MIT licensed Semantic SAST for teams adopting AI-generated code.
Community

Ask, reproduce, and contribute in the open.

One hub for cognium.dev: discussion routes, install and CI paths, benchmark reproduction, and every link you need to contribute back.

Project

Everything you need to trust the tool.

License, releases, packages, and contribution channels — one strip, so you can vet the project in seconds.

License MIT Releases 30 published npm cognium-dev Stars GitHub ↗ Contributing coming soon Security policy coming soon
Discussion routes

Use the channel that matches the work.

Keeping questions routed correctly makes the project easier to search and gives maintainers enough context to respond usefully.

Q

Questions and support

Use discussions for installation help, scan interpretation, SARIF setup, and configuration questions.

R

Rule and framework requests

Describe the framework, source objects, sinks, sanitizers, and small fixtures that should be covered.

B

Benchmark notes

Share reproduction results, false positive examples, false negatives, and methodology questions.

Reproduce & extend

Pick the workflow you are trying to prove.

Each path maps to a concrete developer outcome: a local scan, a CI signal, a reproduced benchmark, or a contribution that expands coverage.

01

Run it locally

Install the CLI, scan a small service, and confirm findings before wiring anything into shared automation.

  • npm install -g cognium-dev
  • cognium-dev scan ./src
  • Review source-to-sink traces
02

Gate pull requests

Emit SARIF in CI, publish findings into code scanning, and start with high-severity policies before broad rollout.

  • GitHub Actions examples
  • SARIF output
  • Severity thresholds
03

Extend coverage

Add framework sources, sinks, and sanitizers in YAML so Cognium understands your stack and reduces review noise.

  • Framework definitions
  • Custom sanitizers
  • Regression cases
Verification

Reproduce the claims before adopting the tool.

Cognium should be evaluated the way developers evaluate infrastructure: install it, inspect it, run it against known cases, and compare the evidence.

developer checklistreproducible
1. Install the CLI from npm
2. Scan a known vulnerable fixture
3. Review the taint trace and SARIF output
4. Compare against OWASP, Juliet, and SecuriBench
5. Open issues or discussions for gaps
Before posting: include the Cognium version, language or framework, the command you ran, expected behavior, actual behavior, and a small code sample when possible.
For security reports: avoid posting private exploit details in a public thread. Open a minimal issue or contact the maintainers through the project repository first.

Need a path that is not documented yet?

Bring it to Discussions so maintainers and contributors can route it to docs, an issue, or a framework rule proposal.