SAST by Language

What xgrep detects in each language — JavaScript/TypeScript, Java, C#, Python, Go, Ruby, Swift — plus infrastructure and config files.

xgrep scans with language-aware, AST-based rules (tree-sitter), and follows untrusted input to dangerous sinks with taint analysis. Coverage is deepest in the languages below; see Supported languages for the full parser/extension matrix, including the regex-only languages.

You don't pick a language — xgrep detects it from the file extension and runs the matching rules automatically. The pages here describe what each language ruleset finds.

Coverage at a glance

Language                  Extensions                      Frameworks covered                    Taint rules  Rules
JavaScript / TypeScript   .js .jsx .mjs .cjs .ts .tsx     Express, Node.js                      35           ~200
Java                      .java                           Spring, Android, JSP/Jakarta          37           ~180
C#                        .cs                             ASP.NET, Razor                        4            ~150
Python                    .py .pyi                        Django, Flask                         20           ~90
Go                        .go                             net/http, database/sql, crypto/tls    16           ~60
Ruby                      .rb                             Rails, ERB                            2            ~50
Swift                     .swift                          iOS / Cocoa                           10           ~30

Rule counts are the built-in security and correctness rules and grow over time; secrets detection runs across all of these languages on top.

Infrastructure & configuration

xgrep also scans the files that configure and ship your code, where a single misconfiguration is often the whole vulnerability:

  • Terraform / HCL (.tf, .hcl) — insecure cloud resources and misconfigurations.
  • Dockerfile — risky base images, root users, and build-time secret exposure.
  • GitHub Actions (.github/workflows/*.yml) — workflow injection, unpinned actions, and over-broad token permissions.
  • Bash (.sh, .bash) — command injection and unsafe pipeline patterns.
  • XML (.xml) — XXE-prone parser configuration.

Scoping a scan to one language

A scan runs every matching ruleset, but you can narrow it:

xgrep scan --include '*.go' .          # only Go files
xgrep scan --include 'src/**/*.ts' .   # a glob subtree
xgrep scan --lang python -             # force a language (useful with --stdin)

See File filtering for --include/--exclude and the CLI reference for --lang.