COMPARISON · SNYK · 2026-07-11

    Gadriel vs. Snyk: Two Strong Scanners, One Big Structural Difference

    Snyk Code is genuinely strong — and it uploads your source to the cloud to analyze it. Gadriel runs 100% locally and covers the whole security job in one pass. Six apps, five languages, honest numbers.

    Gadriel vs. Snyk: Two Strong Scanners, One Big Structural Difference
    COMPARISON · SNYK·2026-07-11·12 MIN READ

    CISO NOTE

    CISO note — the Gadriel differentiator. Snyk Code is genuinely strong SAST — and it uploads your source to Snyk's cloud to do it. Gadriel runs 100% locally, air-gapped-capable, no code ever leaves the perimeter. In the same one-command pass it covers SAST + SCA + secrets + container + config + API + AI/LLM, emits SBOM + 10-framework compliance, and offers an optional bring-your-own-LLM verification tier. One tool, one bill, one on-box scan — no vendor account, no data-residency conversation with legal.

    The short version

    Let's be straight up front: Snyk is a genuinely strong, mature security platform, and Snyk Code really analyzes your source. It is not one of those scanners that only greps for patterns — it traces data flow, shows how untrusted input reaches a dangerous function, and across these six apps it reliably caught the serious bugs: SQL injection, command injection, code injection, hardcoded secrets, and more. On several repos it flagged categories Gadriel did not. This is not a "we found more" story. On detecting the dangerous code bugs, Gadriel and Snyk are peers on Gadriel's strong languages, and Snyk is ahead on Java and JavaScript breadth. We say so plainly.

    The differences that matter are structural. The headline one: Snyk Code uploads your source code to Snyk's cloud to analyze it — that's how the product works. Gadriel runs 100% locally and offline; your code never leaves your machine. On top of that, Gadriel does the whole job in one tool — code, dependencies, secrets, containers, config, and AI/LLM‑specific risks in a single pass — then learns per‑codebase and emits an SBOM plus ten compliance‑framework reports every run. If Snyk is an excellent cloud security platform, Gadriel is an excellent private, self‑contained security tool.


    How Gadriel works: one local pass

    Before the numbers, it helps to see the shape of the pipeline, because it's the root of every structural difference below. Gadriel makes one local pass over the repo that runs every scan type at once (SAST, SCA, secrets, container/IaC, config, API, AI/LLM), assigns each finding a confidence tier, and fuses everything into a single report. An optional host‑LLM verification pass (Tier‑2, off by default) can adversarially re‑check gating‑eligible SAST findings when enabled.

    flowchart LR
      R[Source repo] --> T1
      subgraph T1[Default scan — deterministic, one local pass]
        direction TB
        S1[SAST taint/AST]:::c --- S2[SCA + OSV CVE]:::c --- S3[Secrets]:::c
        S4[Container / IaC]:::c --- S5[Config / AI-runtime]:::c --- S6[API / OpenAPI]:::c
      end
      T1 --> F[Findings + confidence tiers]
      F --> OUT[Verified findings + SBOM SPDX/CycloneDX<br/>+ 10-framework compliance + static HTML report]
      F -.-> T2["Tier-2 optional — host-LLM verification<br/>off by default"]
      T2 -.-> OUT
      classDef c fill:#eef,stroke:#88a;
    DIAGRAM

    The relevant contrast with Snyk: Snyk Code is one product in a suite (Snyk Code for SAST, Snyk Open Source for dependencies), each analyzing in Snyk's cloud. Gadriel's default scan is that whole first row in a single local command. The comparison below rests entirely on that default scan.


    IMPORTANT

    Snyk Code uploads your source to the cloud for analysis. Gadriel runs 100% locally — no code egress, no vendor account, works air-gapped. If that difference matters to your legal or security team, it changes the whole comparison before we even count findings.

    What we tested

    Every scan was a first‑time run on a repo Gadriel was never trained or tuned on, measured on the same machine (July 2026). Tools: Gadriel 1.2.1 and Snyk CLI 1.1306.0 (Snyk Code for SAST, snyk test for dependencies). "Goat" apps are deliberately stuffed with known, exploitable bugs, so the ground truth is known in advance — a fair test of what each tool actually catches.

    RepoLanguage / stackWhy it's here
    pygoatPython / DjangoThe classic battery: RCE, pickle, yaml, command‑injection, SQLi
    django.nVPython / Django 1.8.3OWASP A1–A10, hardcoded secret, end‑of‑life‑Django CVEs
    vulpyPython / FlaskShips a bad/ and a good/ tree — a precision test
    govwaGo / MySQLGo SAST + the Go formatted‑SQL‑injection shape
    dvjaJava / Spring / Struts2 / MavenDeep vulnerable‑dependency surface (Struts2, Log4Shell)
    NodeGoatJavaScript / Express / MongoOWASP Top 10 in Node, large npm dependency surface

    Cross-repo scoreboard (measured)

    RepoGadriel timeGadriel findings (T1 default)Gadriel Tier‑2 (optional, verified)Snyk findingsHonest read
    pygoat (Python)3.7s38 (18 SAST + SCA/secrets/container/config)6/6 confirmedSnyk Code caught RCE/pickle/yaml/cmd‑inj/SQLi + SSRF/XXEPeer on the dangerous bugs. Gadriel's strongest repo; Snyk's SCA didn't complete
    django.nV (Python)14.4s12 (7 SAST + SCA/secret/coverage)5/5 confirmedSnyk Code: 14 (wider on CSRF/passwords)Gadriel gets SQLi + secret + Django 1.8.3 CVEs; Snyk wider on own‑code categories; Snyk's SCA failed
    vulpy (Python)2.5s5 (4 SAST, precise)2/2 confirmedSnyk Code: 20Precision win for Gadriel on good/; SQLi recall now at parity after the Python formatted‑SQL fix; Snyk's SCA failed
    govwa (Go)3.0s11 (3 SAST + SCA/container/config)3/3 confirmedSnyk Code: 11; snyk test: 0 vulnerable Go modulesPeer on Go SQLi (after the Go formatted‑SQL fix) + MD5; Snyk wider on cookie/session hardening
    dvja (Java)5.3s15 (1 SAST, 3 SCA, 10 container)1/1 confirmedSnyk Code: 7 (stronger); snyk test could not runSnyk leads on Java SAST. Gadriel's story is Struts2 dep + container + one tool
    NodeGoat (JS)5.2s14 (4 SAST + SCA/secret/container)2/2 confirmedSnyk Code: 27; Snyk Open Source: 76 unique dep CVEsSnyk leads on JS SAST + dep‑CVE. Gadriel lands the eval + committed key

    The Gadriel Tier‑2 column is the optional --tier2 pass (off by default): all 19 Medium‑confidence, gating‑eligible SAST findings across the six repos were re‑checked and 19/19 confirmed, 0 refuted. That is only its verify job — Tier‑2 also hunts for the access‑control bugs taint rules can't see, adding +25 advisory findings this round (broken out in the own‑code coverage table). It is an optional layer, not the basis of this comparison — the scoreboard rests on the default Tier‑1 scan.

    An honest note on the counts. Gadriel's numbers above are the July 2026 fresh re‑run; they are raw first‑pass totals spanning every scan type (SAST, SCA, secrets, container, config). Snyk's counts are its own per‑product totals. Crucially, Snyk's dependency scanner (snyk test) needs a fully resolved/installed build (Maven for Java, installed packages for Python) — in this environment‑free run it could not complete on django.nV, vulpy, or dvja. We state that honestly rather than scoring it as a Gadriel win: it is a real setup requirement, not a quality defect. On govwa it did run cleanly (0 vulnerable Go modules), and on NodeGoat it ran and shone.

    Tool coverage matrix (what each tool does at all)

    Counts only compare where the tools overlap. This matrix is structural — what each tool covers as a capability, independent of any repo. Snyk's column is the honest one to read closely here:

    CapabilityGadriel (default)Gadriel + Tier-2Snyk
    SAST / own‑code injection(cloud upload)
    SCA (deps/CVE)(needs resolved build)
    Secrets
    Container / IaC
    Config or AI‑runtime
    API (OpenAPI)
    AI/LLM risk
    Access‑control / IDOR / broken‑authz~ structural gap✅ advisory (semantic hunt)
    Self‑verification (AI pass)— (optional)✅ BYO‑LLM (your Claude/GPT/local Ollama)(Snyk DeepCode AI calls Snyk's own cloud model)
    Local / offline(cloud)
    SBOM
    One command, one pass

    Snyk's honest column: it does SAST, SCA, secrets, and container well — it is a broad suite. What it does not do is run locally (Snyk Code uploads source to the cloud), cover API/OpenAPI or AI/LLM‑runtime risk, or deliver all of this in a single command. Gadriel's differentiators against Snyk specifically are the local/offline row, the AI/LLM risk row, and one command, one pass.


    Repo by repo

    pygoat (Python / Django) — peers on the dangerous bugs

    pygoat is the classic Python goat. Snyk Code found the headline bugs with data‑flow tracingeval RCE, pickle deserialization, unsafe yaml load, command injection, and SQL injection — and additionally flagged SSRF and XXE. So did Gadriel, whose SAST engine returned 18 code findings here (its richest of the six): the pickle RCE (L1‑072, insec_des in main.py:36), command injection (L3‑017, mitre.py:233), SQL injection (L3‑054, views.py:162), unsafe yaml/deserialization (L3‑016/020/035), a hardcoded key (L4‑115), and the hardcoded SECRET_KEY (SECRET‑486, settings.py:25) — alongside container, SCA, secrets, and config results for a 38‑finding total in 3.7s. This is the repo where Gadriel is unambiguously at full strength. Snyk's own dependency scanner didn't complete in the build‑free run, so the code‑analysis results are the fair comparison — and there the two are peers.

    django.nV (Python / Django 1.8.3) — Snyk wider on own‑code categories

    Here Snyk earns real credit: Snyk Code reported 14 findings to Gadriel's 12, catching own‑code categories Gadriel did not — the @csrf_exempt CSRF holes, unvalidated‑password gaps, and a missing HttpOnly cookie (Gadriel does catch django.nV's open redirect, CODE‑W1‑L1‑821). Gadriel caught the SQL injection (critical, CODE‑W1‑L3‑014 at views.py:183) and the command injection (critical, L3‑017 at misc.py:33) plus a stack of high‑severity SAST, the hardcoded SECRET_KEY (SECRET‑486), and — where Snyk's snyk test failed with "missing required packages" — Gadriel's local SCA flagged the end‑of‑life Django 1.8.3 framework (SCA‑056). Gadriel also caught config‑level risk (pickle serializer, MD5/DEBUG) outside a pure code‑flow scanner's lane. Net: Snyk is broader on Python own‑code categories; Gadriel is the one that completed dependencies and config locally.

    vulpy (Python / Flask) — Gadriel's precision, and a shipped fix

    vulpy pairs a bad/ tree with a hardened good/ tree, so it tests precision, not just recall. Snyk Code raised 20 findings, including the SQL injection in four spots, hardcoded secrets, debug=True, and auth over plain HTTP. Gadriel returned a tight 5 — the injectable queries deduplicated into a clean critical finding (CODE‑W1‑L3‑014 at bad/libuser.py:12), plus debug=True (L4‑115) and auth‑over‑HTTP (L4‑145), all in bad/firing only where a query is genuinely injectable and staying silent on the safe parameterized rewrites in good/zero findings inside the hardened tree. Importantly, vulpy is exactly where Gadriel's earlier SQLi recall gap surfaced — see the flywheel section — now closed and re‑validated live. Snyk's SCA did not complete here.

    govwa (Go / MySQL) — peers on Go SQLi

    On this Go app, both tools caught the SQL injection and the weak MD5 hashing. Gadriel's Go formatted‑SQL‑injection detector (source‑optional) now fires live as a critical (CODE‑W1‑L2‑002 at function.go:41), alongside a second high on the same rule (database.go:24) and the MD5 weak‑hash (L1‑313 at user.go:160), inside an 11‑finding pass spanning SAST, SCA, container, and config in 3.0s. Snyk Code returned 11 Go code findings, leaning wider on cookie/session hardening and a cleartext‑logging warning; its snyk test ran cleanly and correctly reported 0 vulnerable Go modules (govwa's danger is in the code, not its libraries). One honest note: govwa's template.HTML(userinput) reflected‑XSS family isn't a strength either tool leaned on here — it's Go coverage Gadriel is actively improving.

    dvja (Java / Spring / Struts2) — Snyk leads on Java SAST

    We report this exactly as it came out: on Java own‑code bugs, Snyk Code beat Gadriel — seven findings to one. Snyk flagged MD5 hashing, password‑returning methods, a JSP XSS, and a Struts debug‑mode setting; its mature Java data‑flow engine showed. Gadriel found one code bug (a critical JPQL/SQL injection, CODE‑W1‑L1‑1004 at ProductService.java:48) — Java SAST is Gadriel's weakest language today. Gadriel's story on dvja is elsewhere: its local SCA flagged the vulnerable Apache Struts2 dependency (the Equifax‑class RCE family) plus a Log4Shell‑era Log4j, and it added ten container hardening findings, for 15 total in 5.3s with no build step — while Snyk's snyk test couldn't run at all without a resolved Maven build. So on the highest‑risk part of this specific app (the dependencies), Gadriel produced a result out of the box and Snyk's SCA did not; on the source code, Snyk is clearly ahead.

    NodeGoat (JS / Express / Mongo) — Snyk leads on JS SAST and dep‑CVE

    Another honest split, favouring Snyk on JavaScript. Snyk Code returned 27 own‑code findings — code injection, missing rate‑limiting, SSRF, hardcoded credentials — to Gadriel's 4 SAST hits, and Snyk Open Source resolved the lockfile and reported 351 issues across 76 unique dependency vulnerabilities. That's exactly the vulnerable‑dependency surface Snyk is famous for, and it did it well. Gadriel's JS source depth is still maturing, but it landed the highest‑impact catches: the eval() code injection in contributions.js:32 (critical, CODE‑W1‑L1‑001), a second code‑injection in Gruntfile.js:165 (L1‑008), an open redirect (CODE‑W1‑L1‑1696 at index.js:72), and the committed TLS private key at server.key (SECRET‑001) — plus its own local SCA, container, and config results for 14 total in 5.2s. On NodeGoat, Snyk's recall is higher; Gadriel's trade is privacy and breadth‑in‑one‑tool.


    Optional: Gadriel Tier‑2 — your own LLM, two jobs

    Gadriel ships an optional AI tier (Tier‑2, enabled with --tier2 / GADRIEL_TIER2 / [tier2].enabled, off by default) that does two things in source context. First it verifies: it adversarially re‑checks Tier‑1's gating‑eligible SAST findings to refute or confirm them — across these six repos all 19 Medium‑confidence gating‑eligible findings ran through Gadriel's fusion engine and 19/19 were confirmed, 0 refuted. Second it hunts: it semantically reads the source for the vulnerability classes deterministic taint rules structurally miss — IDOR / broken‑object authorization, missing function‑level authz, missing authentication, and forgeable‑token / broken‑auth — and surfaces them as advisory findings for review. This round it added +25 such findings across the six repos (see the coverage table below).

    Its differentiator is bring‑your‑own‑LLM: Tier‑2 borrows the host agent's already‑running model (Claude in Claude Code, GPT in Cursor, or a local Ollama model) and makes no API call of its own — no vendor model to buy, no code egress, no second bill, and it works air‑gapped with a local model. That is a delivery advantage, not a claim of better raw detection than a cloud model: unlike Snyk DeepCode AI, which uploads source and calls Snyk's own cloud model, Tier‑2 keeps everything on your machine. Its hunt findings are advisory — surfaced and flagged for review, never used to gate or fail a build. It's an optional layer — not the basis of the scoreboard, which rests on the default Tier‑1 scan.

    Own-code coverage: Tier-1 vs Tier-1 + Tier-2

    RepoTier‑1 gating SAST+ Tier‑2 verify+ Tier‑2 hunt adds (advisory)Own‑code total w/ Tier‑2
    pygoat (Python)186/6 ✓+422
    django.nV (Python)75/5 ✓+411
    vulpy (Python)42/2 ✓+48
    govwa (Go)33/3 ✓+47
    dvja (Java)11/1 ✓+45
    NodeGoat (JS)42/2 ✓+59
    Total3719/19 confirmed, 0 refuted+2562

    The hunt adds are the access‑control family that rule‑based taint analysis cannot see — because the bug is a missing check, not a tainted data‑flow to a sink. The standout is dvja: Tier‑1 alone found 1 SAST bug; Tier‑2 recovered the critical PingAction command injection plus a product IDOR, a forgeable admin cookie, and a forgeable reset‑token (account takeover). On django.nV it surfaced the profile_by_id IDOR account‑takeover, a manage_groups privilege‑escalation, an arbitrary‑file‑download IDOR, and an open‑redirect+IDOR. All advisory, all for review.


    KEY TAKEAWAY

    Snyk Code is genuinely strong on SAST. Gadriel matches it on the dangerous bugs on its strong languages, runs entirely on-box, and covers SCA + secrets + container + config + API + AI/LLM in the same pass — no second product to buy.

    Where Gadriel clearly wins

    1. Your code stays private — local and offline. This is the decisive line. Snyk Code uploads your source to Snyk's cloud to analyze it. Gadriel analyzes everything on your machine or CI runner; your source never leaves, and it works fully air‑gapped. For finance, healthcare, government, or anyone with sensitive IP, that alone can settle the choice.
    2. Breadth in one tool. Snyk is a suite of separate cloud products (Snyk Code, Snyk Open Source, and more). Gadriel does SAST and SCA and secrets and container and config and AI/LLM risks in a single command.
    3. Precision. On vulpy, Gadriel fired on every request‑reachable injectable query in bad/ without false‑positiving on the parameterized queries in good/ — full recall on the exploitable sites, zero findings inside the hardened tree.
    4. It learns per‑codebase. Decisions are remembered per‑codebase — a fixed cloud engine cannot. New users start ahead, tuned by ~2,000 expert‑reviewed findings from earlier testing (none from these apps).
    5. Audit‑ready by default. SPDX + CycloneDX SBOMs and ten compliance‑framework reports (EU AI Act, NIST AI RMF, SOC 2, HIPAA, PCI‑DSS, OWASP LLM Top 10, CMMC, ISO 42001, and a cyber‑insurance readiness checklist) come out of every scan, generated locally.
    6. Faster — no upload round‑trip. Every scan above finished in seconds locally, with no cloud round‑trip to wait on.

    Where Gadriel still trails (honest)

    • Java SAST recall (dvja). One own‑code bug to Snyk's seven. Java code‑analysis depth trails Gadriel's Python and Go. On Java today, Gadriel's value is the dependency + container + one‑tool coverage, not SAST breadth.
    • JavaScript SAST breadth (NodeGoat). Gadriel lands the eval injection and the committed key but misses the SSRF, missing‑rate‑limiting, and hardcoded‑credential categories Snyk Code flagged (4 vs. 27).
    • Python category breadth (django.nV). Strong on injection, secrets, and SCA, but does not yet flag the pervasive IDOR, @csrf_exempt CSRF holes, or HttpOnly cookie gaps Snyk caught.
    • Mature dependency‑CVE database + fix advice. On NodeGoat, Snyk Open Source's 76 unique dep vulnerabilities and its polished fix suggestions are a genuine, well‑curated strength.

    One honest caveat cuts the other way: the optional Tier‑2 pass already addresses part of this. Its bring‑your‑own‑LLM semantic hunt surfaces the IDOR / missing‑authorization / broken‑auth family — the access‑control categories called out above under django.nV — as advisory (review‑flagged, non‑gating) findings, and this round it added +25 such own‑code issues Tier‑1 alone missed. That closes part of the access‑control gap, but it is advisory rather than gating, and the deterministic Java/JS SAST‑breadth gap above is still real and being improved.

    These gaps are Gadriel's tracked detection backlog — the next benchmark‑driven fixes, exactly as the formatted‑SQL‑injection detectors (Go and Python) came out of earlier rounds.


    The benchmark → fix flywheel

    This is a two‑way practice, not a slide deck.

    flowchart LR
      A[Multi-repo goat benchmark] --> B{Gadriel miss a peer catches?}
      B -- yes --> C[Root-cause + ship a fix]
      C --> D[Ship matcher/rule fix + unit test]
      D --> E[Re-scan the live target]
      E --> A
      B -- no --> A
    DIAGRAM

    vulpy surfaced a real Python SQL‑injection recall gap that Snyk Code caught and Gadriel initially missed: Snyk flagged the classic "...".format(user) / "..." % usercursor.execute shape as python/Sqli (×4), while Gadriel's provenance engine — reaching for a cross‑file, bare‑parameter taint source it couldn't resolve — reported zero. The root cause and the fix (a narrow, source‑optional matcher heuristic that stays precise on parameterized queries) shipped as Gadriel's Python formatted‑SQL‑injection detector, the Python analog of the Go formatted‑SQL fix. Both shipped in the matcher, were unit‑tested, and were re‑validated against the live targets — and in the July 2026 re‑run they fire live: vulpy's CODE‑W1‑L3‑014 critical and govwa's CODE‑W1‑L2‑002 critical are those fixes working. A competitor catch became a shipped, verified improvement.


    The honest evaluation: where Tier‑1 stops and Tier‑2 starts

    Put plainly, so nothing hides in the prose:

    • Gadriel's default scan (Tier‑1) is strong at injection. SQLi, OS‑command, and code/eval injection — especially in Python and Go, where it is a peer with Snyk Code. That is what leads the per‑repo scoreboard above, and it holds up.
    • Tier‑1 is honestly weak in two places. (a) Java and JavaScript SAST breadth — dvja bottoms out at one own‑code bug, NodeGoat at four, and Snyk Code leads both. (b) The access‑control family — IDOR, missing/broken authorization, forgeable‑token auth — which is structurally invisible to AST taint rules, because the vulnerability is a missing check, not a tainted data‑flow reaching a sink. No amount of taint tuning finds a check that isn't there.
    • The optional Tier‑2 — your own LLM — closes exactly those two gaps. It semantically read the source and surfaced +25 measured IDOR/authz/broken‑auth findings — the own‑code access‑control layer Snyk doesn't reach — including the dvja command‑injection + IDOR account‑takeover chain where Tier‑1 alone found just one bug. These are advisory — flagged for a human to review, not used to gate or fail a build.
    • Net, on OWN‑CODE security coverage, Gadriel + Tier‑2 reaches an access‑control layer Snyk doesn't. That claim is scoped deliberately: it is about your source code, not dependencies, and it means surfaced coverage, not enforcement. Snyk keeps its own leads — Snyk Code still leads raw Java/JS SAST breadth, and Snyk Open Source still leads npm dependency‑CVE depth (76 unique on NodeGoat). Snyk Code is a mature, genuine data‑flow analyzer and keeps that credit. What it does not have is a local self‑verify‑plus‑hunt layer: Snyk DeepCode AI calls Snyk's own cloud model and uploads your source; Gadriel's Tier‑2 runs your local LLM with nothing leaving the machine, and that is the layer that closes the IDOR/authz family here.

    Two strong scanners. One sends your code to a SaaS. The other never leaves your machine — and finishes the whole job in one command.

    The bottom line

    Let's be fair to Snyk, because it earns it: Snyk is an excellent, mature cloud security platform. Snyk Code genuinely analyzes your source with real data‑flow tracing, and across these six apps it found the dangerous bugs — leading Gadriel outright on Java and JavaScript own‑code breadth and on npm dependency CVEs. It has a large, well‑curated vulnerability database, automatic fix suggestions, a polished developer experience, and broad integrations. If you want a cloud platform and code upload is acceptable, Snyk is a strong choice.

    Here's where Gadriel is the better fit:

    • Your code stays private — analyzed locally, never uploaded, works fully offline.
    • It does the whole job in one tool — code, dependencies, secrets, containers, config, and AI risks in a single pass — and its local SCA completed on repos where Snyk's needed a build it didn't have.
    • It's precise — firing on genuinely injectable code and leaving safe rewrites alone.
    • It understands AI‑era code — OWASP‑LLM coverage a general‑purpose scanner lacks.
    • It learns — more accurate for your codebase over time.
    • It's audit‑ready and faster — SBOM + ten compliance frameworks every run, results in seconds, no cloud round‑trip.

    Security is the sharpest edge of this comparison, but it's one of eight pillars Gadriel validates in every scan alongside compliance, safety, operational, FinOps, coherence, teamwork, and bias.

    In one line: Snyk is a powerful, mature cloud security platform that leads on Java/JS breadth and dependency CVEs; Gadriel delivers comparable code‑bug detection while keeping your source private and local, running faster, staying precise, understanding AI code, and improving per‑codebase — all in a single tool.


    Test details: six first‑time scans of repositories Gadriel was never trained on — adeyosemanputra/pygoat, nVisium/django.nV, fportantier/vulpy, 0c34/govwa, appsecco/dvja, and OWASP/NodeGoat — measured on the test machine in July 2026. Gadriel 1.2.1; Snyk CLI 1.1306.0 (Snyk Code for SAST, snyk test for dependencies). Snyk Code analyzes source in Snyk's cloud; Gadriel runs 100% locally/offline. Snyk's dependency scanner requires a resolved/installed build and did not complete on django.nV, vulpy, or dvja; it ran cleanly on govwa (0 vulnerable Go modules) and NodeGoat (76 unique CVEs). Gadriel figures are raw first‑pass totals across all scan types. All findings were verified against source; all timings were measured on the test machine.