Language & Ecosystem Support
Gadriel Code's language support is not uniform. A language can have any of three independent capabilities, and honest depth means being clear about which ones a given language actually has:
- SAST front-end — a tree-sitter-backed extractor that parses source into
an AST and runs structural rules (
ast_call,ast_assign,ast_string,ast_import,ast_missing). - Taint / dataflow engine — source→sink taint propagation, including parameter-bound and (for most engines) cross-file workspace tracking.
- SCA — dependency analysis driven by the language's lockfiles/manifests (independent of SAST; a language can have SCA without a deep SAST rule set).
Front-ends and engines existing in the codebase is not the same as deep rule coverage. The GVL rule catalogue (shipped separately) is what turns an engine into findings, and it is deep only for the primary languages.
SAST capability matrix
| Language | SAST front-end | Taint / dataflow | Notes on depth |
|---|---|---|---|
| Python | ✅ | ✅ (workspace) | Primary language. Deepest rule catalogue; parameter-bound taint. |
| JavaScript | ✅ | ✅ (workspace) | Primary. Shares the front-end with TypeScript. |
| TypeScript | ✅ | ✅ (workspace) | Primary. Uses the JavaScript extractor/taint engine. |
| Go | ✅ | ✅ (workspace) | Primary. Dedicated Go taint analyzer with entry-point policy. |
| Java | ✅ | ✅ (workspace) | Dedicated Java taint analyzer. |
| C | ✅ | ✅ (precision engine) | Compile-DB scoped + guard-aware dataflow (see below). |
| C++ | ✅ | ✅ (precision engine) | Same precision engine as C. |
| PHP | ✅ | ✅ (workspace) | Dedicated PHP taint analyzer. |
| Ruby | ✅ | ⚠️ front-end only | AST extraction present; no dedicated taint engine. |
| Rust | ✅ | ✅ engine present | Minimal SAST rule coverage — see below. |
| Kotlin | ⚠️ early-stage | ❌ | Early-stage extractor; structural matching only. |
| Swift | ⚠️ early-stage | ❌ | Early-stage extractor; structural matching only. |
| Markdown | ✅ | ❌ | Text/structural extraction (e.g. embedded prompts/snippets); no taint. |
Legend: ✅ shipped · ⚠️ present but limited · ❌ not available.
The C/C++ precision engine
C and C++ get more than a generic taint pass. A compile_commands.json
compile-database loader scopes analysis to real translation units (excluding
files that are not part of the actual build), and a guard-aware dataflow
analysis models conditional guards to reduce false positives. This is the most
precise dataflow front-end in the scanner.
Honest notes
- Rust. The Rust SAST front-end (
rust.rs) and a substantial Rust taint engine (taint_rs, including workspace-level tracking) both exist and are wired into the scanner — Rust is not unsupported at the engine level. However, the shipped GVL rule catalogue for Rust is minimal (only a handful of rules today), so in practice Rust produces far fewer SAST findings than the primary languages. Config and GitHub Actions scanning still apply to Rust projects normally, and Rust dependencies are fully covered by SCA (see Cargo below). - Ruby. Has an AST front-end for structural rules but no dedicated taint engine, so dataflow-based rules do not fire on Ruby.
- Kotlin & Swift. Early-stage extractors that mirror the JavaScript extractor shape (call / string / assign). Treat their SAST coverage as preliminary.
- Markdown. Included as a front-end so that embedded content (e.g. system prompts or code snippets in docs) can be inspected structurally; it has no dataflow.
SCA ecosystem matrix
SCA is independent of SAST depth. A project written in a language with thin SAST rules still gets full dependency analysis if its ecosystem has a manifest parser. Vulnerabilities are matched against OSV; licenses and dependency health are evaluated per the policy bundle.
| Ecosystem | Manifests / lockfiles parsed |
|---|---|
| Python | requirements.txt, requirements lockfiles, Pipfile.lock, poetry.lock, pyproject.toml, uv.lock |
| JavaScript / Node | package-lock.json, yarn.lock, pnpm-lock.yaml |
| Rust | Cargo.lock |
| Go | go.mod / go.sum |
| Java | pom.xml (Maven), Gradle lockfiles |
| PHP | composer.lock |
| Ruby | Gemfile.lock |
| .NET | NuGet packages.lock.json |
| C / C++ | Conan lockfiles |
See scan-coverage.md for what SCA does with these (reachability confirmation, license, health) and its scope limits.
Choosing what to expect per language
- Python / JavaScript / TypeScript / Go / Java / C / C++ / PHP — full SAST with taint plus SCA. These are the languages where Gadriel Code delivers its deepest analysis.
- Rust — full SCA and Config/CI-CD coverage; SAST engine present but thin rule coverage today.
- Ruby — structural SAST plus SCA; no dataflow.
- Kotlin / Swift — preliminary SAST; SCA depends on the underlying build ecosystem (Gradle for Kotlin/JVM).
- Markdown — structural inspection only.
Related documentation
- scan-coverage.md — the six scan types and eight pillars.
- execution-layers.md — when each scan runs.
