Kotlin SAST

What xgrep detects in Kotlin — injection, XSS, unsafe deserialization, weak crypto, insecure TLS, open redirect, and ReDoS — for Android apps and JVM backends.

xgrep parses .kt / .kts into tree-sitter ASTs and ships 14 rules, 8 of them taint-based, covering both Android apps and JVM server code (Ktor, Spring).

xgrep scan --include '*.kt' .

What xgrep detects

Injection: sql-injection (SQLite rawQuery/execSQL and JDBC), command-injection (Runtime.exec / ProcessBuilder), code-injection (ScriptEngine.eval, Groovy).

Cross-site scripting: reflected-xss, request input written to a servlet response, a Ktor respondText(..., ContentType.Text.Html), or an Android WebView.loadData.

Open redirect: open-redirect, untrusted input flowing into sendRedirect / Ktor respondRedirect, with relative-path and allowlist guards recognised.

SSRF: ssrf, tainted URLs reaching URL.openConnection/OkHttp.

Deserialization: unsafe-deserialization, ObjectInputStream.readObject, SnakeYAML load, and XStream fromXML.

Path traversal: path-traversal.

Crypto: weak-cipher (DES/ECB/Blowfish), weak-hash (MD5/SHA-1), insecure-random (a non-CSPRNG used for a token/key/nonce/salt).

TLS: trust-all-certificates, an X509TrustManager with an empty checkServerTrusted, or a HostnameVerifier that always returns true.

Regex / DoS: regex-injection, untrusted input compiled as a regular expression (ReDoS), suppressed when Regex.escape / Pattern.quote is applied.

Android: webview-js-interface, addJavascriptInterface exposed to untrusted content.

Taint analysis

8 rules use taint mode: untrusted input — a servlet parameter/header, a Ktor request header, or an Android Intent extra — must reach a dangerous sink before the rule fires, and recognised sanitizers (HTML-encoders, Pattern.quote/Regex.escape, type conversions) stop the flow.
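The following is a constructed Ktor route, added here as an illustration and not taken from xgrep or its rule set, showing the source-to-sink flows the regex-injection and open-redirect rules look for next to the sanitized forms that stop the taint. It assumes Ktor 2.x server APIs and an invented `X-Search` header.

```kotlin
import io.ktor.server.application.*
import io.ktor.server.request.*
import io.ktor.server.response.*
import io.ktor.server.routing.*

// Constructed example: a Ktor request header is the taint source in every handler.
fun Route.taintDemoRoutes() {
    get("/search-flagged") {
        // Source: untrusted header value (header name is made up for this example).
        val term = call.request.header("X-Search") ?: ""
        // Sink: the tainted string is compiled as a pattern; regex-injection fires
        // because a crafted header can become a catastrophically backtracking regex.
        val pattern = Regex(term)
        call.respondText("matches: ${pattern.containsMatchIn("sample text")}")
    }

    get("/search-safe") {
        val term = call.request.header("X-Search") ?: ""
        // Sanitizer: Regex.escape makes the input a literal, so the flow is cut
        // and the rule stays quiet even though the same sink is reached.
        val pattern = Regex(Regex.escape(term))
        call.respondText("matches: ${pattern.containsMatchIn("sample text")}")
    }

    get("/go-flagged") {
        val target = call.request.header("X-Return-To") ?: "/"
        // Sink: tainted value reaches respondRedirect unchecked; open-redirect fires.
        call.respondRedirect(target)
    }

    get("/go-safe") {
        val target = call.request.header("X-Return-To") ?: "/"
        // Guard: an allowlist of known relative paths; the rule recognises this
        // check and does not report the redirect below it.
        val allowed = setOf("/home", "/account", "/orders")
        val destination = if (target in allowed) target else "/"
        call.respondRedirect(destination)
    }
}
```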

See also Secrets scanning and the CLI reference.