AI-tool risk delta

For every AI-authored commit in the recent history window, Vulkro walks the file-by-file diff and reports:

New sink categories reached. A file that did not reach a classified critical sink (SQL, shell, HTTP egress, payment, LLM, file-write, deserialization, email) before the commit now does.
New third-party imports. A package newly imported in this commit. Catches typo-squat introductions and unauthorized dependency adds.
Function parameter surface expansion. A function whose parameter count grew (foo (2 -> 4)). Often the shape that adds untrusted input without validation.

The output is a digest, not per-line findings. The CLI renders it as markdown; the desktop console hosts a tab.

What commits count as AI-authored?

Vulkro classifies a commit as AI-authored when any of these markers appear in the commit subject, body, or author field:

Co-Authored-By: Claude, Generated with Claude, @anthropic-generated -> Claude
GitHub Copilot, copilot-generated, @copilot -> Copilot
cursor.sh, @cursor-generated -> Cursor
aider:, // aider -> Aider
Generated by ChatGPT, OpenAI gpt- -> ChatGPT
ai-generated, generated by ai, # generated by -> generic AI

A commit can match multiple markers; the first match wins.

Cursor introduced 3 new SQL sinks in auth_service.py since Mar 4.

The report renders as a markdown table per commit, grouped by AI tool, sorted by file delta count.

The defender-side narrative for AI-generated code is that AI is fast but not careful. The risk delta surfaces the gap:

The report is the artifact a security team can hand to a sceptical engineering lead.

Flag	Default
`--ai-risk-delta`	off
`--ai-risk-delta-commits N`	50
`--ai-risk-delta-format markdown\|json`	markdown

--ai-code-segregation for the per-tool finding breakdown of the current scan (not the delta).
--attest-reviewed --reviewer <name> to mark every finding on an AI-touched file with a reviewer attestation.