUS
junior scan
should catch

Default 4 / 10

stageclear 9 / 10

TIER 2

HIDDEN
basic flow
analysis

Default 3 / 10

stageclear 10 / 10

TIER 3

DEEP
cross-file
data flow

Default 5 / 10

stageclear 10 / 10

TIER 4

VERY HARD
semantic
reasoning

Default 2 / 10

stageclear 5 / 10

TIER 5

EXPERT
domain
expertise

Default 2 / 10

stageclear 5 / 10

POWER-UPS UNLOCKED

🗡️

SAST LAYER

Bandit + Semgrep + Ruff + Bearer run in parallel. 569 custom rules built for real Django, Flask, FastAPI, aiohttp, Tornado, Streamlit, GraphQL and more — attack patterns default tools never see

🧪

SCA LAYER

OSV-Scanner + pip-audit + Safety. Three databases, zero build failures, deduplicated to one clean finding per vulnerable package — not 111 raw CVE entries

🔐

SECRETS LAYER

Gitleaks + detect-secrets both run correctly. stageclear adds --no-git and --all-files automatically so neither tool silently returns zero results

⚡

3-LAYER DEDUP

Same finding reported by 3 tools? You see it once. Cross-tool CWE + file + line dedup. Fuzzy ±5-line linking. 77 clean findings vs 313 raw — signal, not noise

SELECT YOUR FIGHTER

Free runs all 11 open-source scanners with their default detection rules — exactly what you'd get doing it yourself, in one command.
Pro adds 569 custom detection rules built for real attack patterns default tools never see — plus deduplication, baselines, and CI integration.

FREE

forever · unlimited scans · no credit card

11 open-source scanners · unlimited scans

All 9 scanners in one command
SAST: Bandit + Ruff + Semgrep + Bearer
SCA: OSV-Scanner + pip-audit + Safety
Secrets: Gitleaks + detect-secrets
Auto-detects Python / Django / Flask / FastAPI
Terminal output with severity colours
3-layer deduplication engine
569 custom detection rules (Pro only)
JSON / SARIF export
Baseline tracking (ignore known issues)
CI/CD integration
Rule update feed

$ go install stageclear@latest

PRO

$39/mo

unlimited scans · cancel anytime

+569 custom detection rules · unlimited scans

Everything in Free
3-layer dedup: 313 raw → 77 clean findings
569 custom detection rules: Django / Flask / FastAPI / aiohttp / Tornado / more
Baseline: commit findings, re-scan shows only new
JSON + SARIF v2.1.0 export for ticketing systems
CI mode: non-zero exit on new critical findings
Rule update feed: new rules as threats emerge
Weekly scan reports via email
Severity tuning per project
Priority support

▶ START PRO — $39/MO ◀

WHY PRO BEATS THE FREE PLAN

WHAT YOU GET	FREE	★ PRO
Detection rules	default rules only	+569 custom rules
Duplicate findings from 9 tools collapsed into one	✗	✓
569 custom rules (Django / Flask / FastAPI / aiohttp / Tornado / more)	✗	✓
DEBUG=True, ALLOWED_HOSTS=*, missing middleware detection	✗	✓
Baseline: only show findings newer than last commit	✗	✓
SARIF output for GitHub / Jira / Linear	✗	✓
CI/CD: block deploy on new criticals	✗	✓
False positive rate	~25% (Semgrep default)	2.6% with dedup + custom rules
T1–T3 vulnerability coverage (out of 30)	~50% default rules	97% with +569 custom rules
Hardcoded secrets: SECRET_KEY, DB passwords caught	✗ default tools miss these	✓
Rule update feed	✗	✓ new rules as threats emerge