1 point by Oatcake214 hours ago | 1 comment
  • Oatcake214 hours ago
    I built a vulnerability scanner targeting logic bugs that Semgrep, CodeQL, and Snyk structurally cannot catch because they pattern-match syntax, not behaviour.

    SAST tools find SQL injection and XSS. They can't find a booking endpoint that lets any authenticated user delete another user’s booking. The code is syntactically valid — the bug is in what’s missing (an ownership check), not what’s present.
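The booking case the comment describes, as an added example in Python that is not the commenter's scanner or any code from the post: the delete handler with the ownership check absent sits beside the same handler with the check present, and a small probe shows why only a behavioural test (or a tool reasoning about what is missing) separates the two. All names here (`Booking`, `BookingStore`, `delete_booking_vulnerable`, `delete_booking_fixed`, `cross_user_delete_allowed`) are assumptions for the illustration; the in-memory store stands in for a database.

```python
"""Added example (not the commenter's code): a booking-delete endpoint with the
ownership check missing, next to the fixed version. All names are assumed."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller does not own the booking (authorization failure)."""


class NotFound(Exception):
    """Raised when no booking has the requested id."""


@dataclass
class Booking:
    booking_id: int
    owner_id: int


@dataclass
class BookingStore:
    # Constructed stand-in for a database table: booking_id -> Booking
    bookings: dict = field(default_factory=dict)

    def add(self, booking: Booking) -> None:
        self.bookings[booking.booking_id] = booking

    def get(self, booking_id: int) -> Booking:
        booking = self.bookings.get(booking_id)
        if booking is None:
            raise NotFound(booking_id)
        return booking


def delete_booking_vulnerable(store: BookingStore, current_user_id: int, booking_id: int) -> bool:
    """Authenticated but not authorized: any logged-in user can delete any booking.
    Every line is valid and there is no dangerous sink for a syntax-matching
    SAST rule to flag; the defect is the comparison that is not here."""
    booking = store.get(booking_id)          # existence check only
    del store.bookings[booking.booking_id]
    return True


def delete_booking_fixed(store: BookingStore, current_user_id: int, booking_id: int) -> bool:
    """Same endpoint with the object-level ownership check the post talks about."""
    booking = store.get(booking_id)
    if booking.owner_id != current_user_id:  # the missing check: caller must own the object
        raise Forbidden(f"user {current_user_id} does not own booking {booking_id}")
    del store.bookings[booking.booking_id]
    return True


def cross_user_delete_allowed(handler) -> bool:
    """Behavioural probe: a fresh store holds one booking owned by user 1; user 2
    tries to delete it. Returns True when the handler lets the deletion through,
    i.e. when the ownership check is absent."""
    store = BookingStore()
    store.add(Booking(booking_id=101, owner_id=1))
    try:
        handler(store, current_user_id=2, booking_id=101)
    except Forbidden:
        return False
    return 101 not in store.bookings


if __name__ == "__main__":
    for name, handler in (("vulnerable", delete_booking_vulnerable), ("fixed", delete_booking_fixed)):
        print(f"{name}: cross-user delete allowed = {cross_user_delete_allowed(handler)}")
```

The probe is the shape of a regression test worth keeping next to every object-addressed endpoint: create a resource as one principal, act on it as another, and assert that the action is refused. It catches the missing check regardless of how the handler is written, which is exactly the gap a syntax-based rule leaves open.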