Ruby SAST
What xgrep detects in Ruby — injection, XSS, mass assignment, deserialization, weak crypto, and supply-chain backdoors — including Rails and ERB.
xgrep parses .rb into tree-sitter ASTs and ships roughly 50 rules, with
coverage for Rails patterns and ERB templates. Detection here is mostly
precise structural matching, with taint mode reserved for select flows.
xgrep scan --include '*.rb' .
What xgrep detects
Injection — sql-injection, pg-injection, command-injection,
code-injection, header-injection, format-string, log-injection.
Cross-site scripting — xss, erb-unescaped-output, erb-inline-js-injection,
erb-tainted-output.
Mass assignment — mass-assignment (unfiltered attribute binding into models).
Deserialization & XML — unsafe-deserialization, xxe.
SSRF, redirects & MITM — ssrf, open-redirect, mitm.
Path traversal & files — path-traversal, file-permissions.
Auth & CSRF — csrf, sensitive-get (state-changing GET), weak-cookie-configuration.
Crypto & TLS — weak-cipher, insecure-tls, disabled-cert-validation,
cleartext-storage, timing-attack-string-comparison.
Availability (DoS) — regex-dos, redos, decompression.
Supply chain & backdoors — backdoor, hidden-backdoor, insecure-source,
untrusted-code, untrusted-input (flag planted backdoors or untrusted code paths).
Correctness — variables-dead-store, variables-uninitialized-local,
use-detect, database-query-in-loop (run with --category correctness).
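To show the kind of Ruby idiom three of these rules flag, here is an added example (not xgrep's own code and not from its rule set): a vulnerable form beside a hardened form for sql-injection, mass-assignment and timing-attack-string-comparison. ActiveRecord and ActiveSupport are replaced with plain-Ruby stand-ins so the file runs without Rails; the function names are invented for illustration.

```ruby
# Added example, not xgrep's code: vulnerable vs. hardened forms of three
# idioms the sql-injection, mass-assignment and
# timing-attack-string-comparison rules look for. Rails is stubbed out with
# plain Ruby so this runs stand-alone.
require "openssl"
require "digest"

# --- sql-injection: interpolating request data into a where clause -------
# Vulnerable: the caller's string becomes part of the SQL text.
def users_where_unsafe(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Hardened: the value travels as a bind parameter, never as SQL.
# (Rails equivalent: User.where("name = ?", name) or User.where(name: name).)
def users_where_safe(name)
  ["SELECT * FROM users WHERE name = ?", [name]]
end

# --- mass-assignment: binding every submitted attribute into a model -----
# Vulnerable: the whole params hash is passed through, so a client can
# submit admin: true (Rails equivalent: params.permit!).
def user_attrs_unsafe(params)
  params.dup
end

# Hardened: an explicit allow-list of attributes.
# (Rails equivalent: params.require(:user).permit(:name, :email).)
def user_attrs_safe(params)
  params.slice("name", "email")
end

# --- timing-attack-string-comparison: == on a secret token ---------------
# Vulnerable: String#== stops at the first differing byte, so response time
# leaks how many leading bytes of the guess were right.
def token_valid_unsafe(given, expected)
  given == expected
end

# Hardened: hash both sides to a fixed length, then compare in constant
# time. (Rails equivalent: ActiveSupport::SecurityUtils.secure_compare.)
def token_valid_safe(given, expected)
  OpenSSL.fixed_length_secure_compare(
    Digest::SHA256.digest(given), Digest::SHA256.digest(expected)
  )
end
```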
Taint analysis
A small number of rules use taint mode for the highest-value flows; most Ruby/Rails rules match precise structural patterns (controller params, ERB output, ActiveRecord queries), which is the reliable signal for these idioms.
See also Secrets scanning and the CLI reference.