Agnech
Engine 2 of 7

SAST Analysis Engine

Deep static analysis using Abstract Syntax Trees, control flow graphs, and semantic modeling. Understands your code like a compiler does.

Overview

The SAST (Static Application Security Testing) Engine performs deep semantic analysis of your source code without executing it. Unlike pattern matching, SAST understands the structure and meaning of your code, enabling detection of complex vulnerabilities that span multiple files and functions.

Parsing

Source code is parsed into language-specific ASTs using tree-sitter grammars

Type Resolution

Types are inferred and resolved across module boundaries

Flow Analysis

Control and data flow graphs are constructed for each function

Vulnerability Mapping

Security rules are applied against the semantic model

AST Analysis

The engine parses source code into Abstract Syntax Trees using language-specific grammars. This preserves the full semantic structure while normalizing syntax variations.

JavaScript
1// Original Source Code
2function processUser(req) {
3  const id = req.params.id;
4  const user = db.query(`SELECT * FROM users WHERE id = ${id}`);
5  return user;
6}
7

8// AST Representation (simplified)
9{
10  "type": "FunctionDeclaration",
11  "name": "processUser",
12  "params": [{ "name": "req", "source": "http_request" }],
13  "body": [
14    {
15      "type": "VariableDeclaration",
16      "name": "id",
17      "init": {
18        "type": "MemberExpression",
19        "object": "req.params",
20        "taint": "user_controlled"  // Marked as tainted
21      }
22    },
23    {
24      "type": "VariableDeclaration",
25      "name": "user",
26      "init": {
27        "type": "CallExpression",
28        "callee": "db.query",
29        "arguments": [{
30          "type": "TemplateLiteral",
31          "contains_tainted": true,  // SQL Injection detected!
32          "sink": "sql_query"
33        }]
34      }
35    }
36  ]
37}

Control Flow Analysis

The engine builds control flow graphs (CFGs) to understand all possible execution paths through your code. This enables detection of vulnerabilities that only occur under specific conditions.

What Control Flow Analysis Detects

Dead Code
Unreachable code paths that may hide vulnerabilities
Incomplete Validation
Paths that bypass security checks
Error Handling Gaps
Exception paths that leak sensitive data
Race Conditions
Concurrent access without synchronization
Resource Leaks
Paths where resources aren't properly released
Null Dereferences
Paths where null checks are missing

Semantic Analysis

Beyond syntax, the engine performs semantic analysis to understand types, scopes, and the meaning of operations.

TypeScript
1// The SAST engine understands semantic context
2

3// Example 1: Type-aware analysis
4const config = getConfig();  // Returns SecurityConfig type
5config.enableCSRF = false;   // SAST flags: Disabling security feature
6

7// Example 2: Scope tracking
8function outer() {
9  const secret = process.env.API_KEY;
10

11  function inner() {
12    console.log(secret);  // SAST flags: Secret leaked to console
13  }
14}
15

16// Example 3: Cross-file analysis
17// file: auth.ts
18export function validateToken(token: string) {
19  return jwt.verify(token, SECRET);  // No algorithm specified
20}
21

22// file: api.ts
23import { validateToken } from './auth';
24app.use((req) => {
25  validateToken(req.headers.token);  // SAST traces vulnerability here
26});

Vulnerability Detection

VulnerabilitySeverityCWE
Null Pointer DereferencehighCWE-476
Resource LeakmediumCWE-772
Unvalidated RedirectmediumCWE-601
Insecure RandomnesshighCWE-330
Path TraversalhighCWE-22
Race ConditionmediumCWE-362

Language Support

TypeScript
JavaScript
Python
Java
Go
Rust
C/C++
Solidity

Language-Specific Rules

Each language has specialized rules that understand framework idioms. For example, React's dangerouslySetInnerHTML or Django's mark_safe.

Next Engine

SAST findings are enriched with dependency vulnerability data from the Dependencies Engine, connecting code issues to known CVEs.