OPEN SOURCE · MIT

SAST without the query language.
Configure it. Don't program it.

Your agents write code. This engine scans it — taint tracking across 5 languages, defined in YAML.
The open-source core behind the Cognium Trust Engine. Zero native deps.

Zero native deps: Node · Browser · Workers
YAML config-driven: Add a framework in minutes
14 CWE families: 5 languages · growing
>90% OWASP Benchmark: Full results below ↓

What is Semantic SAST?

Traditional SAST tools match patterns — regex against known bad strings. Semantic SAST understands data flow. It tracks how user input moves through your code, across function calls, through collections, past sanitizers, all the way to dangerous sinks. If tainted data reaches a sink unsanitized, it's a real finding — not a guess.

Pattern SAST
grep "eval(" *.js
Matches text. High false positive rate.

Semantic SAST
source → propagation → sink
Tracks data flow. Proves exploitability.
HOW IT WORKS

Five-stage taint analysis.
Configuration-driven, not query-driven.

Define patterns in YAML — not a query language. Add a framework with a config edit, not a compiler pass.

Source → Taint track → Propagation → Sanitizer → Sink (stages 1 to 5)

Stage 1: Source Detection
HTTP params, headers, cookies, file uploads. Framework-aware across Spring, Flask, Express, Actix, Rocket.

Stage 2: Interprocedural Taint Tracking
Flows across method boundaries via call graph. Parameters, return values, and field mutations tracked.

Stage 3: Constant Propagation
Detects safe overwrites and unreachable tainted paths. Reduces false positives.

Stage 4: Collection Tracking
Per-key Maps, per-index Lists. Handles index shifting — taint doesn't bleed.

Stage 5: Sanitizer Recognition
PreparedStatement, ESAPI.encoder, escapeHtml, custom YAML config patterns. Extensible pattern library.
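To make the source → propagation → sanitizer → sink flow from the Semantic SAST section and the five stages above concrete, here is an added example in JavaScript. It is not Cognium's code and does not use Cognium's YAML schema: the rule object, the toy statement IR, the `render` callee and the sample program are all constructed for illustration. It shows interprocedural calls (stage 2), constant overwrites (stage 3), per-key map slots (stage 4) and CWE-scoped sanitizers (stage 5) in one small analysis.

```javascript
// Added example, not Cognium's code: a miniature config-driven taint analysis over a
// toy statement IR. Rule names, the IR shape and the sample program are all constructed.

// Rules in the spirit of the page's YAML config: which accessors introduce taint,
// which calls neutralise which CWE, and which calls are sinks for which CWE.
const rules = {
  sources: ['req.query', 'req.headers'],
  sanitizers: { escapeHtml: ['CWE-79'], escapeSql: ['CWE-89'] },
  sinks: { 'db.query': 'CWE-89', 'res.send': 'CWE-79' },
};

// Taint is the set of sink CWEs a value can still reach: a fresh source threatens every
// sink, a sanitizer removes the CWEs it neutralises, and a literal threatens none.
const allSinkCwes = () => new Set(Object.values(rules.sinks));
const union = (a, b) => new Set([...a, ...b]);
const mapSlot = (map, key) => `${map}[${key}]`;   // env key for a per-key map entry

// Taint of an expression under `env` (Map: variable or map slot -> Set of CWEs).
function taintOf(expr, env, ctx) {
  if ('lit' in expr) return new Set();                                  // constants are clean
  if ('var' in expr) return env.get(expr.var) ?? new Set();
  if ('src' in expr) return rules.sources.includes(expr.src) ? allSinkCwes() : new Set();
  if ('concat' in expr) return expr.concat.map(e => taintOf(e, env, ctx)).reduce(union, new Set());
  if ('mapGet' in expr) {                                               // stage 4: per-key tracking
    if ('lit' in expr.key) return env.get(mapSlot(expr.map, expr.key.lit)) ?? new Set();
    let t = new Set();                                                  // unknown key: any entry may come back
    for (const [slot, taint] of env) if (slot.startsWith(expr.map + '[')) t = union(t, taint);
    return t;
  }
  if ('call' in expr) {
    const args = expr.args.map(e => taintOf(e, env, ctx));
    const merged = args.reduce(union, new Set());
    if (expr.call in rules.sanitizers) {                                // stage 5: strip what it neutralises
      for (const cwe of rules.sanitizers[expr.call]) merged.delete(cwe);
      return merged;
    }
    if (expr.call in ctx.fns) {                                         // stage 2: follow the callee
      const fn = ctx.fns[expr.call];
      const calleeEnv = new Map(fn.params.map((p, i) => [p, args[i] ?? new Set()]));
      run(fn.body, calleeEnv, ctx);
      return taintOf(fn.ret, calleeEnv, ctx);
    }
    return merged;                                                      // unknown call: assume it propagates
  }
  throw new Error('unknown expression: ' + JSON.stringify(expr));
}

// Walk statements in order; an assignment replaces the old taint, so a constant overwrite
// kills it (stage 3). A sink is reported only if its CWE is still in the value's taint set.
function run(stmts, env, ctx) {
  for (const s of stmts) {
    if ('assign' in s) env.set(s.assign, taintOf(s.expr, env, ctx));
    else if ('mapPut' in s) env.set(mapSlot(s.map, s.key.lit), taintOf(s.expr, env, ctx));
    else if ('sink' in s) {
      const cwe = rules.sinks[s.sink];
      if (taintOf(s.expr, env, ctx).has(cwe)) ctx.findings.push({ line: s.line, sink: s.sink, cwe });
    }
  }
  return ctx.findings;
}

function analyze(program, fns = {}) {
  return run(program, new Map(), { fns, findings: [] });
}

// Constructed callee: render(body) wraps its argument in tags and returns it unescaped.
const fns = {
  render: {
    params: ['body'],
    body: [{ assign: 'out', expr: { concat: [{ lit: '<p>' }, { var: 'body' }, { lit: '</p>' }] } }],
    ret: { var: 'out' },
  },
};

// Constructed sample program (each entry is one statement of the toy IR).
const program = [
  { line: 1, assign: 'id', expr: { src: 'req.query' } },                                 // source
  { line: 2, mapPut: 'm', key: { lit: 'id' }, expr: { var: 'id' } },                     // tainted slot
  { line: 3, mapPut: 'm', key: { lit: 'name' }, expr: { lit: 'anon' } },                 // clean slot
  { line: 4, sink: 'db.query', expr: { concat: [{ lit: 'SELECT ... ' }, { mapGet: 'm', key: { lit: 'id' } }] } },
  { line: 5, sink: 'res.send', expr: { call: 'escapeHtml', args: [{ mapGet: 'm', key: { lit: 'id' } }] } },
  { line: 6, sink: 'db.query', expr: { call: 'escapeHtml', args: [{ var: 'id' }] } },    // wrong sanitizer
  { line: 7, sink: 'res.send', expr: { call: 'render', args: [{ mapGet: 'm', key: { lit: 'name' } }] } },
  { line: 8, sink: 'res.send', expr: { call: 'render', args: [{ var: 'id' }] } },        // via callee
  { line: 9, assign: 'id', expr: { lit: '42' } },                                        // constant overwrite
  { line: 10, sink: 'db.query', expr: { concat: [{ lit: 'SELECT ... ' }, { var: 'id' }] } },
];

console.log(analyze(program, fns));  // findings at lines 4 and 6 (CWE-89) and 8 (CWE-79)
```

The design point worth noticing is that taint is carried as the set of sink classes a value can still reach rather than as a single boolean: escapeHtml clears the XSS sink but leaves the SQL sink reachable (line 6 is still reported), the clean `m["name"]` slot is not contaminated by the tainted `m["id"]` slot (line 7 is silent), and the constant overwrite at line 9 clears everything, so line 10 is silent too.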
BENCHMARKS

Real benchmarks. Reproducible methodology.

Benchmark | Score | Detail
OWASP Benchmark v1.2 (Java) | >90% ★ | 0 FN, 0 FP
Juliet Test Suite (Java) | >90% | 9 CWE families
SecuriBench Micro (Java) | 97.7% TPR / 6.7% FPR | High precision
CWE-Bench-Java (120 real CVEs) | 42.5% | 51/120 — beats CodeQL 22.5%
OWASP NodeGoat (Node.js) | >90% | Real-world vulnerabilities, 0 FP
Node.js Synthetic | >90% TPR / 94.1% Precision | 6 CWE families
OWASP Benchmark Python | 56.7% | Flask/Django frameworks
CWE-Bench-Rust | 77.8% TPR / 0% FPR | 0 false positives
Bash Synthetic | 68.2% TPR / 0% FPR | 5 CWE types
CWE-Bench-Java (120 real-world CVEs), detection rate by tool:
Cognium (static): 42.5%
IRIS + GPT-4: 45.8%
CodeQL: 22.5%

Internal testing. Methodology available on request. CWE-Bench-Java follows IRIS paper methodology. CodeQL 22.5% from published benchmarks.

COGNIUM + LLM

What happens when you add an LLM? Enable discovery mode to see AI-augmented results →

Rank | Model | Detected | Score
🥇 | Claude Opus | 94 / 120 | 78.3%
🥈 | Grok Code | 90 / 120 | 75.0%
🥉 | DeepSeek V3 | 86 / 120 | 71.7%
4 | Claude Haiku | 80 / 120 | 66.7%
5 | GPT-4o | 78 / 120 | 65.0%
— | Static only (no LLM) | 51 / 120 | 42.5%
— | CodeQL (reference) | 27 / 120 | 22.5%

Note: Claude Opus (78.3%) is the confirmed result. Other model scores reflect preliminary runs — re-verification in progress.

DISCOVERY MODE

LLM reads source code and locates vulnerable methods from scratch — no prior static signal required. Drives the 78.3% score.

VERIFICATION MODE

Confirms whether a static finding is exploitable. High-precision output.

SEMANTIC EXTRACTION

Extracts design intent to Specifica format — automated gap analysis between spec and implementation.

$ export LLM_ENRICHMENT_MODEL=claude-opus

Swap the model via env var. No vendor lock-in. The static engine runs without any LLM.

COVERAGE

5 languages. 14 CWE families. Growing.

Language | Frameworks | Status
Java | Spring MVC, Spring Boot, JAX-RS, Servlet API, Struts, Hibernate, Apache Camel, MINA SSHD, WildFly, Vert.x | Production
JavaScript / TypeScript | Express, Fastify, Node.js core, browser DOM | Production
Python | Flask, Django, FastAPI, Starlette | Beta
Rust | Actix-web, Rocket, Axum, Tokio | Beta
Bash / Shell | POSIX sh, bash scripts | Beta

CWE COVERAGE

CWE-22 Path Traversal
CWE-78 Command Injection
CWE-79 Cross-Site Scripting (XSS)
CWE-89 SQL Injection
CWE-90 LDAP Injection
CWE-94 Code Injection
CWE-113 HTTP Response Splitting
CWE-501 Trust Boundary Violation
CWE-502 Insecure Deserialization
CWE-601 Open Redirect
CWE-611 XML External Entity (XXE)
CWE-643 XPath Injection
CWE-918 Server-Side Request Forgery
CWE-943 Improper Neutralisation
GET STARTED

Install in seconds. No account required.

terminal
$ npm install cognium
added 1 package in 2.1s
$ cognium scan ./src
Scanning 42 files across 3 languages...
├─ Sources detected: 8
├─ Taint paths traced: 23
├─ Sanitizers verified: 5
⚠ 2 findings (CWE-89, CWE-79)
✓ Report: ./cognium-report.json

CI/CD

# .github/workflows/cognium.yml
- uses: cogniumhq/scan@v1
  with:
    path: ./src
Integration guide →

CONTRIBUTE

$ git clone https://github.com/cogniumhq/cognium
$ npm test
Contributing guide →
OPEN SOURCE

Open source. Read every line.

No telemetry. No phone-home. No usage limits. Fork it, extend it, deploy it.

github.com/cogniumhq/cognium
Open source static analysis engine
View on GitHub →
# Add a new source pattern in YAML
sources:
  - framework: my-framework
    type: http-param
    methods:
      - class: MyController
        method: getInput
        param: 0
        taint: FULL
Add a framework in minutes — just a YAML edit.