Enterprise-grade dataflow analysis with code-native rules — no paywall, no pattern-matching compromises.
- AI agent-ready. Agents operate the rules, the CLI, the output. Scan code, triage findings, fix vulnerabilities, refine rules.
- Cutting-edge dataflow analysis. Inter-procedural taint tracking across endpoints, persistence layers, aliases, and async code.
- Enterprise-grade, finds real trophies. Powerful, precise, and performant at scale. Catches exploitable vulnerabilities.
- Rules that read like code. Write and refine taint rules the same way you write application code — or let your AI agent do it.
- Open source, batteries included. Engine, CLI, GitHub Action, GitLab CI, rules. Apache 2.0 and MIT licensed.
Install via Homebrew (Linux/macOS):

```sh
brew install --cask seqra/tap/opentaint
```

Install script (Windows PowerShell):

```powershell
irm https://raw.githubusercontent.com/seqra/opentaint/main/scripts/install/install.ps1 | iex
```

Install script (Linux/macOS):

```sh
curl -fsSL https://raw.githubusercontent.com/seqra/opentaint/main/scripts/install/install.sh | bash
```
Scan your project:

```sh
opentaint scan --output results.sarif /path/to/your/spring/project
```

Or use Docker:

```sh
docker run --rm -v $(pwd):/project -v $(pwd):/output \
  ghcr.io/seqra/opentaint:latest \
  opentaint scan --output /output/results.sarif /project
```

For more options, see Installation and Usage.
AI-generated code is scaling codebases fast. Pattern matchers produce too many false positives. Enterprise taint analyzers that work are paywalled. AI agents in a security role give no formal guarantees.
OpenTaint does real inter-procedural taint analysis. IFDS-with-abduction engine. Tracks untrusted data from HTTP inputs to dangerous APIs — across endpoints, persistence layers, object fields, aliased references, async code. Models Spring data flow, the full Boot ecosystem. Java and Kotlin at bytecode level. More languages ahead.
Enterprise-grade. Powerful, precise, performant at scale. Handles large monorepo codebases. Tracks complex multi-hop attack paths — cross-endpoint flows, data through persistence layers, stored injections.
Rules look like code. Humans and AI agents read, write, and tune them — no proprietary DSL. The engine translates rules into full taint configurations: sources, sinks, sanitizers, propagators, taint marks.
Fully open source. CLI, GitHub Action, GitLab CI, rules — all included. Apache 2.0 and MIT licensed.
OpenTaint tracks data from controller parameters through your web application to dangerous sinks.
SQL Injection via JdbcTemplate

```java
@GetMapping("/users/search")
public List<User> searchUsers(@RequestParam String name) {
    String sql = "SELECT * FROM users WHERE name = '" + name + "'";
    return jdbcTemplate.query(sql, userRowMapper);
}
```

OpenTaint reports: sql-injection-in-spring-app at GET /users/search — untrusted input flows to SQL query.
XSS in Controller Response

```java
@GetMapping("/greet")
@ResponseBody
public String greet(@RequestParam String name) {
    return "<h1>Hello, " + name + "!</h1>";
}
```

OpenTaint reports: xss-in-spring-app at GET /greet — user input returned without HTML escaping.
SSRF via RestTemplate

```java
@GetMapping("/fetch")
public String fetchUrl(@RequestParam String url) {
    return restTemplate.getForObject(url, String.class);
}
```

OpenTaint reports: ssrf-in-spring-app at GET /fetch — user-controlled URL passed to HTTP client.
Each finding includes the HTTP endpoint, making it easy to understand your application's attack surface.
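Hardened versions of the three snippets above, added here as an illustration and not taken from the OpenTaint project; `User`, its `RowMapper`, and the `ALLOWED_HOSTS` allowlist are assumptions:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.util.HtmlUtils;

@RestController
public class HardenedController {
    // Hypothetical allowlist: the only host this service may fetch on a user's behalf.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.internal");
    private final JdbcTemplate jdbcTemplate;
    private final RestTemplate restTemplate;
    private final RowMapper<User> userRowMapper; // User and its mapper are assumed to exist
    public HardenedController(JdbcTemplate jdbc, RestTemplate rest, RowMapper<User> mapper) {
        this.jdbcTemplate = jdbc;
        this.restTemplate = rest;
        this.userRowMapper = mapper;
    }
    // SQL injection: bind `name` as a query parameter instead of concatenating it into the SQL.
    @GetMapping("/users/search")
    public List<User> searchUsers(@RequestParam String name) {
        return jdbcTemplate.query("SELECT * FROM users WHERE name = ?", userRowMapper, name);
    }
    // XSS: HTML-escape the value before it is embedded in the response body.
    @GetMapping("/greet")
    public String greet(@RequestParam String name) {
        return "<h1>Hello, " + HtmlUtils.htmlEscape(name) + "!</h1>";
    }
    // SSRF: parse the URL and accept only https to an allowlisted host; reject everything else.
    @GetMapping("/fetch")
    public String fetchUrl(@RequestParam String url) {
        URI target;
        try {
            target = new URI(url);
        } catch (URISyntaxException e) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "malformed url");
        }
        if (!"https".equals(target.getScheme()) || target.getHost() == null
                || !ALLOWED_HOSTS.contains(target.getHost().toLowerCase())) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "destination not allowed");
        }
        return restTemplate.getForObject(target, String.class);
    }
}
```

The host check alone does not cover a redirect issued by the allowlisted host, so the `RestTemplate` used here should also be configured not to follow redirects.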
| Method | Command |
|---|---|
| Homebrew (Linux/macOS) | brew install --cask seqra/tap/opentaint |
| Install script (Linux/macOS) | curl -fsSL https://raw.githubusercontent.com/seqra/opentaint/main/scripts/install/install.sh \| bash |
| Install script (Windows PowerShell) | irm https://raw.githubusercontent.com/seqra/opentaint/main/scripts/install/install.ps1 \| iex |
| Install script (Windows CMD) | curl -fsSL https://raw.githubusercontent.com/seqra/opentaint/main/scripts/install/install.cmd -o install.cmd && install.cmd && del install.cmd |
| Docker | See Quick Start or Docker docs |
| Binary | Download from releases |
Release archives come in three variants: opentaint-full (binary + JARs + rules + JRE), opentaint (binary + JARs + rules), and opentaint-cli (binary only). Homebrew and install scripts default to full.
For detailed instructions, see Installation Guide.
```sh
opentaint scan --output results.sarif /path/to/project   # Scan project
opentaint summary --show-findings results.sarif           # View results
opentaint summary --show-findings --verbose-flow --show-code-snippets results.sarif   # Full detail
```

| Command | Description |
|---|---|
| opentaint scan | Analyze projects (auto-detects Maven/Gradle) |
| opentaint compile | Build project model separately |
| opentaint project | Create model from precompiled JARs |
| opentaint summary | View SARIF results |
| opentaint pull | Download dependencies |
| opentaint update | Update to latest version |
| opentaint prune | Remove stale downloaded artifacts |
Options: --max-memory 16G, --timeout 5m, --severity error, --config config.yaml
For detailed usage, see Usage Guide.
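For triaging a results.sarif outside the CLI, an added example (not part of OpenTaint) that reads standard SARIF 2.1.0 output, filters by result level the way a severity threshold would, and tallies findings per rule; the embedded SARIF sample is constructed, and the field layout assumes plain SARIF rather than any OpenTaint-specific extension:

```python
import json
from collections import Counter

# SARIF 2.1.0 result levels, lowest to highest; used to emulate a severity threshold.
LEVELS = {"note": 0, "warning": 1, "error": 2}


def _result(rule, level, text, uri, line):
    """One SARIF result object in standard 2.1.0 shape, for the constructed sample below."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}


# Constructed sample, not OpenTaint's real output; rule ids match the README's examples.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    _result("sql-injection-in-spring-app", "error",
            "GET /users/search: untrusted input flows to SQL query", "demo/UserController.java", 29),
    _result("xss-in-spring-app", "warning",
            "GET /greet: user input returned without HTML escaping", "demo/GreetController.java", 36),
    _result("ssrf-in-spring-app", "error",
            "GET /fetch: user-controlled URL passed to HTTP client", "demo/FetchController.java", 41),
]}]})


def parse_sarif(text):
    """Flatten every result in every run into the fields a triage pass needs."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "?"),
                "level": res.get("level", "warning"),  # SARIF's default when level is omitted
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def at_least(findings, min_level):
    """Keep findings at or above min_level, the way a severity-threshold option would."""
    return [f for f in findings if LEVELS.get(f["level"], 1) >= LEVELS[min_level]]


def count_by_rule(findings):
    """Per-rule tally for a first look before walking individual flows."""
    return dict(Counter(f["rule"] for f in findings))
```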
```yaml
scan:
  timeout: 15m
  max_memory: 16G
log:
  verbosity: info   # info, debug
  color: auto       # auto, always, never
```

Or use environment variables: OPENTAINT_SCAN_TIMEOUT=30m, OPENTAINT_SCAN_MAX_MEMORY=16G
For detailed configuration, see Configuration Guide.
- GitHub Actions: seqra/opentaint/github
- GitLab CI: seqra/opentaint/gitlab
| Issue | Solution |
|---|---|
| Build fails | Ensure mvn compile or gradle build works; set JAVA_HOME |
| Out of memory | Use --max-memory 16G |
| Timeout | Use --timeout 20m |
| Re-download deps | opentaint prune --yes && opentaint pull |
| Debug | Use --verbosity debug |
For detailed troubleshooting, see Troubleshooting Guide.
For comprehensive guides on all features, see the full Documentation.
- Issues: GitHub Issues
- Community: Discord
- Email: seqradev@gmail.com
- FAQ: FAQ
The core analysis engine is released under the Apache 2.0 License. The CLI, GitHub Action, GitLab CI template, and rules are released under the MIT License.