https://github.com/seqra/opentaint

The open source taint analysis engine for the AI era

java kotlin sast security security-tools seqra spring static-analysis taint-analysis vulnerabilities vulnerability-detection vulnerability-scanners

README
# OpenTaint

The open source taint analysis engine for the AI era


Formal inter-procedural taint analysis — finds what AST-pattern matchers miss, enacts what LLM agents discover as rules, scales where neither can alone.
*Screenshot: OpenTaint summary output*

**Supported technologies and integrations**

- Languages: Java, Kotlin
- Frameworks: Spring
- CI integrations: GitHub, GitLab

*The most thorough taint analysis engine for Spring apps*

**Roadmap:** Python, Go, C#, JavaScript, TypeScript

*More screenshots: OpenTaint scan output, OpenTaint summary output*

---

## Why OpenTaint

AI generates production code faster than today's security tooling can keep up with.

LLM security agents find vulnerabilities humans miss, burn tokens on every file, and still can't guarantee they catch everything.

The more AI writes code, the more you need formal methods underneath.

- **Find what AST-pattern matchers miss.** The inter-procedural dataflow engine tracks untrusted data across function boundaries, persistence layers, aliases, and async code.
- **One finding becomes total coverage.** AST-pattern rules let you turn every vulnerability that has been discovered, whether by a reviewer or by an LLM agent, into a rule; the engine then applies it across the entire codebase, deterministically, in minutes of CPU time.
- **Open source, batteries included.** Engine, rules, CI integrations — the entire stack ships under Apache 2.0 and MIT. No paid tier to unlock taint tracking, no gates on writing your own rules.

## Quick Start

**Install script (Linux/macOS):**
```bash
curl -fsSL https://raw.githubusercontent.com/seqra/opentaint/main/scripts/install/install.sh | bash
```

**Install via Homebrew (Linux/macOS):**
```bash
brew install --cask seqra/tap/opentaint
```

**Install script (Windows PowerShell):**
```powershell
irm https://raw.githubusercontent.com/seqra/opentaint/main/scripts/install/install.ps1 | iex
```

**Scan your project:**
```bash
opentaint scan
```

**Or use Docker:**
```bash
docker run --rm -v $(pwd):/project -v $(pwd):/output \
ghcr.io/seqra/opentaint:latest \
opentaint scan --output /output/results.sarif /project
```

For more options, see [Installation](docs/README.md#installation) and [Usage](docs/README.md#usage).

---

## Documentation

Full guides — installation, usage, configuration, CI/CD integration: **[Documentation](docs/README.md)**.

## Support

- **Issues:** [GitHub Issues](https://github.com/seqra/opentaint/issues)
- **Community:** [Discord](https://discord.gg/6BXDfbP4p9)
- **Email:** [seqradev@gmail.com](mailto:seqradev@gmail.com)

## License

The [core analysis engine](core/) is released under the [Apache 2.0 License](LICENSE.md). The [CLI](cli/), [GitHub Action](github/), [GitLab CI template](gitlab/), and [rules](rules/) are released under the [MIT License](cli/LICENSE).