Kotlin SAST
What xgrep detects in Kotlin — injection, XSS, unsafe deserialization, weak crypto, insecure TLS, open redirect, and ReDoS — for Android apps and JVM backends.
xgrep parses .kt / .kts into tree-sitter ASTs and ships 14 rules, 8 of them
taint-based, covering both Android apps and JVM server code (Ktor, Spring).
xgrep scan --include '*.kt' .

What xgrep detects
Injection — sql-injection (SQLite rawQuery/execSQL and JDBC), command-injection (Runtime.exec / ProcessBuilder), code-injection (ScriptEngine.eval, Groovy).
Cross-site scripting — reflected-xss: request input written to a servlet response, a Ktor respondText(..., ContentType.Text.Html), or an Android WebView.loadData.
Open redirect — open-redirect: untrusted input flowing into sendRedirect / Ktor respondRedirect, with relative-path and allowlist guards recognised.
SSRF — ssrf: tainted URLs reaching URL.openConnection/OkHttp.
Deserialization — unsafe-deserialization: ObjectInputStream.readObject, SnakeYAML load, and XStream fromXML.
Path traversal — path-traversal.
Crypto — weak-cipher (DES/ECB/Blowfish), weak-hash (MD5/SHA-1), insecure-random (a non-CSPRNG used for a token/key/nonce/salt).
TLS — trust-all-certificates: an X509TrustManager with an empty checkServerTrusted, or a HostnameVerifier that always returns true.
Regex / DoS — regex-injection: untrusted input compiled as a regular expression (ReDoS), suppressed when Regex.escape / Pattern.quote is applied.
Android — webview-js-interface: addJavascriptInterface exposed to untrusted content.
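The following Kotlin is an added illustration, not code from xgrep or its documentation: it shows the code shapes that the Crypto and TLS rule descriptions above name (weak-hash, insecure-random, weak-cipher, trust-all-certificates), each next to the form that does not match the description. Function and value names are made up for the example; whether a particular line is reported is for the scanner to decide, and the "does not fire" comments state what the rule text above implies, not a guarantee.

```kotlin
// Added example, not xgrep's own code. Each "fires" line uses an API the
// rule descriptions call out; the line after it is the replacement a
// reviewer would ask for.
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Random
import javax.crypto.Cipher
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLSession

// weak-hash: MD5 named in the rule as a weak digest algorithm.
fun legacyDigest(data: ByteArray): ByteArray =
    MessageDigest.getInstance("MD5").digest(data)

// Not a weak hash: SHA-256. (For password storage use a dedicated KDF such as
// PBKDF2 or Argon2; SHA-256 is shown here only as the non-weak digest.)
fun digest(data: ByteArray): ByteArray =
    MessageDigest.getInstance("SHA-256").digest(data)

// insecure-random: java.util.Random is not a CSPRNG, and the value feeds a token.
fun weakSessionToken(): String {
    val token = Random().nextLong()
    return token.toString(16)
}

// Not insecure: SecureRandom is a CSPRNG; 32 bytes of entropy, hex-encoded.
fun sessionToken(): String {
    val bytes = ByteArray(32)
    SecureRandom().nextBytes(bytes)
    return bytes.joinToString("") { "%02x".format(it) }
}

// weak-cipher: DES, and ECB mode, both listed by the rule.
fun legacyCipher(): Cipher = Cipher.getInstance("DES/ECB/PKCS5Padding")

// Not weak: AES in an authenticated mode (GCM), which also covers integrity.
fun cipher(): Cipher = Cipher.getInstance("AES/GCM/NoPadding")

// trust-all-certificates: a HostnameVerifier that always returns true, so a
// valid certificate for any other host is accepted for this connection.
val acceptAnyHost = HostnameVerifier { _: String, _: SSLSession -> true }

// Not trust-all: the platform default verifier, which checks the certificate's
// subject alternative names against the requested host.
val defaultVerifier: HostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier()
```

A quick way to use a file like this is as a fixture: run the scan command above over a directory containing it and confirm that the four "fires" functions are reported and the four replacements are not, which also tells you that the rule set is actually loaded for .kt files.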
Taint analysis
Eight of the rules use taint mode: untrusted input — a servlet parameter/header, a Ktor request header, or an Android Intent extra — must reach a dangerous sink before the rule fires, and recognised sanitizers (HTML-encoders, Pattern.quote/Regex.escape, type conversions) stop the flow.
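As an added example (not part of this page or of xgrep), the route below shows the three parts of a taint finding in one Ktor handler: the source is a request header, the sink is a Regex compiled from it (the regex-injection rule above), and two of the sanitizer kinds the paragraph names cut the flow: Regex.escape, and a type conversion. The Ktor 2.x server imports, the route paths, the X-Search/X-Page header names and the catalogue parameter are assumptions made for the example.

```kotlin
// Added example, not xgrep's own code. Assumes the Ktor 2.x server API.
import io.ktor.server.application.*
import io.ktor.server.response.*
import io.ktor.server.routing.*

// `catalogue` stands in for whatever data the search runs over (constructed
// for this example; any List<String> will do).
fun Route.searchRoutes(catalogue: List<String>) {

    // Source -> sink with nothing in between: the X-Search header is untrusted,
    // Regex(term) compiles it as a pattern. This is the flow regex-injection
    // describes; a header such as "(a+)+$" makes the filter backtrack
    // catastrophically on a long run of 'a's.
    get("/search-unsafe") {
        val term = call.request.headers["X-Search"] ?: ""
        val hits = catalogue.filter { Regex(term).containsMatchIn(it) }
        call.respondText(hits.joinToString("\n"))
    }

    // Same source and sink, but Regex.escape (a recognised sanitizer) turns the
    // input into a literal pattern, so metacharacters lose their meaning and
    // the taint flow stops before the sink.
    get("/search") {
        val term = call.request.headers["X-Search"] ?: ""
        val literal = Regex(Regex.escape(term))
        val hits = catalogue.filter { literal.containsMatchIn(it) }
        call.respondText(hits.joinToString("\n"))
    }

    // Type conversion as sanitizer: toIntOrNull() yields an Int (or the
    // default 1), and an Int cannot carry regex syntax, so the value that
    // reaches the sink is no longer tainted.
    get("/page") {
        val page = call.request.headers["X-Page"]?.toIntOrNull() ?: 1
        val pattern = Regex("^item-$page-")
        val hits = catalogue.filter { pattern.containsMatchIn(it) }
        call.respondText(hits.joinToString("\n"))
    }
}
```

The three handlers are deliberately near-identical so that, when scanned, the only difference between a finding and a clean route is the sanitizer; if /search or /page is still reported, the sanitizer was not recognised in that position and the flow should be checked rather than suppressed.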
See also Secrets scanning and the CLI reference.