Overview
Cysmiq performs static analysis to identify vulnerable patterns in source code. Deterministic rules detect security issues across supported languages and frameworks.
How it works
Code scanning uses pattern-based rules to detect insecure code patterns:
- Detection: Rules match vulnerable patterns such as unsanitized input reaching a sensitive call, insecure function calls, and dangerous configurations
- Deduplication: Findings are normalized to avoid duplicate reports for the same underlying issue
- Prioritization: Severity and confidence signals help identify which findings need immediate attention
Automated triage and validation
Code findings go through different validation paths depending on the rule:
- Pattern checks: The match is treated as vulnerable as soon as the rule fires. A local context check in the same file then looks for mitigating usage; if mitigation is found, the finding can be downgraded.
- Context checks: The match is treated as vulnerable immediately, then a local context review evaluates how the risky construct is actually used. If it still looks exploitable, or the outcome is unclear, deeper analysis is triggered.
- Data-flow checks: The finding is first validated to confirm that the flagged pattern is genuinely vulnerable. A local analysis then reviews nearby usage. If it still looks exploitable or unclear, deeper analysis builds call-chain context (following calls beyond the local function) to determine exploitability.
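The detection, deduplication and prioritization stages and the pattern/context triage paths above, as an added example written for this page (it is not Cysmiq's engine or any code from the product): a toy Python scanner with a text pattern stage whose hits are treated as vulnerable until reviewed, an AST stage that performs the same-file context check (literal argument or a sanitizer call downgrades the finding, a known input source confirms it, anything else is escalated), deduplication of the two stages by (rule, file, line), and ordering by severity then confidence. The rule IDs, the taint-source and sanitizer lists, and the sample target (including its `build` helper) are all constructed for the example.

```python
"""Illustrative scanner written for this page (not Cysmiq's engine): pattern hits, AST context check, dedup, ranking."""
import ast
import re
from dataclasses import dataclass

# Constructed rule pack with hypothetical rule IDs: sink -> (rule id, severity).
RULES = {
    "eval": ("PY-EVAL", "high"),
    "os.system": ("PY-OS-SYSTEM", "high"),
    "subprocess.call": ("PY-SUBPROCESS-CALL", "medium"),
}
TAINT_SOURCES = ("request.args", "request.form", "sys.argv")  # assumed input sources
SANITIZERS = ("shlex.quote",)                                 # assumed mitigations
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
CONFIDENCE_RANK = {"confirmed": 0, "needs-review": 1, "mitigated": 2}

@dataclass(frozen=True)
class Finding:
    rule_id: str
    file: str
    line: int
    severity: str
    confidence: str
    note: str
    stage: int  # 0 = text pattern hit, 1 = AST match with local context

def _dotted(node):
    # Render a Name/Attribute chain such as `request.args.get` as a string.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def pattern_stage(src, file):
    """Pattern check: every textual hit is treated as vulnerable until reviewed."""
    out = []
    for sink, (rule_id, sev) in RULES.items():
        for m in re.finditer(r"(?<![\w.])" + re.escape(sink) + r"\(", src):
            line = src.count("\n", 0, m.start()) + 1
            out.append(Finding(rule_id, file, line, sev, "needs-review", "text pattern hit", 0))
    return out

def _classify(arg, assigned):
    """Local context check on the sink's first argument, using same-file assignments."""
    if isinstance(arg, ast.Constant):
        return "mitigated", "argument is a literal"
    if isinstance(arg, ast.Name) and arg.id in assigned:
        origin = assigned[arg.id]
        origin = origin.value if isinstance(origin, ast.Subscript) else origin  # e.g. sys.argv[1]
        name = _dotted(origin.func) if isinstance(origin, ast.Call) else _dotted(origin)
        if name and name.startswith(SANITIZERS):
            return "mitigated", f"argument passed through {name}"
        if name and name.startswith(TAINT_SOURCES):
            return "confirmed", f"argument flows from {name}"
    return "needs-review", "origin unclear; escalate to call-chain analysis"

def ast_stage(src, file):
    """Context check: AST match plus local triage (one assignment per name, no scoping)."""
    tree = ast.parse(src)
    assigned = {t.id: n.value for n in ast.walk(tree) if isinstance(n, ast.Assign)
                for t in n.targets if isinstance(t, ast.Name)}
    out = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted(node.func) in RULES:
            rule_id, sev = RULES[_dotted(node.func)]
            conf, note = _classify(node.args[0], assigned) if node.args else ("needs-review", "no argument")
            out.append(Finding(rule_id, file, node.lineno, sev, conf, note, 1))
    return out

def dedupe(findings):
    """Normalise to one report per (rule, file, line), keeping the deepest stage's verdict."""
    best = {}
    for f in findings:
        key = (f.rule_id, f.file, f.line)
        if key not in best or f.stage > best[key].stage:
            best[key] = f
    return list(best.values())

def prioritize(findings):
    """Severity first, then confidence, so confirmed high findings surface at the top."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], CONFIDENCE_RANK[f.confidence], f.line))

def scan(src, file="app.py"):
    return prioritize(dedupe(pattern_stage(src, file) + ast_stage(src, file)))

# Constructed sample target (not real application code); `build` is an assumed helper.
SAMPLE = '''\
import os, shlex, subprocess, sys
from flask import request
def run():
    cmd = request.args.get("cmd")
    os.system(cmd)
    safe = shlex.quote(request.args.get("f"))
    subprocess.call(safe)
    eval("1 + 1")
    data = build(sys.argv)
    eval(data)
'''

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

On the sample, the two stages produce eight raw hits that collapse to four reports: `os.system(cmd)` on line 5 is confirmed (the argument is assigned from `request.args`), `eval(data)` on line 10 stays at needs-review because its origin passes through an unknown helper, and the `shlex.quote`-wrapped `subprocess.call` and the literal `eval("1 + 1")` are downgraded to mitigated. The needs-review bucket is exactly where the page's deeper call-chain analysis would pick up; this toy stops at the local file and does not implement that step.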
What this detects
Code scanning detects common vulnerabilities in web applications and services, based on language and framework rule packs. See Code security rules for the full coverage matrix.
Analysis view
The Analysis tab shows the context used to determine exploitability. It includes the individual call or context chains and their status, so you can review how the decision was made.
Language coverage
Code scanning covers multiple languages including:
- JavaScript/TypeScript
- Python
- Java
- Go
- PHP
- C#/.NET
Related concepts
- Vulnerabilities: severity, status, and lifecycle
- Impacts: business-focused risk categories