Code Scanning

Supported Languages

Languages with tree-sitter AST matching, and the generic/text files matched with regex patterns.

Supported Languages

This page is the raw parser/extension matrix. For what xgrep actually detects in each language — the vulnerability classes, frameworks, and taint coverage — see SAST by language.

Tree-sitter languages (full AST matching)

LanguageExtensions
Python.py, .pyi
Go.go
Java.java
JavaScript.js, .jsx, .mjs, .cjs
TypeScript.ts
TSX.tsx
Ruby.rb
PHP.php
C.c, .h
C++.cc, .cpp, .cxx, .hpp
C#.cs
Rust.rs
Kotlin.kt, .kts
Scala.scala, .sc
Bash.sh, .bash, .zsh
Lua.lua
Julia.jl
OCaml.ml, .mli
HTML.html, .htm, .vue
JSON.json
YAML.yaml, .yml
XML.xml
HCL.tf, .hcl
DockerfileDockerfile
Swift.swift

Newer AST languages

These languages also parse to a tree-sitter AST, so structural matching is available. Their bundled rule coverage is lighter and still largely pattern-regex, but rules can be (and are being) authored as AST patterns.

LanguageExtensions
Solidity.sol
Dart.dart
R.r, .R
Elixir.ex, .exs
Erlang.erl, .hrl
Clojure.clj, .cljs, .cljc
Scheme.scm, .ss
Lisp.lisp, .cl
GroovyJenkinsfile

Regex-only matching

Only generic/text files (.txt, .tpl, .ejs, .mustache, .move, .generic) are matched purely with regex patterns — there is no grammar for them, so AST-specific features (precise structural matching, typed metavariables) are unavailable.

On this page