VEXLIT's SAST engine analyzes your code at the AST level - tracking data flow from source to sink, recognizing sanitizers, and filtering noise. The result: high-confidence findings you can act on immediately.
Most SAST tools flood developers with hundreds of alerts, 80% of which are false positives. Teams waste hours triaging phantom vulnerabilities while real risks slip through. VEXLIT takes a different approach.
80% of SAST alerts are false positives industry-wide
~3% false positive rate with VEXLIT's AST analysis
6,200+ security rules across 34 languages
Watch how VEXLIT traces data flow from user input to dangerous operations - detecting vulnerabilities that pattern-matching tools miss.
Demo flow: source req.query.id → "SELECT * FROM users WHERE id=" + id → sink db.query(sql)
Not just pattern matching - VEXLIT parses your code into an Abstract Syntax Tree and traces data flow from user input (sources) through transformations to dangerous operations (sinks). If the data is sanitized along the way, it's not flagged.
Track tainted variables across function calls, file imports, and module boundaries. When getUserInput() flows through processData() into executeQuery(), VEXLIT follows the entire chain.
55+ sanitizer patterns recognized out of the box. DOMPurify.sanitize(), parseInt(), html.escape(), shlex.quote() - if your code properly sanitizes input, VEXLIT won't flag it.
SQL Injection, XSS, Command Injection, Path Traversal, SSRF, Insecure Crypto, Prototype Pollution, and more. Every rule maps to CWE identifiers and OWASP categories.
Every file is parsed into an Abstract Syntax Tree using Tree-sitter. Not regex - real structural analysis that understands your code's syntax.
Tainted variables (user input, external data) are tracked across assignments, function calls, and module boundaries using interprocedural analysis.
When tainted data reaches a dangerous operation (db.query, exec, innerHTML) without sanitization, a high-confidence vulnerability is reported.
Each finding includes a context-aware fix: parameterized queries for SQLi, DOMPurify for XSS, execFile for command injection. Copy-paste ready.
Tree-sitter + @typescript-eslint for JS/TS, tree-sitter for Python - full AST parsing, not regex-only
Interprocedural taint analysis with source→variable→sink tracking across function boundaries
55+ sanitizer patterns: DOMPurify, parseInt, html.escape, shlex.quote, parameterized queries
34 languages: JS/TS, Python, Java, Go, C#, PHP, Ruby, Rust, Kotlin, Swift, Scala + IaC
Confidence scoring combines rule weight (0.95/0.75/0.50) with taint reachability analysis
SARIF output for GitHub Security tab integration and CI/CD pipeline reporting
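To make the source → variable → sink model, the sanitizer rule and the confidence formula above concrete, here is a small taint tracker written for this page. It is an added illustration, not VEXLIT's code: it walks a hand-built AST (a constructed stand-in for Tree-sitter output) rather than parsing real files, and the reachability factors, the AST node shapes and the four sample programs are assumptions made for the demo. The rule weights 0.95/0.75/0.50 and the source, sanitizer and sink names come from the page.

```javascript
// Added example (not VEXLIT's code): minimal source -> variable -> sink taint tracking
// over a hand-built AST. AST shape, reachability factors and sample programs are
// constructed for this illustration; rule weights and sanitizer/sink names follow the page.

// Member accesses on these objects yield attacker-controlled data.
const SOURCES = new Set(['req.query', 'req.body']);
// Calls to these functions break the taint chain (assumed complete for the demo).
const SANITIZERS = new Set(['parseInt', 'html.escape', 'DOMPurify.sanitize', 'shlex.quote']);
// Sinks: which argument positions are dangerous, plus the rule weight per sink.
const SINKS = {
  'db.query': { cwe: 'CWE-89', weight: 0.95, args: [0] }, // SQL text only; bound params are safe
  'exec':     { cwe: 'CWE-78', weight: 0.95, args: [0] },
  'res.send': { cwe: 'CWE-79', weight: 0.75, args: [0] },
};

// Assumed reachability factor: direct flows score full, longer chains less.
function reachability(hops) {
  return hops <= 1 ? 1.0 : hops <= 3 ? 0.8 : 0.5;
}

// Returns { source, hops } when the expression carries tainted data, else null.
function taintOf(expr, env, fns) {
  switch (expr.type) {
    case 'literal':
      return null;
    case 'member': // e.g. req.query.id
      return SOURCES.has(expr.object) ? { source: `${expr.object}.${expr.prop}`, hops: 0 } : null;
    case 'var':
      return env.get(expr.name) ?? null;
    case 'concat': // taint spreads through string building and array literals
    case 'array':
      for (const part of expr.parts) {
        const t = taintOf(part, env, fns);
        if (t) return { ...t, hops: t.hops + 1 };
      }
      return null;
    case 'call': {
      const argTaints = expr.args.map((a) => taintOf(a, env, fns));
      if (SANITIZERS.has(expr.callee)) return null; // sanitized: the chain ends here
      const fn = fns.get(expr.callee);
      if (fn) { // interprocedural: bind parameters to argument taint, evaluate the return value
        const inner = new Map(fn.params.map((p, i) => [p, argTaints[i] ?? null]));
        const t = taintOf(fn.returns, inner, fns);
        return t ? { ...t, hops: t.hops + 1 } : null;
      }
      const t = argTaints.find(Boolean); // unknown callee: assume taint passes through
      return t ? { ...t, hops: t.hops + 1 } : null;
    }
    default:
      return null;
  }
}

// Walks program.main, tracking per-variable taint and reporting tainted sink arguments.
function analyze(program) {
  const fns = new Map(program.functions.map((f) => [f.name, f]));
  const env = new Map();
  const findings = [];
  for (const stmt of program.main) {
    if (stmt.type === 'assign') {
      env.set(stmt.target, taintOf(stmt.expr, env, fns));
      continue;
    }
    const sink = SINKS[stmt.expr.callee];
    if (!sink) continue;
    for (const i of sink.args) {
      const t = stmt.expr.args[i] && taintOf(stmt.expr.args[i], env, fns);
      if (t) {
        findings.push({ sink: stmt.expr.callee, source: t.source, cwe: sink.cwe,
                        confidence: sink.weight * reachability(t.hops) });
      }
    }
  }
  return findings;
}

// Constructed sample programs (AST form of the demo flow on this page).
const source = { type: 'member', object: 'req.query', prop: 'id' };
const lit = (value) => ({ type: 'literal', value });
const v = (name) => ({ type: 'var', name });
const call = (callee, ...args) => ({ type: 'call', callee, args });
const query = { type: 'concat', parts: [lit('SELECT * FROM users WHERE id='), v('id')] };

// 1. Vulnerable: req.query.id -> string concatenation -> db.query
const vulnerable = { functions: [], main: [
  { type: 'assign', target: 'id', expr: source },
  { type: 'assign', target: 'sql', expr: query },
  { type: 'expr', expr: call('db.query', v('sql')) }] };
// 2. Sanitized: parseInt() breaks the chain, so nothing is reported
const sanitized = { functions: [], main: [
  { type: 'assign', target: 'id', expr: call('parseInt', source) },
  { type: 'assign', target: 'sql', expr: query },
  { type: 'expr', expr: call('db.query', v('sql')) }] };
// 3. Interprocedural: taint crosses a helper-function boundary (one extra hop)
const viaHelper = { functions: [{ name: 'buildQuery', params: ['id'], returns: query }], main: [
  { type: 'assign', target: 'id', expr: source },
  { type: 'assign', target: 'sql', expr: call('buildQuery', v('id')) },
  { type: 'expr', expr: call('db.query', v('sql')) }] };
// 4. Parameterized: SQL text is a literal; tainted id only reaches the bound-params array
const parameterized = { functions: [], main: [
  { type: 'assign', target: 'id', expr: source },
  { type: 'expr', expr: call('db.query', lit('SELECT * FROM users WHERE id = ?'),
                             { type: 'array', parts: [v('id')] }) }] };

for (const [name, p] of Object.entries({ vulnerable, sanitized, viaHelper, parameterized })) {
  console.log(name, JSON.stringify(analyze(p)));
}
```

Two design points worth noticing: the sink table records which argument positions are dangerous, which is what lets a parameterized query pass while the concatenated one is flagged; and the hop count feeds the reachability factor, so the direct flow scores 0.95 while the same flow routed through buildQuery() scores 0.95 × 0.8.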
Start scanning in seconds - no credit card, no setup, just results.