CodeThreat uses OpenGrep (our enhanced fork of Semgrep) combined with ShiftQL’s intelligent analysis to provide comprehensive static application security testing across 27+ languages with 1,740+ security rules.

Supported Languages

Primary Languages (Deep Coverage)

| Language | Rules | Frameworks Supported | Coverage |
|---|---|---|---|
| Python | 334 | Django, Flask, FastAPI, Pyramid | OWASP Top 10, CWE Top 25 |
| Terraform | 362 | AWS, Azure, GCP, Kubernetes | Infrastructure security |
| JavaScript | 173 | React, Vue, Angular, Express, Node.js | Frontend & backend |
| Java | 121 | Spring, Jakarta EE, Struts, Play | Enterprise applications |
| TypeScript | 30 | React, Angular, Next.js, NestJS | Modern web apps |
| Go | 76 | Gin, Echo, Fiber, standard library | Cloud-native apps |
| Ruby | 92 | Rails, Sinatra, Grape | Web applications |
| PHP | 61 | Laravel, Symfony, WordPress, Drupal | CMS and web apps |
| C# | 51 | ASP.NET, .NET Core, Entity Framework | Windows & cross-platform |

Additional Languages

| Language | Rules | Use Cases |
|---|---|---|
| YAML/Kubernetes | 120 | K8s manifests, Helm charts, docker-compose |
| Scala | 27 | Play Framework, Akka, Spark |
| Solidity | 50 | Smart contracts, DeFi, blockchain |
| Kotlin | 14 | Android, Spring Boot, server-side |
| Rust | 10 | Systems programming, web services |
| Swift | 4 | iOS, macOS applications |
| Elixir | 7 | Phoenix Framework |
| OCaml | 23 | Functional programming |
| Bash/Shell | 6 | Scripts, DevOps automation |
| C/C++ | 16 | Systems programming |
| Apex | 18 | Salesforce development |
| Clojure | 5 | JVM functional programming |
| Dockerfile | 35 | Container security |
| HTML | 6 | Template security |
| JSON | 4 | Configuration security |

Generic Rules

37 problem-based rules that work across all languages:
  • Hardcoded secrets
  • Insecure random number generation
  • Weak cryptography
  • Insecure deserialization
  • And more
25 AI-specific rules for emerging AI/ML security concerns

Framework-Specific Detection

Web Frameworks

Python:
  • Django ORM injection detection
  • Flask template injection
  • FastAPI security misconfigurations
  • Pyramid authorization flaws
JavaScript/TypeScript:
  • React XSS and dangerouslySetInnerHTML
  • Vue.js template injection
  • Express.js route security
  • Next.js API route vulnerabilities
Java:
  • Spring Security misconfigurations
  • Hibernate/JPA injection
  • Jakarta EE authentication flaws
  • Struts OGNL injection
Ruby:
  • Rails mass assignment
  • ActiveRecord SQL injection
  • Sinatra route security
  • Rails CSRF bypass
PHP:
  • Laravel query injection
  • Symfony security component misuse
  • WordPress plugin vulnerabilities
  • Drupal access control
Go:
  • Gin parameter injection
  • Echo template rendering
  • Standard library SQL issues
  • Goroutine race conditions

Mobile Frameworks

iOS (Swift):
  • KeyChain misuse
  • Insecure data storage
  • SSL pinning issues
Android (Kotlin/Java):
  • Intent injection
  • WebView security
  • SharedPreferences exposure

Vulnerability Categories

OWASP Top 10 (2021) Coverage

| OWASP 2021 Category | Detection | Rule Count | Examples |
|---|---|---|---|
| A01: Broken Access Control | ✅ Full | 100+ | Missing authorization, IDOR, path traversal, privilege escalation |
| A02: Cryptographic Failures | ✅ Full | 80+ | MD5/SHA1 usage, weak crypto, hardcoded secrets, insecure random |
| A03: Injection | ✅ Full | 400+ | SQL, NoSQL, OS command, LDAP, XPath, XML injection |
| A04: Insecure Design | ✅ Partial | 50+ | Missing rate limiting, trust boundary violations, security anti-patterns |
| A05: Security Misconfiguration | ✅ Full | 150+ | Debug enabled, defaults, CORS, headers, verbose errors |
| A06: Vulnerable Components | ⚠️ SCA Tool | - | Use Trivy SCA for dependency vulnerabilities |
| A07: Auth/Session Failures | ✅ Full | 90+ | Broken auth, session fixation, weak passwords, missing MFA |
| A08: Data Integrity Failures | ✅ Full | 70+ | Insecure deserialization (Pickle, YAML, JSON), unsigned JWTs |
| A09: Logging Failures | ✅ Partial | 30+ | Credentials in logs, insufficient logging, sensitive data exposure |
| A10: SSRF | ✅ Full | 40+ | Server-side request forgery, unsafe URL construction |

Compliance: Rules are tagged with both OWASP 2017 and OWASP 2021 categories.

CWE Top 25 Coverage

CodeThreat detects the CWE Top 25 most dangerous software weaknesses (2021 and 2022 lists). Coverage includes:

Injection (CWE-74):
  • CWE-89: SQL Injection
  • CWE-78: OS Command Injection
  • CWE-79: Cross-Site Scripting
  • CWE-91: XML Injection
  • CWE-943: NoSQL Injection
Cryptography (CWE-310):
  • CWE-327: Broken/Risky Crypto
  • CWE-328: Weak Hash
  • CWE-330: Weak Random
  • CWE-331: Insufficient Entropy
  • CWE-326: Inadequate Encryption
Authentication (CWE-287):
  • CWE-287: Improper Authentication
  • CWE-306: Missing Authentication
  • CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-798: Use of Hard-coded Credentials
Authorization (CWE-285):
  • CWE-285: Improper Authorization
  • CWE-862: Missing Authorization
  • CWE-863: Incorrect Authorization
Additional CWE Coverage:
  • CWE-22: Path Traversal
  • CWE-416: Use After Free
  • CWE-434: Unrestricted Upload
  • CWE-352: CSRF
  • CWE-601: Open Redirect
  • And 100+ more CWE categories
Compliance Tags: Rules are tagged with CWE-2021-Top-25 and CWE-2022-Top-25 for prioritization

Language-Specific Vulnerabilities

Python-Specific

✅ Django template injection
✅ Pickle deserialization
✅ Eval/exec code execution
✅ YAML unsafe load
✅ Flask Jinja2 SSTI
✅ SQLAlchemy injection
✅ subprocess shell injection
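The generic rules listed earlier (hardcoded secrets, weak cryptography) and the Python-specific patterns above can all be recognised on the syntax tree alone, which is what a Semgrep-style rule does. The following is an added example, not CodeThreat's or OpenGrep's rule code: a small standard-library scanner that flags those shapes and, just as importantly, leaves the safe variants alone (yaml.load with SafeLoader, subprocess with an argv list, a parameterised execute). The rule ids, the Finding type and the SAMPLE source are constructed for this illustration.

```python
"""Added example, not CodeThreat rule code: a minimal AST-based scanner for
Python patterns a SAST rule set flags. Standard library only; the rule ids
and SAMPLE source below are constructed for this illustration."""
import ast
import re
from dataclasses import dataclass

SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|token)", re.I)
SUBPROCESS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "subprocess.check_call"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def dotted(node):
    """'a.b.c' for a Name/Attribute chain, '' for anything else (e.g. a call result)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def kwarg(call, name):
    return next((kw.value for kw in call.keywords if kw.arg == name), None)


def is_dynamic_string(node):
    """f-string, or a string built with + or %: the shapes that carry request data."""
    return isinstance(node, ast.JoinedStr) or (
        isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)))


def scan_source(src):
    found = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str) and node.value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    found.append(Finding("python.hardcoded-secret", node.lineno,
                                         f"string literal assigned to {target.id}"))
            continue
        if not isinstance(node, ast.Call):
            continue
        callee, line = dotted(node.func), node.lineno
        first = node.args[0] if node.args else None
        if callee in ("eval", "exec"):
            found.append(Finding("python.eval-exec", line, f"{callee}() on runtime data"))
        elif callee in ("pickle.load", "pickle.loads"):
            found.append(Finding("python.pickle-load", line, "unpickling untrusted data runs arbitrary code"))
        elif callee == "yaml.load":
            # Unsafe only without SafeLoader (positional or keyword); yaml.safe_load() is never flagged.
            loader = kwarg(node, "Loader") or (node.args[1] if len(node.args) > 1 else None)
            if dotted(loader) not in ("yaml.SafeLoader", "SafeLoader"):
                found.append(Finding("python.yaml-unsafe-load", line, "yaml.load without SafeLoader"))
        elif callee in SUBPROCESS:
            # shell=True with a command built at runtime; a literal command or an argv list is not flagged.
            shell = kwarg(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True and not isinstance(first, ast.Constant):
                found.append(Finding("python.subprocess-shell-injection", line, "shell=True with a dynamic command"))
        elif callee in ("hashlib.md5", "hashlib.sha1"):
            found.append(Finding("python.weak-hash", line, f"{callee} is not collision resistant"))
        elif callee.endswith(".execute") and is_dynamic_string(first):
            found.append(Finding("python.sql-string-format", line, "SQL built by string formatting; bind parameters instead"))
    return sorted(found, key=lambda f: f.line)


SAMPLE = '''
import hashlib, pickle, subprocess, yaml
from sqlalchemy import text

DB_PASSWORD = "hunter2"
def handler(request, session):
    data = pickle.loads(request.body)
    cfg = yaml.load(request.form["cfg"])
    safe = yaml.load(request.form["cfg"], Loader=yaml.SafeLoader)
    subprocess.run("ls " + request.args["d"], shell=True)
    subprocess.run(["ls", request.args["d"]])
    digest = hashlib.md5(data).hexdigest()
    session.execute(f"SELECT * FROM users WHERE name = '{request.args['u']}'")
    session.execute(text("SELECT * FROM users WHERE name = :n"), {"n": request.args["u"]})
    return eval(request.args["expr"])
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.line:>3}  {f.rule:<34} {f.message}")
```

Run against SAMPLE it reports seven findings (lines 5, 7, 8, 10, 12, 13 and 15) and nothing for the three safe lines beside them; that distinction between the sink and the sink with a safe argument shape is what keeps a rule's false-positive rate down, and it is the part worth studying when you read a rule's source.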

JavaScript/TypeScript-Specific

✅ Prototype pollution
✅ RegExp DoS
✅ eval() and Function() usage
✅ innerHTML XSS
✅ Express route parameter injection
✅ JWT algorithm confusion
✅ Path traversal

Java-Specific

✅ Deserialization of untrusted data
✅ JNDI injection (Log4Shell-style)
✅ Spring SpEL injection
✅ XML External Entity (XXE)
✅ JDBC SQL injection
✅ Reflection abuse

Go-Specific

✅ SQL injection in database/sql
✅ Command injection in exec.Command
✅ Path traversal
✅ Unsafe reflection
✅ Race conditions

Infrastructure as Code

Terraform (362 rules):
✅ Public S3 buckets
✅ Unencrypted storage
✅ Overly permissive IAM
✅ Missing security groups
✅ Insecure network configs

Kubernetes/YAML (120 rules):
✅ Privileged containers
✅ Host network access
✅ Missing resource limits
✅ Insecure volume mounts
✅ Exposed secrets

Dockerfile (35 rules):
✅ Running as root
✅ Vulnerable base images
✅ Exposed secrets
✅ Missing health checks
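As an added example of what the Kubernetes/YAML checks listed above actually test (not CodeThreat's rule code), the following applies the privileged-container, host-network, resource-limit, hostPath-volume and secret-in-env checks to a parsed manifest. It operates on the dict you get from json.load over a `kubectl get deploy NAME -o json` export, so it needs no YAML library; the rule ids and both sample Deployments are constructed.

```python
"""Added example, not CodeThreat rule code: the checks behind common
Kubernetes workload rules, applied to a parsed manifest dict.
Rule ids and the INSECURE / HARDENED samples are constructed."""
import re

SECRET_ENV = re.compile(r"(password|secret|token|api_key)", re.I)


def pod_spec(doc):
    """PodSpec of a Pod, or of the pod template embedded in Deployment/StatefulSet/Job."""
    spec = doc.get("spec", {})
    return spec if doc.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})


def check_workload(doc):
    """Return (rule, location) pairs; an empty list means every check passed."""
    spec = pod_spec(doc)
    name = doc.get("metadata", {}).get("name", "<unnamed>")
    out = []
    if spec.get("hostNetwork") is True:
        out.append(("k8s.host-network", name))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:  # host filesystem mounted into the pod
            out.append(("k8s.hostpath-volume", f"{name}/{vol.get('name')}"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"{name}/{c.get('name')}"
        if c.get("securityContext", {}).get("privileged") is True:
            out.append(("k8s.privileged-container", loc))
        if not c.get("resources", {}).get("limits"):
            out.append(("k8s.missing-resource-limits", loc))
        for env in c.get("env", []):
            # literal value under a secret-looking name; valueFrom.secretKeyRef is the safe shape
            if SECRET_ENV.search(env.get("name", "")) and "value" in env:
                out.append(("k8s.secret-in-env", f"{loc}/{env['name']}"))
    return out


INSECURE = {  # constructed sample: one container, every check fails
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "web", "image": "example/web:1.0",
            "securityContext": {"privileged": True},
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"},
                    {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}}],
        }],
    }}},
}

HARDENED = {  # constructed sample: the same workload with each finding fixed
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "web", "image": "example/web:1.0",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False, "runAsNonRoot": True},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
        }],
    }}},
}

if __name__ == "__main__":
    for rule, where in check_workload(INSECURE):
        print(f"{rule:<30} {where}")
    print("hardened findings:", check_workload(HARDENED))
```

INSECURE yields five findings and HARDENED none. Note that API_TOKEN in the insecure manifest is not reported: it already uses a secretKeyRef, and a rule that flagged every secret-looking variable name regardless of where the value comes from would be pure noise.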

Blockchain/Smart Contracts

Solidity (50 rules):
✅ Reentrancy vulnerabilities
✅ Integer overflow/underflow
✅ Unchecked external calls
✅ Access control issues
✅ Gas optimization

Compliance and Standards

OWASP Top 10 (2021): Coverage of all 10 categories with 1,000+ relevant rules (A06 is handled by Trivy SCA rather than SAST rules; A04 and A09 are partial, as in the table above)
CWE Top 25: Complete coverage of the most dangerous weaknesses (2021 & 2022 lists)
SANS Top 25: Aligned with the SANS/CWE Most Dangerous Software Errors list
Rules are tagged with these compliance standards for easy filtering and reporting.
CodeThreat does not ship PCI-DSS or HIPAA specific rule sets; its OWASP Top 10 and CWE coverage addresses the secure-coding requirements those frameworks reference, but mapping findings to specific control numbers is left to your reporting.

What Makes Our SAST Different

  • 1,740+ Rules: More coverage than most commercial tools
  • OpenGrep + ShiftQL: We enhanced Semgrep with our own intelligence layer
  • Framework-Aware: Understands Django ORM, React escaping, Spring Security, Rails protections
  • Low False Positives: Rules tuned for precision, then AI filters findings by context
  • Continuous Updates: New rules added weekly for emerging vulnerability patterns
Enable SAST scanning to catch code-level vulnerabilities before they reach production. Most findings can be fixed in minutes once identified.

What’s Next?

SCA Support Matrix

Dependency scanning coverage

Run Your First Scan

Start scanning for vulnerabilities

Scan Types Explained

Understanding SAST, SCA, Secrets, IaC