Open Source · MIT Licensed

Semantic taint tracking
across your entire codebase.

Cognium builds data flow graphs and tracks tainted input across functions, files, and frameworks. Full inter-procedural analysis, not regex pattern matching.

100% OWASP Score
0% False Positives
6 Languages
19 CWE Types

Traces data from source to sink.

Traditional SAST matches text patterns — grep "eval(" across your codebase. Cognium builds data flow graphs and tracks tainted input across function calls, collections, and conditionals.

If user input reaches a dangerous function without sanitization, that's a real finding — not a guess. Configure sources, sinks, and sanitizers in YAML. No query language to learn.

AuthController.java (taint trace)

  line 12   String id = req.getParameter("id");      source, taint: FULL
  line 18   String q = "SELECT * WHERE id=" + id;    tracked
  line 25   stmt.execute(q);                          sink

  CWE-89: SQL Injection, Critical, line 25

Five-stage deterministic analysis.

Each scan builds a complete data flow graph from sources to sinks.

1. Source: HTTP params, headers, cookies, file uploads
2. Taint tracking: cross-function, return values, field mutations
3. Propagation: per-key Maps, per-index Lists, constant folding
4. Sanitizer: PreparedStatement, escapeHtml, custom YAML
5. Sink: SQL exec, OS commands, file writes, redirects

Numbers you can reproduce.

Every score below is from the open-source static engine. No LLM. Fully deterministic.

Juliet Test Suite: 156/156 (perfect score across 9 CWE families)
SecuriBench Micro: 97.7% (TPR 97.7%, FPR 6.7%)
CWE-Bench-Java (120 real-world CVEs): Cognium static 42.5%, CodeQL 22.5%

CWE-Bench-Java uses real CVEs from 120 open-source projects and is considerably harder than the synthetic suites above, as the scores show. Methodology follows the IRIS paper (arXiv:2405.17238).

Static analysis: 42.5% (51/120). With LLM enhancement: 78.3% (94/120).

The open-source engine runs deterministically without any LLM. Optionally enable LLM-based discovery to raise detection on CWE-Bench-Java from 42.5% to 78.3%.

Cognium + Claude Opus: 78.3% (94 of 120 real-world CVEs detected, up from 51 with static analysis only)
Static only: 42.5%
CodeQL: 22.5%

Discovery Mode

The LLM reads the source code and locates vulnerable methods from scratch, with no prior static signal required. This mode drives the 78.3% score.

Verification Mode

Confirms whether a static finding is actually exploitable. High-precision output for triage.

Semantic Extraction

Extracts design intent into the Specifica format for automated gap analysis between the spec and the implementation.

$ export LLM_ENRICHMENT_MODEL=claude-opus

Plug in Claude, GPT-4, Gemini, DeepSeek, or any LLM you prefer by changing a single env var. No vendor lock-in. The static engine always runs independently of the model; only the LLM modes send source code to the model you select. Contact us to discuss custom integrations and enterprise deployment.

Claude Opus (78.3%) is a confirmed, reproducible result. Bring your preferred LLM; benchmarks for additional models are in progress.

6 languages. 19 CWE types.

Includes framework definitions for Spring, Express, Flask, Actix, and more. Sources, sinks, and sanitizers are pre-configured in YAML.

Language     Frameworks                                   Status
Java         Spring, JAX-RS, Servlet, Struts, Hibernate   Prod
JavaScript   Express, Fastify, Node.js                    Prod
TypeScript   Express, Fastify, Node.js                    Prod
Python       Flask, Django, FastAPI                       Beta
Rust         Actix-web, Rocket, Axum                      Beta
Bash         POSIX sh, bash scripts                       Beta
Supported CWE types: CWE-89 SQL Injection, CWE-78 Command Injection, CWE-79 XSS, CWE-22 Path Traversal, CWE-918 SSRF, CWE-502 Deserialization, CWE-611 XXE, CWE-94 Code Injection, CWE-90 LDAP Injection, CWE-643 XPath Injection, CWE-943 NoSQL Injection, CWE-601 Open Redirect, CWE-117 Log Injection, CWE-501 Trust Boundary Violation, CWE-113 Response Splitting, CWE-20 Taint Escape (improper input validation), CWE-330 Weak Random, CWE-327 Weak Crypto, CWE-614 Insecure Cookie

npm install. No registration.

terminal
$ npm install -g cognium
added 1 package in 2.1s

$ cognium scan ./src
src/controllers/AuthController.java
  [!!!] sql_injection (Critical) [CWE-89]
      Line 25: tainted data flows from line 12 to line 25
      → Fix: Use PreparedStatement with parameterized queries
Found 1 vulnerability(ies) in 1 file(s)

GitHub Actions

# .github/workflows/security.yml
- run: npm install -g cognium
- run: |
    cognium scan ./src \
      --format sarif -o results.sarif \
      --severity high
- uses: github/codeql-action/upload-sarif@v3
  if: always()   # the scan exits non-zero on findings; still publish the SARIF
  with:
    sarif_file: results.sarif

Pre-commit Hook

#!/bin/sh
# .git/hooks/pre-commit

if ! cognium scan . --severity critical -q; then
  echo "Blocked: critical vulns found"
  exit 1
fi

Open source security tooling.

Cognium is MIT licensed and built in the open. Contribute framework configs, bug reports, integrations, or custom rules to improve detection for the entire community.

Add Framework Support

Request or contribute YAML configs for your framework: Rails, Gin, NestJS, or anything else. Each new framework config extends coverage for everyone.
Build Editor Integrations

Bring Cognium into VS Code, Neovim, JetBrains, Zed, or any editor with LSP or extension support. SARIF output makes this straightforward.
Plug Into Your CI/CD

Build plugins for GitHub Actions, GitLab CI, Jenkins, Bitbucket Pipelines, or your custom verification pipeline. SARIF is the interchange format.
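As an added illustration of consuming that interchange format from CI (not code from the Cognium project; the report below is constructed by hand in SARIF 2.1.0 shape rather than captured from the tool, and the rule ids and messages in it are made up), the following JavaScript flattens a SARIF report, turns each result into a GitHub Actions annotation, and decides whether to fail the job:

```javascript
// Consume a SARIF 2.1.0 report in CI: summarise results, emit GitHub Actions
// workflow-command annotations, and gate the job. Added illustration; the
// sample report is constructed by hand and is not Cognium's actual output.
const LEVEL_RANK = { none: 0, note: 1, warning: 2, error: 3 };  // SARIF result levels

// Constructed sample report (rule ids, messages and paths are invented).
const SAMPLE_SARIF = {
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'cognium', rules: [
      { id: 'sql_injection', properties: { tags: ['CWE-89'] } },
      { id: 'weak_random',   properties: { tags: ['CWE-330'] } },
      { id: 'log_injection', properties: { tags: ['CWE-117'] } },
    ] } },
    results: [
      { ruleId: 'sql_injection', level: 'error',
        message: { text: 'tainted data flows from line 12 to line 25' },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: 'src/controllers/AuthController.java' }, region: { startLine: 25 } } }] },
      { ruleId: 'weak_random', level: 'warning',
        message: { text: 'java.util.Random used for a session token' },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: 'src/auth/Tokens.java' }, region: { startLine: 40 } } }] },
      { ruleId: 'log_injection',  // no level: SARIF defaults a result to "warning"
        message: { text: 'unescaped user input written to a log line' },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: 'src/controllers/AuthController.java' }, region: { startLine: 61 } } }] },
    ],
  }],
};

// Flatten every result across all runs into { rule, cwe, level, file, line, text },
// pulling the CWE tag from the rule metadata when the driver provides it.
function summarize(sarif) {
  const out = [];
  for (const run of sarif.runs ?? []) {
    const rules = new Map((run.tool?.driver?.rules ?? []).map((r) => [r.id, r]));
    for (const r of run.results ?? []) {
      const loc = r.locations?.[0]?.physicalLocation;
      const tags = rules.get(r.ruleId)?.properties?.tags ?? [];
      out.push({
        rule: r.ruleId,
        cwe: tags.find((t) => t.startsWith('CWE-')) ?? null,
        level: r.level ?? 'warning',
        file: loc?.artifactLocation?.uri ?? '<unknown>',
        line: loc?.region?.startLine ?? 0,
        text: r.message?.text ?? '',
      });
    }
  }
  return out;
}

// GitHub Actions workflow command; shows the finding inline on the PR diff.
// Percent signs and newlines must be escaped or they terminate the command.
function annotation(f) {
  const esc = (s) => String(s).replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
  const cmd = f.level === 'error' ? 'error' : f.level === 'note' ? 'notice' : 'warning';
  return `::${cmd} file=${f.file},line=${f.line}::${esc(f.rule)}${f.cwe ? ` [${f.cwe}]` : ''}: ${esc(f.text)}`;
}

// Gate: block when any result is at or above minLevel.
function shouldBlock(sarif, minLevel = 'error') {
  return summarize(sarif).some((f) => LEVEL_RANK[f.level] >= LEVEL_RANK[minLevel]);
}

for (const f of summarize(SAMPLE_SARIF)) console.log(annotation(f));
console.log(shouldBlock(SAMPLE_SARIF) ? 'blocking: findings at error level' : 'ok');
```

The same three functions work against a report read from disk with `JSON.parse(fs.readFileSync('results.sarif', 'utf8'))`; the gate threshold is the only policy knob, and keeping it in the consumer rather than in the scanner flags means the SARIF file stays complete for code-scanning upload while the job still fails on what you care about.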
Write, Review, Report

Write a blog post about your findings. Create a pull request. File a bug. Every contribution helps the engine improve and the community grow.

Help us make AI-generated code trustworthy.

Cognium is MIT licensed and built in the open. Whether you're a security researcher, a framework maintainer, or a developer who cares about code quality — there's a place for you here.
