Code Scanning
Supported Languages
Languages with tree-sitter AST matching, and the generic/text files matched with regex patterns.
Supported Languages
This page is the raw parser/extension matrix. For what xgrep actually detects in each language — the vulnerability classes, frameworks, and taint coverage — see SAST by language.
Tree-sitter languages (full AST matching)
| Language | Extensions |
|---|---|
| Python | .py, .pyi |
| Go | .go |
| Java | .java |
| JavaScript | .js, .jsx, .mjs, .cjs |
| TypeScript | .ts |
| TSX | .tsx |
| Ruby | .rb |
| PHP | .php |
| C | .c, .h |
| C++ | .cc, .cpp, .cxx, .hpp |
| C# | .cs |
| Rust | .rs |
| Kotlin | .kt, .kts |
| Scala | .scala, .sc |
| Bash | .sh, .bash, .zsh |
| Lua | .lua |
| Julia | .jl |
| OCaml | .ml, .mli |
| HTML | .html, .htm, .vue |
| JSON | .json |
| YAML | .yaml, .yml |
| XML | .xml |
| HCL | .tf, .hcl |
| Dockerfile | Dockerfile |
| Swift | .swift |
Newer AST languages
These languages also parse to a tree-sitter AST, so structural matching is available.
Their bundled rule coverage is lighter and still largely pattern-regex, but rules can
be (and are being) authored as AST patterns.
| Language | Extensions |
|---|---|
| Solidity | .sol |
| Dart | .dart |
| R | .r, .R |
| Elixir | .ex, .exs |
| Erlang | .erl, .hrl |
| Clojure | .clj, .cljs, .cljc |
| Scheme | .scm, .ss |
| Lisp | .lisp, .cl |
| Groovy | Jenkinsfile |
Regex-only matching
Only generic/text files (.txt, .tpl, .ejs, .mustache, .move, .generic)
are matched purely with regex patterns — there is no grammar for them, so AST-specific
features (precise structural matching, typed metavariables) are unavailable.