GCA · LANGUAGE GUIDES

    Language & Ecosystem Support

    Which languages get deep support, dependency-only support, or heuristics.

    Language & Ecosystem Support

    Gadriel Code's language support is not uniform. A language can have any of three independent capabilities, and honest depth means being clear about which ones a given language actually has:

    • SAST front-end — a tree-sitter-backed extractor that parses source into an AST and runs structural rules (ast_call, ast_assign, ast_string, ast_import, ast_missing).
    • Taint / dataflow engine — source→sink taint propagation, including parameter-bound and (for most engines) cross-file workspace tracking.
    • SCA — dependency analysis driven by the language's lockfiles/manifests (independent of SAST; a language can have SCA without a deep SAST rule set).

    Front-ends and engines existing in the codebase is not the same as deep rule coverage. The GVL rule catalogue (shipped separately) is what turns an engine into findings, and it is deep only for the primary languages.


    SAST capability matrix

    LanguageSAST front-endTaint / dataflowNotes on depth
    Python✅ (workspace)Primary language. Deepest rule catalogue; parameter-bound taint.
    JavaScript✅ (workspace)Primary. Shares the front-end with TypeScript.
    TypeScript✅ (workspace)Primary. Uses the JavaScript extractor/taint engine.
    Go✅ (workspace)Primary. Dedicated Go taint analyzer with entry-point policy.
    Java✅ (workspace)Dedicated Java taint analyzer.
    C✅ (precision engine)Compile-DB scoped + guard-aware dataflow (see below).
    C++✅ (precision engine)Same precision engine as C.
    PHP✅ (workspace)Dedicated PHP taint analyzer.
    Ruby⚠️ front-end onlyAST extraction present; no dedicated taint engine.
    Rust✅ engine presentMinimal SAST rule coverage — see below.
    Kotlin⚠️ early-stageEarly-stage extractor; structural matching only.
    Swift⚠️ early-stageEarly-stage extractor; structural matching only.
    MarkdownText/structural extraction (e.g. embedded prompts/snippets); no taint.

    Legend: ✅ shipped · ⚠️ present but limited · ❌ not available.

    The C/C++ precision engine

    C and C++ get more than a generic taint pass. A compile_commands.json compile-database loader scopes analysis to real translation units (excluding files that are not part of the actual build), and a guard-aware dataflow analysis models conditional guards to reduce false positives. This is the most precise dataflow front-end in the scanner.

    Honest notes

    • Rust. The Rust SAST front-end (rust.rs) and a substantial Rust taint engine (taint_rs, including workspace-level tracking) both exist and are wired into the scanner — Rust is not unsupported at the engine level. However, the shipped GVL rule catalogue for Rust is minimal (only a handful of rules today), so in practice Rust produces far fewer SAST findings than the primary languages. Config and GitHub Actions scanning still apply to Rust projects normally, and Rust dependencies are fully covered by SCA (see Cargo below).
    • Ruby. Has an AST front-end for structural rules but no dedicated taint engine, so dataflow-based rules do not fire on Ruby.
    • Kotlin & Swift. Early-stage extractors that mirror the JavaScript extractor shape (call / string / assign). Treat their SAST coverage as preliminary.
    • Markdown. Included as a front-end so that embedded content (e.g. system prompts or code snippets in docs) can be inspected structurally; it has no dataflow.

    SCA ecosystem matrix

    SCA is independent of SAST depth. A project written in a language with thin SAST rules still gets full dependency analysis if its ecosystem has a manifest parser. Vulnerabilities are matched against OSV; licenses and dependency health are evaluated per the policy bundle.

    EcosystemManifests / lockfiles parsed
    Pythonrequirements.txt, requirements lockfiles, Pipfile.lock, poetry.lock, pyproject.toml, uv.lock
    JavaScript / Nodepackage-lock.json, yarn.lock, pnpm-lock.yaml
    RustCargo.lock
    Gogo.mod / go.sum
    Javapom.xml (Maven), Gradle lockfiles
    PHPcomposer.lock
    RubyGemfile.lock
    .NETNuGet packages.lock.json
    C / C++Conan lockfiles

    See scan-coverage.md for what SCA does with these (reachability confirmation, license, health) and its scope limits.


    Choosing what to expect per language

    • Python / JavaScript / TypeScript / Go / Java / C / C++ / PHP — full SAST with taint plus SCA. These are the languages where Gadriel Code delivers its deepest analysis.
    • Rust — full SCA and Config/CI-CD coverage; SAST engine present but thin rule coverage today.
    • Ruby — structural SAST plus SCA; no dataflow.
    • Kotlin / Swift — preliminary SAST; SCA depends on the underlying build ecosystem (Gradle for Kotlin/JVM).
    • Markdown — structural inspection only.