Code Scanning — Static Application Security Testing (SAST)
Run xgrep's SAST (static application security testing) engine against your code — taint and dataflow analysis that traces untrusted input to dangerous sinks, plus output formats, supported languages, Semgrep parity, and custom rules.
Code Scanning (SAST)
xgrep's static application security testing (SAST) engine — also known as static code analysis — scans your source code for security vulnerabilities and correctness bugs. It combines a large built-in rule corpus with taint and dataflow analysis that follows untrusted input from source to dangerous sink, so it reports vulnerabilities that are actually reachable, not just pattern matches. It runs with zero configuration:
xgrep scan .
This section covers running a scan and authoring rules:
- CLI reference — flags and subcommands.
- Output formats — text, JSON, SARIF, and GitLab SAST.
- CBOM — generate a CycloneDX 1.6 Cryptography Bill of Materials.
- Supported languages — tree-sitter and generic/text coverage.
- SAST by language — what xgrep detects in each language.
- File filtering — which files get scanned and how to control it.
- Semgrep compatibility — parity with OpenGrep/Semgrep.
- Rules — the built-in corpus and how to write your own.
Looking for something other than vulnerabilities in your code? xgrep also finds committed credentials (Secrets, on by default) and, in the same xgrep scan run, known vulnerabilities in your third-party packages (Dependencies; this needs a Mondoo service account, and --no-dep-scan opts out).
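To make the "reachable, not just a pattern match" distinction concrete, here is a small added illustration (not xgrep's engine and not code from the xgrep project): a toy intraprocedural taint analysis over Python source, run next to a naive pattern matcher on the same constructed sample. The source, sink and sanitizer lists are chosen for the example; xgrep's own rule corpus is far larger and its dataflow engine is interprocedural. The sample program and the helper names are assumptions made up for this demonstration.

```python
"""Toy taint analysis: source -> (sanitizer) -> sink over straight-line Python.

Illustration only, not xgrep's engine. Sources/sinks/sanitizers are chosen
for the example; real SAST rule sets are much larger.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

SOURCES = {"input", "request.args.get"}                    # untrusted data enters here
SINKS = {"os.system", "subprocess.call", "cursor.execute"}  # dangerous calls
SANITIZERS = {"shlex.quote", "int"}                         # calls that neutralise taint


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str


def dotted_name(node: ast.AST) -> str | None:
    """Render Name/Attribute chains such as os.system as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def pattern_findings(source: str) -> list[Finding]:
    """Pattern-only baseline: every sink call is reported, tainted or not."""
    hits = [
        Finding(n.lineno, dotted_name(n.func))
        for n in ast.walk(ast.parse(source))
        if isinstance(n, ast.Call) and dotted_name(n.func) in SINKS
    ]
    return sorted(hits, key=lambda f: f.line)


class TaintAnalyzer(ast.NodeVisitor):
    """Tracks which local names hold tainted data, one function at a time."""

    def __init__(self) -> None:
        self.tainted: set[str] = set()
        self.findings: list[Finding] = []

    def is_tainted(self, node: ast.AST) -> bool:
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False  # sanitised value is clean whatever went in
            # any other call propagates taint from its arguments or receiver
            args = list(node.args) + [kw.value for kw in node.keywords]
            return any(self.is_tainted(a) for a in args) or (
                isinstance(node.func, ast.Attribute) and self.is_tainted(node.func.value)
            )
        # BinOp, f-strings, subscripts, ...: tainted if any child is tainted
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(node))

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.tainted = set()  # fresh state per function (intraprocedural)
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = dotted_name(node.func)
        if name in SINKS:
            args = list(node.args) + [kw.value for kw in node.keywords]
            if any(self.is_tainted(a) for a in args):
                self.findings.append(Finding(node.lineno, name))
        self.generic_visit(node)


def taint_findings(source: str) -> list[Finding]:
    """Report only sink calls that untrusted data actually reaches."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return sorted(analyzer.findings, key=lambda f: f.line)


# Constructed sample: four sink calls, only one reachable by untrusted input.
SAMPLE = '''
import os, shlex, subprocess

def vulnerable(request):
    path = request.args.get("p")          # source
    os.system(f"ls {path}")               # sink reached by tainted data

def sanitized(request):
    path = shlex.quote(request.args.get("p"))
    os.system("ls " + path)               # sanitizer breaks the flow

def constant():
    os.system("ls /tmp")                  # sink, but no untrusted input

def overwritten():
    cmd = input()
    cmd = "uptime"                        # tainted name reassigned to a literal
    subprocess.call(cmd, shell=True)
'''

if __name__ == "__main__":
    print("pattern-only:", pattern_findings(SAMPLE))  # four hits, three are noise
    print("taint-aware: ", taint_findings(SAMPLE))    # only the reachable one
```

The pattern matcher reports all four os.system/subprocess.call sites; the taint pass reports only the first, because the second is sanitised, the third takes a literal, and the fourth has its tainted name overwritten before the sink. That gap between the two lists is the noise a dataflow-based scanner removes.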
Common recipes
# Default: run the built-in security + secrets rules over a directory
xgrep scan <target>
# High-signal, exploitable-only scan — recommended when embedding xgrep or
# scanning a focused executable surface (e.g. an AI-agent skill).
# Drops hardening/advisory findings (--subcategory vuln) and non-source trees
# such as tests/benchmarks/examples (--xgrepignore).
xgrep scan --category security --subcategory vuln --xgrepignore <target>
# Scan only what a pull request changed
xgrep scan --baseline-commit origin/main <target>
# Machine-readable output for tooling / CI
xgrep scan --json <target>
# Stream findings as NDJSON during the scan, so editors/tools show results
# progressively instead of waiting for the whole scan to finish.
xgrep scan --json --stream <target>
See the CLI reference for the vuln vs audit tiers, File filtering for --xgrepignore, and Rules to filter the built-in corpus or author your own.