From vuln-scout
Analyzes code using Joern's Code Property Graphs (CPG) for data flow tracking, taint analysis, CPGQL queries, and semantic vulnerability detection across JS, TS, Python, Java, C/C++, Go, PHP.
Slash command: `/vuln-scout:cpg-analysis`
A Code Property Graph (CPG) is a unified data structure that combines three representations of code:

- Abstract Syntax Tree (AST) - the syntactic structure of the code
- Control Flow Graph (CFG) - the order in which statements can execute
- Program Dependence Graph (PDG) - the data and control dependencies between statements

This combination enables semantic queries that pattern-matching tools cannot express.
| Approach | Use When | Example |
|---|---|---|
| Pattern Matching (Semgrep) | Known vulnerability patterns, syntax-level issues | Finding dynamic code execution calls |
| CPG Analysis (Joern) | Data flow tracking, cross-function analysis | Proving request input reaches database query through 5 functions |
Rule of thumb: Use CPG when you need to prove data flows between points, especially across function boundaries.
Joern is the primary tool for CPG analysis. The basic workflow is:
```bash
# 1. Parse codebase into CPG
joern-parse /path/to/code --output cpg.bin

# 2. Start Joern REPL or run scripts
joern --script analysis.sc --params cpgFile=cpg.bin

# 3. Or use Joern REPL interactively
joern
> importCpg("cpg.bin")
> cpg.method.name(".*login.*").l
```
CPGQL uses Scala syntax with CPG-specific operations.
Nodes: Represent code elements

- `cpg.method` - All methods/functions
- `cpg.call` - All function calls
- `cpg.parameter` - Function parameters
- `cpg.literal` - Literal values
- `cpg.identifier` - Variable references

Traversals: Navigate the graph

- `.name("pattern")` - Filter by name (regex)
- `.code("pattern")` - Filter by code content
- `.argument` - Get call arguments
- `.caller` - Get calling methods
- `.callee` - Get called methods

Data Flow: Track how data moves

- `.reachableBy(source)` - Find if source reaches this point
- `.reachableByFlows(source)` - Get full paths

Find all calls to a function:

```scala
cpg.call.name("query").l
```

Find parameters that reach dangerous sinks:

```scala
val sources = cpg.parameter.name("req.*|request.*")
val sinks = cpg.call.name("query|execute|run")
sinks.argument.reachableBy(sources).l
```

Get full data flow paths:

```scala
val sources = cpg.parameter.name("userInput")
val sinks = cpg.call.name("executeQuery")
sinks.argument.reachableByFlows(sources).p
```
After CPG verification:
| Verification Result | Confidence | Meaning |
|---|---|---|
| Data flow confirmed | HIGH (0.9+) | CPG proves exploitability |
| Partial flow found | MEDIUM (0.6-0.9) | Some path exists, manual review needed |
| No flow found | LOW (0.3-0.6) | May be false positive or complex flow |
| Verification failed | UNKNOWN | Query error, manual analysis required |
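As an added example (not the skill's or Joern's own code), the following Joern script combines the source-to-sink queries above with the confidence tiers in this table: each sink call is reported as HIGH when a data flow is found, MEDIUM when the sink's method is only reachable through the call graph from a method that holds a source parameter, LOW when no flow is found, and UNKNOWN when the query itself fails. The source and sink name patterns, the call-graph depth and the report format are assumptions.

```scala
// Added example, not the vuln-scout project's own code. Run it the way the
// page shows for scripts: joern --script taint_check.sc --params cpgFile=cpg.bin
// The source/sink regexes, call-graph depth and output format are assumptions.
import io.shiftleft.semanticcpg.language._
import io.joern.dataflowengineoss.language._
import io.shiftleft.codepropertygraph.generated.nodes.Method
import scala.util.{Failure, Success, Try}

@main def main(cpgFile: String) = {
  importCpg(cpgFile)

  // Sources: parameters that look like request input (assumed naming convention)
  def sources   = cpg.method.parameter.name("req.*|request.*|userInput")
  // Sinks: calls that hand a string to a query/command executor (assumed names)
  def sinkCalls = cpg.call.name("query|execute|executeQuery|run")
  val sourceMethods: Set[Method] = sources.method.l.toSet

  // MEDIUM-tier evidence: a source-bearing method reaches the sink's method over
  // caller edges (bounded depth), but the engine proved no data path to the sink.
  @annotation.tailrec
  def calledFromSourceMethod(frontier: Set[Method], seen: Set[Method], depth: Int): Boolean =
    if (frontier.exists(sourceMethods.contains)) true
    else if (depth == 0 || frontier.isEmpty) false
    else {
      val next = frontier.iterator.caller.toSet.diff(seen)
      calledFromSourceMethod(next, seen ++ next, depth - 1)
    }

  for (sink <- sinkCalls.l) {
    val where = s"${sink.method.filename}:${sink.lineNumber.getOrElse(-1)} ${sink.code}"
    // A failing query becomes UNKNOWN for this sink instead of aborting the run
    Try(sink.argument.reachableByFlows(sources).l) match {
      case Failure(e) =>
        println(s"UNKNOWN $where (query error: ${e.getMessage})")
      case Success(flows) if flows.nonEmpty =>
        println(s"HIGH    $where (data flow confirmed)")
        for (flow <- flows)
          println("  " + flow.elements.map(n =>
            s"${n.method.name}:${n.lineNumber.getOrElse(-1)} ${n.code}").mkString(" -> "))
      case Success(_) if calledFromSourceMethod(Set(sink.method), Set(sink.method), 5) =>
        println(s"MEDIUM  $where (call path exists, no data path proven; review manually)")
      case Success(_) =>
        println(s"LOW     $where (no flow found)")
    }
  }
}
```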
References:

- references/cpgql-patterns.md - Common vulnerability query patterns
- references/joern-cheatsheet.md - Quick Joern/CPGQL reference

Install the plugin:

```bash
npx claudepluginhub allsmog/vuln-scout --plugin whitebox-pentest
```