taint_analysis
Track untrusted data from sources like HTTP params to dangerous sinks such as SQL queries. Reports unsanitized flows with CWE IDs and fix suggestions for security triage.
Instructions
Track flow of untrusted data from sources (HTTP params, env vars, file reads) to dangerous sinks (SQL queries, exec, innerHTML, redirects). Framework-aware: knows Express req.params, Laravel $request->input, Django request.GET, FastAPI Query(), etc. Reports unsanitized flows with CWE IDs and fix suggestions. Type-aware: flows that terminate at a provably non-string value (numeric/boolean coercion such as Math.floor(), (int) casts, comparison results) are pruned, since a string-injection sink cannot be exploited by a number/boolean. Heuristic, regex-based intra/inter-procedural analysis — not a sound dataflow engine; treat results as triage. Use for data-flow security analysis. For pattern-based OWASP scanning use scan_security instead. Read-only. Returns JSON: { flows: [{ source, sink, path, sanitized, cwe, suggestion }], total }.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| limit | No | Max flows to return (default: 100) | |
| scope | Yes | Directory to scan (default: whole project) | |
| sinks | No | Filter by sink kinds (default: all) | |
| sources | No | Filter by source kinds (default: all) | |
| include_sanitized | No | Include flows with sanitizers (default: false) |