Do you discuss anywhere what you use for static analysis? I skimmed through your blog but didn't see any details. Also -- did you detect and publish this BEFORE it became public knowledge? It's unclear.
We've built our own minimalist static analysis engine that only supports scanning for the specific supply chain threats we care about. For that reason, it's a lot simpler and faster than a generic engine.
I'll see if we can write up a bit about how it works in a future blog post.