
Code Scanning — Static Application Security Testing (SAST)

Run xgrep's SAST (static application security testing) engine against your code — taint and dataflow analysis that traces untrusted input to dangerous sinks, plus output formats, supported languages, Semgrep parity, and custom rules.


xgrep's static application security testing (SAST) engine, also known as static code analysis, scans your source code for security vulnerabilities and correctness bugs. It combines a large built-in rule corpus with taint and dataflow analysis that follows untrusted input from its source to a dangerous sink, so a finding means the engine traced a path along which attacker-controlled data actually reaches the sink, not merely that a risky-looking pattern appears somewhere in the file. It runs with zero configuration:

xgrep scan .

This section covers running a scan and authoring your own rules.

Looking for something other than vulnerabilities in your own code? xgrep also finds committed credentials (Secrets, on by default) and, in the same xgrep scan run, known vulnerabilities in your third-party packages (Dependencies; this needs a Mondoo service account, and --no-dep-scan opts out).

Common recipes

# Default: run the built-in security + secrets rules over a directory
xgrep scan <target>

# High-signal, exploitable-only scan — recommended when embedding xgrep or
# scanning a focused executable surface (e.g. an AI-agent skill).
# Drops hardening/advisory findings (--subcategory vuln) and non-source trees
# such as tests/benchmarks/examples (--xgrepignore).
xgrep scan --category security --subcategory vuln --xgrepignore <target>

# Scan only what a pull request changed
xgrep scan --baseline-commit origin/main <target>

# Machine-readable output for tooling / CI
xgrep scan --json <target>

# Stream findings as NDJSON during the scan, so editors/tools show results
# progressively instead of waiting for the whole scan to finish.
xgrep scan --json --stream <target>

See the CLI reference for the vuln vs audit tiers, File filtering for --xgrepignore, and Rules to filter the built-in corpus or author your own.
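As an added example (not xgrep's own code, and not part of this page's original content), the script below shows how a CI job can consume the --json --stream output of the high-signal recipe above: it runs the scan with the recipe's flags, parses findings progressively as NDJSON lines arrive, tolerates a truncated or non-finding line in the stream, and fails the build once any finding meets a severity threshold. The record shape it parses (objects carrying severity, rule, path and line fields, with severities named info/low/medium/high/critical) and the script name gate.py are assumptions for illustration; check them against the records your xgrep version actually emits before relying on the gate.

```python
"""CI severity gate over `xgrep scan --json --stream` output (added example).

ASSUMPTION: each streamed line is one JSON object; finding records carry
"severity", "rule", "path" and "line". Adapt the field names to the real
schema emitted by your xgrep version.
"""
import json
import subprocess
import sys
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Assumed severity vocabulary, ordered from least to most serious.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def scan_command(target: str, baseline: Optional[str] = None) -> List[str]:
    """Build the high-signal recipe from this page, optionally limited to a PR diff."""
    cmd = ["xgrep", "scan", "--category", "security", "--subcategory", "vuln",
           "--xgrepignore", "--json", "--stream"]
    if baseline:
        cmd += ["--baseline-commit", baseline]
    cmd.append(target)
    return cmd


def run_scan(target: str, baseline: Optional[str] = None) -> Iterator[str]:
    """Run xgrep and yield stdout lines as they arrive (does not wait for the full scan)."""
    proc = subprocess.Popen(scan_command(target, baseline), stdout=subprocess.PIPE, text=True)
    assert proc.stdout is not None
    for line in proc.stdout:
        yield line
    proc.wait()


def parse_findings(lines: Iterable[str]) -> Tuple[List[Dict], int]:
    """Turn NDJSON lines into finding dicts.

    Blank lines are ignored; lines that are not valid JSON (for example a record
    cut off when the stream was interrupted) are counted in `skipped` rather
    than aborting the gate; valid objects without a "severity" field (progress
    or status events, assumed) are silently passed over.
    """
    findings: List[Dict] = []
    skipped = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(obj, dict) and "severity" in obj:
            findings.append(obj)
    return findings, skipped


def gate(findings: List[Dict], fail_on: str = "high") -> List[Dict]:
    """Return the findings at or above `fail_on`; unknown severities rank as info."""
    threshold = SEVERITY_RANK[fail_on]
    return [f for f in findings
            if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 0) >= threshold]


# Constructed sample stream for offline use: three findings, one progress event,
# one blank line and one truncated record. Not real xgrep output.
SAMPLE_STREAM = [
    '{"rule": "sqli-tainted-query", "severity": "high", "path": "app/db.py", "line": 42}\n',
    '{"rule": "weak-hash-md5", "severity": "medium", "path": "app/auth.py", "line": 17}\n',
    '{"event": "progress", "files_scanned": 120}\n',
    '\n',
    '{"rule": "cmd-injection", "sev',  # truncated: stream cut mid-record
    '{"rule": "ssrf-user-url", "severity": "critical", "path": "app/fetch.py", "line": 88}\n',
]


def main(argv: List[str]) -> int:
    """Usage: gate.py <target> [baseline-commit] [fail-on-severity]."""
    if len(argv) < 2:
        print(__doc__, file=sys.stderr)
        return 2
    target = argv[1]
    baseline = argv[2] if len(argv) > 2 else None
    fail_on = argv[3] if len(argv) > 3 else "high"
    findings, skipped = parse_findings(run_scan(target, baseline))
    blocking = gate(findings, fail_on)
    for f in blocking:  # print as they would appear in a CI log
        print(f"{f['severity'].upper():8} {f['path']}:{f['line']}  {f['rule']}")
    if skipped:
        print(f"warning: {skipped} unparseable line(s) in stream", file=sys.stderr)
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py . origin/main high` in a pull-request job to block only on new high or critical findings; the truncated-record handling matters with --stream because a cancelled or crashed scan can leave the last line incomplete, and the gate should report that rather than silently pass.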
