MIT-licensed semantic SAST for teams adopting AI-generated code.
Open-source semantic SAST engine

Find real vulnerabilities in AI-written code.

Cognium traces tainted data across functions, files, collections, framework calls, and sanitizers. It is deterministic, reproducible, and built for codebases that change fast.

Install Cognium: $ npm install -g cognium
View on GitHub

100% OWASP score
0% false positives
6 languages
19 CWE types
AuthController.java
  line 12: String id = req.getParameter("id");        // source: HTTP parameter
  line 18: String q = "SELECT * WHERE id=" + id;      // taint: full propagation
  line 25: stmt.execute(q);                           // sink: SQL execution
CWE-89 SQL Injection, Critical, line 25
Analysis model

Built around data flow, not pattern matching.

Traditional scanners match dangerous text. Cognium builds a flow graph, follows values through the program, and only reports when tainted input reaches a sensitive sink without a sanitizer.

01 Source detection

HTTP parameters, headers, cookies, file uploads, environment variables, CLI args, and framework-specific request objects.

02 Inter-procedural tracking

Flows are followed across function calls, return values, object fields, map keys, array indexes, conditionals, and common framework abstractions.

03 Sanitizer aware

Prepared statements, HTML escaping, URL validation, framework encoders, and custom YAML definitions reduce noise without hiding risk.
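The three steps above describe a classic taint analysis. The following is an added example, written for this page and not Cognium's own code: a toy inter-procedural, sanitizer-aware taint tracker over a tiny statement IR. The IR shape, the SANITIZES table, the function names (handle, buildQuery) and the sample programs are all constructed here. It goes one step past the text by modelling sanitizers as sink-specific, so HTML escaping in front of an SQL sink is still reported while a prepared-statement binding is not.

```javascript
// Toy inter-procedural, sanitizer-aware taint tracker over a tiny statement IR.
// Added for this page as an illustration; it is not Cognium's engine. The IR
// shape, the SANITIZES table and the sample programs are all constructed here.

// Which sink kinds each sanitizer neutralizes. A sanitizer only clears taint for
// the sinks it is designed for: HTML escaping does nothing for an SQL sink.
const SANITIZES = {
  prepared_statement: ["sql"],
  html_escape: ["html"],
  url_validate: ["http_request"],
};

// A taint value is a Map: source label -> Set of sink kinds it is sanitized for.
const clean = () => new Map();

// Merge taint values (concatenation, collection writes, joins at conditionals).
// A label seen on several paths keeps only the sanitizations common to all of them.
function merge(values) {
  const out = new Map();
  for (const v of values)
    for (const [label, safeFor] of v) {
      const prev = out.get(label);
      out.set(label, prev ? new Set([...prev].filter((k) => safeFor.has(k))) : new Set(safeFor));
    }
  return out;
}

// Analyze one function with the taint of its arguments bound; callees are
// analyzed on demand, so taint flows through calls and return values.
function analyzeFunction(program, fnName, argTaint = {}, callStack = []) {
  const fn = program[fnName];
  if (!fn) throw new Error(`unknown function ${fnName}`);
  if (callStack.includes(fnName)) return { returnTaint: clean(), findings: [] }; // recursion guard
  const stack = [...callStack, fnName];
  const env = new Map(fn.params.map((p) => [p, argTaint[p] || clean()]));
  const taintOf = (v) => env.get(v) || clean();
  const findings = [];
  let returnTaint = clean();

  for (const st of fn.body) {
    switch (st.op) {
      case "source": // e.g. an HTTP parameter: fresh label, sanitized for nothing
        env.set(st.dst, new Map([[`${fnName}:${st.line}:${st.kind}`, new Set()]]));
        break;
      case "assign": // string concatenation, field write, map/array store
        env.set(st.dst, merge(st.src.map(taintOf)));
        break;
      case "sanitize": { // keep the label, record which sinks it is now safe for
        const covered = SANITIZES[st.sanitizer] || [];
        const t = new Map();
        for (const [label, safeFor] of taintOf(st.src)) t.set(label, new Set([...safeFor, ...covered]));
        env.set(st.dst, t);
        break;
      }
      case "call": { // bind argument taint to callee parameters, take back its return taint
        const callee = program[st.fn];
        if (!callee) throw new Error(`unknown function ${st.fn}`);
        const bound = Object.fromEntries(callee.params.map((p, i) => [p, taintOf(st.args[i])]));
        const sub = analyzeFunction(program, st.fn, bound, stack);
        findings.push(...sub.findings);
        if (st.dst) env.set(st.dst, sub.returnTaint);
        break;
      }
      case "sink": // report only labels not sanitized for this sink kind
        for (const [label, safeFor] of taintOf(st.src))
          if (!safeFor.has(st.kind))
            findings.push({ fn: fnName, line: st.line, sink: st.kind, source: label, via: stack.join(" > ") });
        break;
      case "return":
        returnTaint = merge([returnTaint, taintOf(st.src)]);
        break;
      default:
        throw new Error(`unknown op ${st.op}`);
    }
  }
  return { returnTaint, findings };
}

function scan(program, entry) {
  return analyzeFunction(program, entry).findings;
}

// Constructed sample mirroring the finding card above: an HTTP parameter is
// concatenated into a query inside a helper and executed back in the controller.
// `sanitizer` optionally inserts a sanitizer call between source and sink.
function controllerProgram(sanitizer) {
  const body = [{ op: "source", dst: "id", kind: "http_param", line: 12 }];
  if (sanitizer) body.push({ op: "sanitize", dst: "id", src: "id", sanitizer, line: 14 });
  body.push(
    { op: "call", dst: "q", fn: "buildQuery", args: ["id"], line: 18 },
    { op: "sink", src: "q", kind: "sql", line: 25 },
  );
  const buildQuery = { params: ["value"], body: [
    { op: "assign", dst: "q", src: ["value"], line: 40 },
    { op: "return", src: "q", line: 41 },
  ] };
  return { handle: { params: ["req"], body }, buildQuery };
}

const SAMPLES = {
  vulnerable: controllerProgram(null),              // reported
  wrongSanitizer: controllerProgram("html_escape"), // still reported: wrong sink kind
  fixed: controllerProgram("prepared_statement"),   // clean
};
for (const [name, prog] of Object.entries(SAMPLES)) console.log(name, scan(prog, "handle"));
```

The `via` field in each finding records the call chain, which is the minimum a reviewer needs to confirm a cross-function flow by hand. Each finding is tied to a concrete source label rather than a boolean "tainted" flag, so the wrong-sanitizer case stays visible instead of being silently cleared.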

Reproducible proof

Benchmarks you can run yourself.

The open-source engine runs without an LLM. Optional model-assisted discovery can be layered on top for deeper research workflows, while the static engine remains deterministic.

OWASP Benchmark v1.2
100%
Juliet Test Suite
156/156
SecuriBench Micro
97.7%
CWE-Bench-Java
42.5%
CWE-Bench-Java (static engine + optional discovery)
Cognium + Claude Opus    78.3%   94 / 120 CVEs
Cognium static only      42.5%   51 / 120 CVEs
CodeQL                   22.5%   27 / 120 CVEs

LLM discovery mode reads source code from scratch.
Verification mode confirms exploitability.
Static mode remains independent and deterministic.
Coverage

Framework-aware rules across the stack.

Cognium ships with source, sink, and sanitizer definitions for popular server frameworks, plus YAML configuration for teams adding their own architecture patterns.

Java: Spring, Servlet, Struts
JavaScript: Express, Fastify, Node
TypeScript: Express, Fastify, Node
Python: Flask, Django, FastAPI
Rust: Actix, Rocket, Axum
Bash: POSIX sh, bash scripts
CWE classes

The high-risk paths AI agents keep getting wrong.

SQL injection, command injection, XSS, path traversal, SSRF, deserialization, XXE, LDAP injection, NoSQL injection, response splitting, weak randomness, weak crypto, and more.

CWE-89 SQLi
CWE-78 Command
CWE-79 XSS
CWE-22 Paths
CWE-918 SSRF
CWE-502 Deserialize
Get started

Install once. Scan anywhere.

Use Cognium locally, in pre-commit hooks, or inside CI. SARIF output plugs into GitHub code scanning and existing review workflows.

terminal: cognium scan
$ npm install -g cognium
$ cognium scan ./src --format sarif -o results.sarif

src/controllers/AuthController.java
  [critical] sql_injection CWE-89
  tainted data flows from line 12 to line 45
  fix: use PreparedStatement with parameters

Found 1 vulnerability in 1 file.
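SARIF is what lets the scan above feed GitHub code scanning, but a CI pipeline usually also wants to decide pass or fail from the same file. The following is an added example, not Cognium's code: a small gate that flattens a SARIF 2.1.0 document into findings and fails when any result meets a severity threshold. The embedded SARIF document is constructed to show the standard SARIF shape (runs, results, level, locations) and is not Cognium's actual output; the tool name "example-sast" and the file paths are placeholders.

```javascript
// Minimal SARIF 2.1.0 gate for CI. Added example written for this page, not
// part of Cognium. The SARIF document below is constructed for illustration.

// Constructed sample with one error-level and one warning-level result.
const SAMPLE_SARIF = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "example-sast" } }, // placeholder tool name
    results: [
      {
        ruleId: "sql_injection", level: "error",
        message: { text: "tainted data reaches SQL execution" },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: "src/controllers/AuthController.java" },
          region: { startLine: 45 } } }],
      },
      {
        ruleId: "weak_randomness", level: "warning",
        message: { text: "non-cryptographic RNG used for a token" },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: "src/util/Tokens.java" },
          region: { startLine: 9 } } }],
      },
    ],
  }],
};

// Flatten results across all runs into { rule, level, file, line, text } records.
function sarifResults(sarif) {
  const out = [];
  for (const run of sarif.runs || [])
    for (const r of run.results || []) {
      const loc = r.locations?.[0]?.physicalLocation;
      out.push({
        rule: r.ruleId,
        level: r.level || "warning", // SARIF 2.1.0 default when level is omitted
        file: loc?.artifactLocation?.uri ?? "<unknown>",
        line: loc?.region?.startLine ?? 0,
        text: r.message?.text ?? "",
      });
    }
  return out;
}

// Severity order used for the gate; unknown levels are treated as warnings.
const RANK = { note: 0, warning: 1, error: 2 };

// True when any result is at or above `threshold` ("note", "warning" or "error").
function shouldFail(sarif, threshold = "error") {
  return sarifResults(sarif).some((r) => (RANK[r.level] ?? 1) >= RANK[threshold]);
}

// Human-readable lines for the CI log, one per result.
function report(sarif) {
  return sarifResults(sarif).map((r) => `[${r.level}] ${r.rule} ${r.file}:${r.line} ${r.text}`);
}

for (const line of report(SAMPLE_SARIF)) console.log(line);
console.log(shouldFail(SAMPLE_SARIF) ? "gate: FAIL" : "gate: pass");
```

In a real pipeline the document would be read from the `-o results.sarif` file produced by the scan, and the process would exit non-zero when `shouldFail` returns true; keeping the threshold explicit lets a team start by failing only on error-level results and tighten it later.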
Developer community

One place for docs, discussions, and contribution paths.

Use Dev Central to find the right implementation guide, then bring design questions, framework requests, and benchmark notes into the community forums.


Dev Central

Start from install paths, CI examples, framework configuration, benchmark reproduction, and contribution checklists.


Forums

Route support questions, rule ideas, integrations, and research discussions to the right open community channel.


Help make AI-generated code trustworthy.

Contribute framework definitions, benchmark cases, editor integrations, CI examples, and research notes. The engine is MIT licensed and built in the open.