in reply to ZARN - security code analysis for perl
I've tried this Zarn on a non-trivial codebase at $work, and I'm sorry, but in its present form it is worse than useless.
First, it only reports the file name and the purported "vulnerability", but no context, not even a line number.
Second, it seems to flag most files, some even multiple times, with "Path Traversal" or "Code Injection". It doesn't tell what these are, but looking at the default.yaml rules file (the only one that has actual content):
    - id: '0002'
      category: vuln
      name: Code Injection
      message:
      sample:
        - system
        - eval
        - exec
    - id: '0003'
      category: vuln
      name: Path Traversal
      message:
      sample:
        - open
it appears that it flags every single occurrence of these keywords as a vulnerability, which is ridiculous. An open() with a known, static filename is not a path traversal vulnerability, nor is a block eval (to catch exceptions) a code injection.
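An added illustration of the false-positive problem described in the post (example code, not part of the thread and not Zarn's own logic): it runs the keyword lists quoted from the rules file above over four constructed Perl one-liners, and beside it a small context-aware heuristic that distinguishes a block eval from a string eval and a static open() path from one that interpolates a variable. The sample lines, the regexes and the "look at the operand" rule are all assumptions made for the demo.

```python
import re

# Constructed Perl one-liners for the demo (not taken from Zarn or the thread).
SAMPLES = {
    "block_eval":   'eval { risky_call(); 1 } or warn "caught: $@";',
    "static_open":  'open(my $fh, "<", "/etc/hostname") or die $!;',
    "string_eval":  'eval $code_from_request;',
    "dynamic_open": 'open(my $fh, "<", "$base_dir/$user_file") or die $!;',
}

# The keyword lists as quoted from default.yaml in the post above.
KEYWORD_RULES = {
    "Code Injection": ("system", "eval", "exec"),
    "Path Traversal": ("open",),
}

def keyword_scan(line):
    """Keyword-only rule: any whole-word match of a sample word fires the finding."""
    findings = []
    for name, words in KEYWORD_RULES.items():
        if any(re.search(r"\b%s\b" % w, line) for w in words):
            findings.append(name)
    return findings

# eval followed by its first non-space character; a '{' means a block eval.
EVAL_RE = re.compile(r"\beval\s*(\S)")
# The path argument of a three-argument open: open(FH, MODE, PATH)
OPEN_RE = re.compile(r"\bopen\s*\(\s*[^,]+,\s*[^,]+,\s*([^)]+)\)")

def context_scan(line):
    """Heuristic that inspects the operand before reporting (assumed here,
    not Zarn's logic): a block eval is exception handling, and an open()
    whose path contains no interpolated variable is a static filename."""
    findings = []
    m = EVAL_RE.search(line)
    if m and m.group(1) != "{":
        findings.append("Code Injection")
    m = OPEN_RE.search(line)
    if m and re.search(r"[$@]", m.group(1)):
        findings.append("Path Traversal")
    return findings

def compare(samples=SAMPLES):
    """Return {sample_name: (keyword_findings, context_findings)}."""
    return {k: (keyword_scan(v), context_scan(v)) for k, v in samples.items()}

if __name__ == "__main__":
    for name, (kw, ctx) in compare().items():
        print(f"{name:13s} keyword={kw or '-'}  context={ctx or '-'}")
```

Running it shows the keyword rule reporting all four lines, while the operand check reports only the string eval and the variable-built path; a real scanner would of course need a Perl parser rather than regexes, but the point is that the rule has to look past the bare keyword before it can call something a vulnerability.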