What is a 'prove-don't-flag' scanner?

Short answer

A scanner that does not file a finding unless it can reproduce the exploit in a sandbox. Every reported finding is backed by a reproduction, so false positives are eliminated by construction; the flip side is that anything the sandbox cannot reproduce stays silent. Securie is the canonical example.

Pattern-match SAST tools (Snyk, Semgrep, CodeQL) flag code that matches a rule: a syntactic pattern or a static taint path. Some matches are safe in context (the input is validated before it reaches the sink, or the path is unreachable), and those matches are false positives.

Prove-don't-flag scanners require runtime proof: spawn a sandboxed copy of the app, attempt the exploit against it, and confirm that the exploit actually reproduces (the injected behaviour is observed, not just the pattern). If it cannot be reproduced, no finding is filed.

Securie implements the prove-don't-flag invariant with Firecracker microVMs: each candidate finding is reproduced in its own ephemeral microVM, which is torn down after the attempt.
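Minimal working version of the loop above, added here as an illustration and not Securie's code: a toy app with two handlers that both match a "SQL built with an f-string" rule, a pattern stage that flags both, and a reproduction stage that gives each candidate a fresh in-memory SQLite database (a stand-in for the per-finding ephemeral microVM), fires a canonical payload, and keeps only the candidate where the injection is observed. All names (lookup_user_unsafe, lookup_user_validated, pattern_scan, try_reproduce, the payload and the row-count oracle) are constructed for this example.

```python
"""Toy prove-don't-flag loop (constructed example, not Securie's code):
a pattern scanner produces candidates, a sandboxed reproduction attempt
decides which of them become findings."""
import inspect
import re
import sqlite3
from dataclasses import dataclass

# --- Toy target application (constructed). Both handlers build SQL with an
# f-string, so a pattern rule flags both. Only the first is exploitable.

def lookup_user_unsafe(db, user_id: str):
    # user_id reaches the query unvalidated: injectable
    return db.execute(f"SELECT id, name FROM users WHERE id = {user_id}").fetchall()

def lookup_user_validated(db, user_id: str):
    # same sink, but the input is constrained to digits first: safe in context
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError("user_id must be numeric")
    return db.execute(f"SELECT id, name FROM users WHERE id = {user_id}").fetchall()

HANDLERS = {
    "lookup_user_unsafe": lookup_user_unsafe,
    "lookup_user_validated": lookup_user_validated,
}

# --- Stage 1: pattern scanner. Flags any handler whose source passes an
# f-string straight into execute(); it cannot see the validation.
SINK_RULE = re.compile(r'execute\(f"')

def pattern_scan(handlers):
    return [name for name, fn in handlers.items()
            if SINK_RULE.search(inspect.getsource(fn))]

# --- Stage 2: sandboxed reproduction. Each candidate gets a fresh
# in-memory database (stand-in for a per-finding ephemeral environment).

@dataclass
class Finding:
    handler: str
    payload: str
    evidence: list

def fresh_sandbox():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

# A benign request names a single id, so a correct handler returns one row.
PAYLOAD = "1 OR 1=1"

def try_reproduce(handler_name):
    db = fresh_sandbox()
    try:
        rows = HANDLERS[handler_name](db, PAYLOAD)
    except Exception:
        return None          # app rejected the attempt: not reproduced
    finally:
        db.close()           # sandbox torn down whatever the outcome
    # Oracle: more than one row means the injected predicate took effect.
    if len(rows) > 1:
        return Finding(handler_name, PAYLOAD, rows)
    return None

def prove_dont_flag(handlers):
    findings = []
    for name in pattern_scan(handlers):
        f = try_reproduce(name)
        if f is not None:
            findings.append(f)
    return findings

if __name__ == "__main__":
    print("pattern candidates:", pattern_scan(HANDLERS))
    for f in prove_dont_flag(HANDLERS):
        print(f"FINDING {f.handler}: payload={f.payload!r} rows={f.evidence}")
```

Running it shows the pattern stage flagging both handlers and the reproduction stage filing only lookup_user_unsafe; lookup_user_validated is never reported, because the attempt is rejected rather than matched. The oracle is the part that matters in practice: it has to observe the exploit's effect (here, extra rows), not the presence of the pattern.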
