SAST · Secrets · SBOM
Real findings, not noise.
Built for AI agents.
A free, Semgrep-compatible security scanner. Tree-sitter AST analysis with cross-file taint tracking, 270+ secret detectors, and CycloneDX/SPDX SBOMs — a single binary that drops straight into your CI pipeline, or that your coding agent drives over MCP.
$ npx @mondoohq/xgrep scan ./src
287 files · 1,000+ rules · secrets on
CRITICAL  sql-injection   src/db/query.py:42   request.args → cursor.execute
HIGH      aws-access-key  src/config.py:11
WARNING   weak-crypto     src/auth/hash.py:28
3 findings · run `xgrep sbom .` for a CycloneDX SBOM
Three scanners. One tool.
xgrep unifies static analysis, secret detection, and software composition analysis — no separate tools, no runtime, no warm-up.
SAST that reports what's actually exploitable.
xgrep parses your code with tree-sitter and traces untrusted input from source to sink across files and functions. When it flags a vulnerability, it's real — not a style nit.
Vulnerability coverage
Every rule is mapped to CWE and the OWASP Top 10, and every finding ships with code context and remediation guidance. Infrastructure as code is covered too — Terraform/HCL, Dockerfiles, and GitHub Actions workflows.
rules:
- id: sql-injection
  patterns:
  - pattern: cursor.execute($QUERY)
  - pattern-not: cursor.execute("...")
  message: Possible SQL injection via string formatting
  severity: CRITICAL
  languages: [python]
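To make the rule above concrete, here is an added example (not xgrep's code, and not how xgrep implements matching) that reproduces the rule's `pattern` / `pattern-not` logic with Python's standard `ast` module: it reports every `cursor.execute(...)` call whose single argument is not a plain string literal. The sample source it scans is constructed for this example; the matcher assumes the metavariable `$QUERY` binds exactly one positional argument.

```python
import ast

# Constructed sample input for this example (not from the page). Lines 4 and 5
# build the query from a variable, lines 6 and 7 pass a string literal.
SAMPLE = '''
def lookup(cursor, user_id):
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
    cursor.execute("SELECT 1")
    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
'''

MESSAGE = "Possible SQL injection via string formatting"


def is_cursor_execute(call: ast.Call) -> bool:
    """True for a call whose callee is exactly `cursor.execute`."""
    func = call.func
    return (
        isinstance(func, ast.Attribute)
        and func.attr == "execute"
        and isinstance(func.value, ast.Name)
        and func.value.id == "cursor"
    )


def find_execute_findings(source: str):
    """Return (line, message) for each `cursor.execute($QUERY)` whose argument
    is not a plain string literal, mirroring the rule's two patterns."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not is_cursor_execute(node):
            continue
        # Assumption for this example: `cursor.execute($QUERY)` binds exactly
        # one positional argument, so parameterised two-argument calls are skipped.
        if len(node.args) != 1 or node.keywords:
            continue
        arg = node.args[0]
        # `pattern-not: cursor.execute("...")` excludes a literal string argument.
        # An f-string is an ast.JoinedStr, not a Constant, so it is still reported.
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            continue
        findings.append((node.lineno, MESSAGE))
    return findings


if __name__ == "__main__":
    for line, msg in find_execute_findings(SAMPLE):
        print(f"CRITICAL sql-injection sample.py:{line} {msg}")
```

The f-string case is the one worth noticing: `"..."` in the `pattern-not` only excludes a plain literal, so a formatted string that still interpolates a variable is reported, which is the behaviour a practitioner wants from this rule.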
33 languages supported
Catch secrets before they ship — and the ones already leaked.
Secret scanning runs on every scan. 270+ provider-specific detectors match real key formats — prefixes, lengths, checksums — instead of guessing on entropy, so you get signal, not noise.
# Find secrets across full git history, with commit provenance
xgrep scan --history --category secrets .
# Decode base64/hex/gzip payloads to catch hidden keys
xgrep scan --decode --category secrets .
# Confirm which leaked keys are still live
xgrep scan --validate --category secrets .
Well-known placeholder values (like AWS’s documentation keys) are filtered out, so examples never page you. Secrets are reported even in test paths, where real credentials most often slip through.
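As an added illustration of format-based detection (example code written for this page, not xgrep's detector set), the following Python scanner matches AWS access key IDs by their fixed prefix and length rather than by entropy, drops the AWS documentation placeholder `AKIAIOSFODNN7EXAMPLE`, and still reports keys found under `tests/`. The files it scans are constructed for this example, and the two `AKIATESTKEY...` values are made-up strings in the right format, not real credentials.

```python
import re

# AWS access key IDs: prefix AKIA (long-term) or ASIA (temporary) + 16 upper-case
# alphanumerics. Matching the provider's format is what keeps random hex strings
# and git SHAs out of the results; entropy alone would flag those too.
AWS_ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Published documentation placeholder; it is never a live credential.
KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}

# Constructed sample files for this example (not from the page).
SAMPLE_FILES = {
    "src/config.py": 'AWS_KEY = "AKIATESTKEY000000001"\n',
    "docs/example.md": "Use AKIAIOSFODNN7EXAMPLE as the key in the example.\n",
    "tests/fixtures.py": (
        'token = "9f86d081884c7d659a2feaa0c55ad015"\n'  # high entropy, wrong format
        'key = "AKIATESTKEY000000002"\n'                # reported even in a test path
    ),
}


def scan_text(path: str, text: str):
    """Return one finding dict per access key ID in `text` that is not a
    known placeholder. Test paths are deliberately not excluded."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in AWS_ACCESS_KEY_ID.finditer(line):
            key = match.group(1)
            if key in KNOWN_PLACEHOLDERS:
                continue
            findings.append(
                {"path": path, "line": lineno, "detector": "aws-access-key", "match": key}
            )
    return findings


def scan_files(files: dict):
    """Scan a {path: contents} mapping and concatenate the findings."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"HIGH {f['detector']} {f['path']}:{f['line']}")
```

Where a provider's key format carries a checksum, the check belongs in the same place as the placeholder filter: a candidate that fails it is dropped before it ever reaches the report.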
A complete software bill of materials, instantly.
Point xgrep at a repo and get a standards-compliant SBOM straight from your lockfiles — no build, no network, and no package manager required.
# CycloneDX SBOM written to a file
xgrep sbom --format cyclonedx-json -o sbom.json .
# SPDX, direct dependencies only, from a specific git tag
xgrep sbom --format spdx-json --direct-only --ref v1.4.0 .
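To show what "an SBOM straight from your lockfiles" means in practice, here is an added example (not xgrep's implementation) that reads an npm `package-lock.json` (lockfileVersion 3 layout), lists every installed package as a CycloneDX component with a `pkg:npm/...` purl, and supports a direct-dependencies-only mode. The lockfile content is constructed for this example; package names and versions in it are placeholders.

```python
import json

# Constructed package-lock.json for this example (not from the page).
# The "" entry is the root project; "node_modules/<name>" entries are installed packages.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.19.2", "@types/node": "^20.11.0"}},
        "node_modules/express": {"version": "4.19.2", "dependencies": {"accepts": "~1.3.8"}},
        "node_modules/accepts": {"version": "1.3.8"},
        "node_modules/@types/node": {"version": "20.11.0"},
    },
})


def npm_purl(name: str, version: str) -> str:
    """Package URL for an npm package; a scope's '@' is percent-encoded per the purl spec."""
    return f"pkg:npm/{name.replace('@', '%40')}@{version}"


def lockfile_components(lock_text: str, direct_only: bool = False):
    """Turn lockfile entries into CycloneDX component dicts, no network or build needed."""
    packages = json.loads(lock_text)["packages"]
    direct = set(packages.get("", {}).get("dependencies", {}))
    components = []
    for path, meta in packages.items():
        if not path.startswith("node_modules/"):
            continue
        # Nested installs look like node_modules/a/node_modules/b; keep the last segment.
        name = path.rsplit("node_modules/", 1)[1]
        if direct_only and name not in direct:
            continue
        version = meta["version"]
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": npm_purl(name, version),
        })
    return sorted(components, key=lambda c: c["name"])


def cyclonedx_bom(lock_text: str, direct_only: bool = False) -> dict:
    """Minimal CycloneDX 1.5 JSON document wrapping the component list."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": lockfile_components(lock_text, direct_only),
    }


if __name__ == "__main__":
    print(json.dumps(cyclonedx_bom(LOCKFILE), indent=2))
```

The direct-only view answers a different question from the full list: the full BOM is what a vulnerability matcher needs, while the direct list is what a team owns and can upgrade without waiting on an upstream package.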
Your CI pipeline shouldn't wait for your scanner.
No interpreter to boot, no packages to install, no warm-up — and no AI agent or hosted backend required. SAST, secrets, and SBOM all run from one binary the moment CI calls it.
Built for the AI-native security workflow.
Traditional SAST dumps 500 findings. Your team ignores 400 of them. xgrep lets AI agents triage with full code context.
Traditional SAST
AI-Native SAST
# Install the bundled skills into Claude Code
npx @mondoohq/xgrep skill install
“xgrep does not embed an LLM. It gives your agent skills and tools.”
Works with your AI agent.
xgrep integrates as a backend skill for any coding agent — via MCP, CLI, or direct tool calls. Your agent scans, traces, and fixes without leaving the session.
First scan in 30 seconds.
Add xgrep as a backend skill for your coding agent, or run it directly.
Install as agent skill
# Claude Code — install the bundled skills
# (triage, inspect, rule-creator, remediate, secure-coding)
npx @mondoohq/xgrep skill install

# Cursor / Windsurf / any MCP client
{
  "mcpServers": {
    "xgrep": {
      "command": "npx",
      "args": ["@mondoohq/xgrep", "mcp"]
    }
  }
}
Run directly
# npx (zero install)
npx @mondoohq/xgrep scan ./src
# Or install globally
npm install -g @mondoohq/xgrep
# Rules are built in — just point at your code
xgrep scan ./src
Common commands
# Scan for vulnerabilities and secrets
xgrep scan .
# Diff-aware scan in CI (auto-detects the provider)
xgrep ci
# Generate a CycloneDX SBOM
xgrep sbom --format cyclonedx-json -o sbom.json .
# Scan git history for leaked secrets
xgrep scan --history --category secrets .
# Output SARIF for GitHub Code Scanning
xgrep scan --sarif -o results.sarif .
# Use custom rules
xgrep scan -f my-rules/ .
In your editor
The Mondoo VS Code extension runs xgrep’s language server for real-time, in-editor diagnostics, taint visualization, and quick fixes. Available on both the Visual Studio Marketplace and Open VSX (for VSCodium, Cursor, and Windsurf).