SAST by Language
What xgrep detects in each language — JavaScript/TypeScript, Java, C#, Python, Go, Ruby, Swift — plus infrastructure and config files.
xgrep scans with language-aware, AST-based rules (tree-sitter), and follows untrusted input to dangerous sinks with taint analysis. Coverage is deepest in the languages below; see Supported languages for the full parser/extension matrix, including the newer AST and generic/text languages.
You don't pick a language — xgrep detects it from the file extension and runs the matching rules automatically. The pages here describe what each language ruleset finds.
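As an added illustration of the source-to-sink tracking described above (a toy written for this page, not xgrep's engine and not its rule format), the following Python walks a constructed Flask-style snippet with the standard `ast` module. It treats `request.args.get` as a taint source, `os.system` as a sink and `shlex.quote` as a sanitizer, propagates taint through assignments and string concatenation one statement at a time, and reports only the function where untreated input reaches the sink:

```python
import ast

# Constructed sample program under analysis (not from any real project). The
# first function passes request input straight to a shell sink; the second
# routes the same input through a sanitizer first.
SAMPLE = '''
import os, shlex
from flask import request

def vulnerable():
    name = request.args.get("name")
    cmd = "ping -c 1 " + name
    os.system(cmd)

def safe():
    name = request.args.get("name")
    cmd = "ping -c 1 " + shlex.quote(name)
    os.system(cmd)
'''

# Toy source/sink/sanitizer sets; a real ruleset models many more.
SOURCES = {"request.args.get", "request.form.get"}
SINKS = {"os.system", "subprocess.call"}
SANITIZERS = {"shlex.quote"}


def dotted_name(node):
    """Return 'a.b.c' for an Attribute/Name chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted):
    """Taint flows through variable reads, binary ops, f-strings and the
    arguments of ordinary calls; a call to a sanitizer stops it."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        callee = dotted_name(expr.func)
        if callee in SANITIZERS:
            return False
        if callee in SOURCES:
            return True
        return any(is_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.BinOp):
        return is_tainted(expr.left, tainted) or is_tainted(expr.right, tainted)
    if isinstance(expr, ast.JoinedStr):
        return any(is_tainted(v.value, tainted)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    return False


def find_taint_flows(source_code):
    """Intraprocedural walk: per function, track which local names hold
    tainted data after each statement and report sink calls fed by them.
    Returns (function name, sink, line number) tuples."""
    findings = []
    tree = ast.parse(source_code)
    for fn in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if is_tainted(stmt.value, tainted):
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)  # re-assignment clears taint
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                callee = dotted_name(call.func)
                if callee in SINKS and any(is_tainted(a, tainted) for a in call.args):
                    findings.append((fn.name, callee, stmt.lineno))
    return findings


if __name__ == "__main__":
    for fn_name, sink, line in find_taint_flows(SAMPLE):
        print(f"{fn_name}: tainted input reaches {sink} at line {line}")
```

The point of the two functions side by side is the sanitizer rule: without it, `safe()` would be reported as well, and the scan would be noise. Real engines add interprocedural flow, field and container sensitivity and many more sinks, but the shape of the analysis is the same.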
Coverage at a glance
| Language | Extensions | Frameworks covered | Taint rules | Rules |
|---|---|---|---|---|
| JavaScript / TypeScript | .js .jsx .mjs .cjs .ts .tsx | Express, Node.js | 35 | ~200 |
| Java | .java | Spring, Android, JSP/Jakarta | 37 | ~180 |
| C# | .cs | ASP.NET, Razor | 4 | ~150 |
| Python | .py .pyi | Django, Flask | 20 | ~90 |
| Go | .go | net/http, database/sql, crypto/tls | 16 | ~60 |
| Ruby | .rb | Rails, ERB | 2 | ~50 |
| Swift | .swift | iOS / Cocoa | 10 | ~30 |
| Kotlin | .kt .kts | Android, Ktor, Spring | 8 | ~14 |
Rule counts cover the built-in security and correctness rules and grow over time; secrets detection runs across all of these languages on top.
Infrastructure & configuration
xgrep also scans the files that configure and ship your code, where a single misconfiguration is often the whole vulnerability:
- Terraform / HCL (.tf, .hcl) — insecure cloud resources and misconfigurations.
- Dockerfile — risky base images, root users, and build-time secret exposure.
- GitHub Actions (.github/workflows/*.yml) — workflow injection, unpinned actions, and over-broad token permissions.
- Bash (.sh, .bash) — command injection and unsafe pipeline patterns.
- XML (.xml) — XXE-prone parser configuration.
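The three GitHub Actions problems listed above (workflow injection, unpinned actions, over-broad token permissions) are concrete enough to show side by side. This added Python example is not part of xgrep and does not use its rule syntax: it holds a constructed weak workflow and a hardened version of the same workflow, and runs a small line-oriented check over both. The commit SHA in the hardened file is a placeholder standing in for a real pin.

```python
import re

# Constructed sample workflow (not from any real repository). It shows all
# three patterns: write-all permissions, a tag-pinned action, and untrusted
# event data interpolated directly into `run:` steps.
WEAK_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
permissions: write-all
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        run: echo "New issue: ${{ github.event.issue.title }}"
      - name: Echo author
        run: |
          echo "Opened by ${{ github.event.issue.user.login }}"
"""

# Same workflow hardened: least-privilege token, action pinned to a full commit
# SHA (placeholder here), and event data passed through an environment
# variable so the shell sees a value, not interpolated text.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder: pin to a real commit SHA
      - name: Echo title
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""

SHA_RE = re.compile(r"@[0-9a-f]{40}\b")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)")
# Contexts an outside contributor controls; extend as needed.
UNTRUSTED_RE = re.compile(r"\$\{\{\s*(github\.event\.|github\.head_ref)")
PERMS_RE = re.compile(r"^\s*permissions:\s*write-all\b")


def scan_workflow(text):
    """Return (line number, rule id, line) tuples for each problem found.
    Handles single-line `run:` steps and multi-line `run: |` blocks."""
    findings = []
    run_indent = None  # indentation of an open multi-line run block, or None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if run_indent is not None:
            if indent > run_indent:  # still inside the block
                if UNTRUSTED_RE.search(line):
                    findings.append((lineno, "expression-injection", stripped))
                continue
            run_indent = None  # indentation returned to key level: block ended
        if PERMS_RE.match(line):
            findings.append((lineno, "broad-permissions", stripped))
        m = USES_RE.match(line)
        if m and not SHA_RE.search(m.group(1)):
            findings.append((lineno, "unpinned-action", stripped))
        m = RUN_RE.match(line)
        if m:
            body = m.group(1).strip()
            if body in ("|", "|-", ">", ">-"):
                run_indent = indent
            elif UNTRUSTED_RE.search(body):
                findings.append((lineno, "expression-injection", stripped))
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {len(scan_workflow(wf))} finding(s)")
        for lineno, rule, line in scan_workflow(wf):
            print(f"  line {lineno} [{rule}] {line}")
```

Note that the hardened file still contains `${{ github.event.issue.title }}`, but only on an `env:` line; the check deliberately flags the expression only inside `run:` text, which is where it becomes shell input.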
Infrastructure as Code (IaC)
xgrep focuses on application source and the config that ships alongside it. It scans the IaC formats above where they overlap with source-level analysis — Terraform/HCL syntax and resource misconfigurations, Dockerfile build hygiene, and GitHub Actions workflow security — but it is not a general-purpose IaC posture scanner.
For broader Infrastructure as Code, cnspec is the primary tool. It evaluates IaC as policy-as-code (MQL), covering formats xgrep does not parse:
- Terraform — plans, state, and HCL, checked against compliance frameworks (CIS, etc.).
- Kubernetes manifests and Helm charts.
- AWS CloudFormation templates.
- Azure Bicep / ARM templates.
- Ansible playbooks.
The two are complementary: run xgrep for SAST, secrets, and dependency findings on your repository; run cnspec for IaC and runtime/cloud security posture. When reporting to Mondoo Platform, xgrep's findings land on the same asset alongside cnspec's, giving one combined view.
Scoping a scan to one language
A scan runs every matching ruleset, but you can narrow it:
```shell
xgrep scan --include '*.go' .           # only Go files
xgrep scan --include 'src/**/*.ts' .    # a glob subtree
xgrep scan --lang python -              # force a language (useful with --stdin)
```
See File filtering for --include/--exclude and the CLI reference for --lang.