Why I built attack-chain correlation on top of Semgrep and Joern
Source: DEV Community
I've been running security scans on codebases for a while, and the thing that always bothered me about Semgrep wasn't the false positive rate or the speed. It was that the output was useless in the wrong way. You'd get a list. Line 42, SQL injection. Line 187, hardcoded secret. Line 304, missing auth check. Fifty findings, no story. Nothing that says "here's how an attacker actually gets from the front door to the database." Just a queue of problems with no context for how bad any of them actually are.

So I built Vulnchain to fix that.

What Semgrep is good at

Semgrep is a pattern matcher. Fast, accurate within a file, easy to write rules for. If you want to catch `mysql_query($_GET['id'])` across 50 PHP files, it does that in seconds. The problem is it stops at function boundaries. Take this from DVWA:

```php
// login.php
function login($user, $pass) {
    $query = buildQuery($user, $pass);  // Semgrep stops here
    return db_execute($query);
}

// db_helpers.php
function buildQuery($u, $p) {
    return
```
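To make the function-boundary problem concrete, here is an added example (not Vulnchain, Semgrep or Joern code) that models the snippet above as a tiny intermediate representation and runs two scans over it: a per-function scan where every callee is opaque, and an interprocedural scan that follows the value of `buildQuery()` back into `login()` and reports the chain from the request parameter to `db_execute()`. The IR itself, the `handle_request` entry point, the `get_param` source stand-in for `$_GET`/`$_POST`, and the body of `buildQuery()` (cut off in the snippet above) are all assumptions made for the example.

```python
"""Toy interprocedural taint tracker (added example, not Vulnchain/Semgrep/Joern code).

Expressions: ("lit", text) | ("var", name) | ("concat", [expr...]) | ("call", callee, [expr...])
Statements:  ("assign", name, expr) | ("return", expr)
"""
from dataclasses import dataclass

SOURCES = {"get_param"}   # constructed stand-in for reading $_GET / $_POST
SINKS = {"db_execute"}    # the sink from the article's snippet

PARAMS = {"handle_request": [], "login": ["user", "pass"], "buildQuery": ["u", "p"]}
PROGRAM = {
    # constructed entry point: reads request parameters and calls login()
    "handle_request": [
        ("assign", "u", ("call", "get_param", [("lit", "username")])),
        ("assign", "p", ("call", "get_param", [("lit", "password")])),
        ("return", ("call", "login", [("var", "u"), ("var", "p")])),
    ],
    # login.php as in the article
    "login": [
        ("assign", "query", ("call", "buildQuery", [("var", "user"), ("var", "pass")])),
        ("return", ("call", "db_execute", [("var", "query")])),
    ],
    # db_helpers.php: the article's snippet is cut off here, so this body is assumed
    "buildQuery": [
        ("return", ("concat", [("lit", "SELECT * FROM users WHERE user='"), ("var", "u"),
                               ("lit", "' AND pass='"), ("var", "p"), ("lit", "'")])),
    ],
}


@dataclass(frozen=True)
class Finding:
    source: str    # where the attacker-controlled value entered
    via: tuple     # user functions whose return value carried the taint
    stack: tuple   # call stack at the sink, entry point first
    sink: str

    def chain(self) -> str:
        hops = " -> ".join((self.source,) + self.via + (self.sink,))
        return f"{hops}  [reached in {self.stack[-1]}, entry {self.stack[0]}]"


def _taint(expr, env, stack, findings, cross):
    """Return the set of (source, via) pairs flowing into expr; record sink hits."""
    kind = expr[0]
    if kind == "lit":
        return set()
    if kind == "var":
        return set(env.get(expr[1], ()))
    if kind == "concat":
        return set().union(*(_taint(e, env, stack, findings, cross) for e in expr[1]))
    callee, args = expr[1], expr[2]
    arg_taints = [_taint(a, env, stack, findings, cross) for a in args]
    if callee in SOURCES:
        label = args[0][1] if args and args[0][0] == "lit" else "?"
        return {(f"{callee}({label})", ())}
    if callee in SINKS:
        for src, via in set().union(*arg_taints):
            findings.append(Finding(src, via, tuple(stack), callee))
        return set()
    if cross and callee in PROGRAM and callee not in stack:   # descend, guard recursion
        ret = analyze(callee, arg_taints, stack, findings, cross)
        return {(src, via + (callee,)) for src, via in ret}
    if cross:
        return set().union(*arg_taints)   # unknown library call: propagate conservatively
    # Per-function mode: the callee is opaque, so its return value looks clean.
    # This is exactly the gap described in the article.
    return set()


def analyze(fn, arg_taints, stack, findings, cross=True):
    """Propagate taint through fn with its parameters bound to arg_taints."""
    env = dict(zip(PARAMS[fn], arg_taints))
    frame = stack + [fn]
    ret = set()
    for stmt in PROGRAM[fn]:
        if stmt[0] == "assign":
            env[stmt[1]] = _taint(stmt[2], env, frame, findings, cross)
        else:
            ret |= _taint(stmt[1], env, frame, findings, cross)
    return ret


def scan_per_function():
    """Each function checked alone: parameters untainted, callees opaque."""
    findings = []
    for fn in PROGRAM:
        analyze(fn, [set() for _ in PARAMS[fn]], [], findings, cross=False)
    return sorted(findings, key=lambda f: f.source)


def scan_interprocedural(entry="handle_request"):
    """Walk from the entry point, following return values across functions."""
    findings = []
    analyze(entry, [], [], findings, cross=True)
    return sorted(findings, key=lambda f: f.source)


if __name__ == "__main__":
    print("per-function findings:", len(scan_per_function()))
    for f in scan_interprocedural():
        print(f.chain())
```

The per-function scan reports nothing, because inside `login()` the value returned by `buildQuery()` has no known origin, and inside `buildQuery()` the parameters have none either. The interprocedural scan reports one chain per request parameter, naming the entry point, the helper the value passed through, and the function where the sink is hit, which is the "story" the article says a flat finding list lacks. Real tools replace the hand-written IR with a parsed call graph and data-flow graph, but the propagation rule (summarize a callee's return taint in terms of its argument taint) is the same idea.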