This skill should be used when the user asks about "Code Property Graph", "CPG analysis", "Joern queries", "CPGQL", "data flow verification", "taint tracking with Joern", "semantic code analysis", or needs to understand how CPG-based verification works for vulnerability detection.
A Code Property Graph (CPG) is a unified data structure that combines three representations of code into one graph:

- Abstract Syntax Tree (AST): the structure of the code (methods, calls, literals, identifiers)
- Control Flow Graph (CFG): the order in which statements can execute
- Program Dependence Graph (PDG): data and control dependencies between statements

Because all three live in the same graph, a single query can ask structural, control-flow and data-flow questions at once. That is what enables semantic queries (for example, "does this parameter reach that call?") which syntax-level pattern-matching tools cannot answer.
| Approach | Use When | Example |
|---|---|---|
| Pattern Matching (Semgrep) | Known vulnerability patterns, syntax-level issues | Finding dynamic code execution calls |
| CPG Analysis (Joern) | Data flow tracking, cross-function analysis | Proving request input reaches database query through 5 functions |
Rule of thumb: Use CPG when you need to prove data flows between points, especially across function boundaries.
Joern is the primary tool for CPG analysis. A typical workflow is:

```bash
# 1. Parse the codebase into a CPG (language is auto-detected from the sources)
joern-parse /path/to/code --output cpg.bin

# 2. Run a Scala script non-interactively, passing the CPG path as a parameter
#    (the script's @main method receives cpgFile as an argument)
joern --script analysis.sc --param cpgFile=cpg.bin

# 3. Or load the CPG in the interactive REPL and query it directly
joern
joern> importCpg("cpg.bin")
joern> cpg.method.name(".*login.*").l
```
CPGQL uses Scala syntax with CPG-specific operations.

Nodes: represent code elements

- `cpg.method` - All methods/functions
- `cpg.call` - All function calls
- `cpg.parameter` - Function parameters
- `cpg.literal` - Literal values
- `cpg.identifier` - Variable references

Traversals: navigate the graph

- `.name("pattern")` - Filter by name (regex, full match)
- `.code("pattern")` - Filter by code content (regex)
- `.argument` - Get call arguments
- `.caller` - Get calling methods
- `.callee` - Get called methods

Data flow: track how data moves

- `.reachableBy(source)` - Find the sink nodes that some source reaches
- `.reachableByFlows(source)` - Get the full source-to-sink paths

Find all calls to a function:

```scala
cpg.call.name("query").l
```

Find parameters that reach dangerous sinks:

```scala
val sources = cpg.parameter.name("req.*|request.*")
val sinks = cpg.call.name("query|execute|run")
sinks.argument.reachableBy(sources).l
```

Get full data flow paths (`.p` pretty-prints each path node by node):

```scala
val sources = cpg.parameter.name("userInput")
val sinks = cpg.call.name("executeQuery")
sinks.argument.reachableByFlows(sources).p
```
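The following script ties the script-based workflow above (parse, then `joern --script ... --param cpgFile=...`) to the data-flow queries, and maps the result onto the confidence levels used in this skill. It is an added example written for this page, not code shipped with vuln-scout or Joern. The file name `sqli-flow.sc`, the source/sink name patterns and the sanitizer name pattern are assumptions that must be tuned per codebase; the sanitizer check is a path-inspection heuristic, whereas Joern's native mechanism for this is custom flow semantics that stop taint at the sanitizer.

```scala
// sqli-flow.sc: added example script, not part of the vuln-scout skill or Joern.
// Run with:  joern --script sqli-flow.sc --param cpgFile=cpg.bin
// Assumptions: cpg.bin was produced by joern-parse; the source, sink and
// sanitizer name patterns below are illustrative and must be tuned per codebase.

import io.shiftleft.codepropertygraph.generated.nodes.{CfgNode, Expression}
import io.shiftleft.semanticcpg.language._
import io.joern.dataflowengineoss.language._

@main def exec(cpgFile: String) = {
  importCpg(cpgFile)

  // Sources: parameters that look like an HTTP request object (assumed naming).
  def sources = cpg.parameter.name("req.*|request.*")

  // Sinks: every argument of a call that executes a query or command.
  def sinks = cpg.call.name("query|execute|run").argument

  // Calls whose name suggests a sanitizer (assumed naming; case-insensitive).
  val sanitizerPattern = "(?i).*(escape|sanitize|parameteriz|prepare).*"

  // A path counts as "sanitized" when any node on it is passed as an argument
  // to a call whose name matches sanitizerPattern. Heuristic: it does not
  // prove the sanitizer is correct for this sink, so such paths are MEDIUM.
  def isSanitized(path: Path): Boolean = path.elements.exists {
    case e: Expression => e.inCall.name(sanitizerPattern).nonEmpty
    case _             => false
  }

  // Render one path as "line: code -> line: code -> ..." for the report.
  def render(path: Path): String =
    path.elements
      .map(n => s"${n.lineNumber.getOrElse("?")}: ${n.code}")
      .mkString(" -> ")

  // Wrap the query so an engine or query error maps to UNKNOWN instead of a crash.
  scala.util.Try(sinks.reachableByFlows(sources).l) match {
    case scala.util.Failure(err) =>
      println(s"UNKNOWN: verification failed, manual analysis required (${err.getMessage})")

    case scala.util.Success(flows) =>
      val (sanitized, unsanitized) = flows.partition(isSanitized)
      if (unsanitized.nonEmpty) {
        println(s"HIGH (0.9+): ${unsanitized.size} unsanitized source->sink path(s)")
        unsanitized.foreach(p => println("  " + render(p)))
      } else if (sanitized.nonEmpty) {
        println(s"MEDIUM (0.6-0.9): ${sanitized.size} path(s) found, but each passes a sanitizer; review them")
        sanitized.foreach(p => println("  " + render(p)))
      } else {
        println("LOW (0.3-0.6): no flow found with these patterns; possible false positive or a flow the patterns miss")
      }
  }
}
```

The script reports every unsanitized path with line numbers so the reviewer can walk the flow in the source. Widening the source or sink regex raises recall at the cost of more paths to triage; if the patterns are too narrow the script reports LOW even when a real flow exists, which is why a LOW result is not treated as proof of a false positive.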
Map the CPG verification result to a finding confidence as follows:

| Verification Result | Confidence | Meaning |
|---|---|---|
| Data flow confirmed | HIGH (0.9+) | CPG shows an unsanitized path from source to sink; the finding is almost certainly real, though exploitability still depends on the sink (e.g. query built by string concatenation) and on the entry point being reachable |
| Partial flow found | MEDIUM (0.6-0.9) | Some path exists (e.g. through a possible sanitizer or only part of the chain); manual review needed |
| No flow found | LOW (0.3-0.6) | Likely a false positive, but the flow may also be one the source/sink patterns or the data-flow engine do not capture (reflection, framework magic, cross-file calls it cannot resolve) |
| Verification failed | UNKNOWN | Query error, parse failure or timeout; manual analysis required |
- references/cpgql-patterns.md - Common vulnerability query patterns
- references/false-positive-patterns.md - Patterns that commonly produce false positives
- references/joern-cheatsheet.md - Quick Joern/CPGQL reference
- references/joern-setup.md - Installing and configuring Joern