> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Code

> Static analysis for common security issues in source code.

## Overview

Cysmiq performs static analysis to identify vulnerable patterns in source code. Deterministic rules detect security issues across supported languages and frameworks.

## How it works

Code scanning uses pattern-based rules to detect insecure code patterns:

* **Detection**: Rules match vulnerable patterns like unsanitized input, insecure function calls, and dangerous configurations
* **Deduplication**: Findings are normalized to avoid duplicate reports for the same underlying issue
* **Prioritization**: Severity and confidence signals help identify which findings need immediate attention

## Automated triage and validation

Code findings go through different validation paths depending on the rule:

* **Pattern checks**: The pattern is treated as vulnerable immediately. A local context check in the same file looks for mitigating usage. If mitigation is found, the finding can be downgraded.
* **Context checks**: The pattern is treated as vulnerable immediately, then a local context review evaluates how the risky construct is used. If it still looks exploitable or is unclear, deeper analysis is triggered.
* **Data-flow checks**: The finding is first validated to confirm it is truly vulnerable. Then a local analysis reviews nearby usage. If it still looks exploitable or unclear, a deeper analysis builds call-chain context to determine exploitability.

When deeper analysis is inconclusive, Cysmiq can trigger an agent-assisted resolver to expand context and verify the finding. Only unresolved cases are escalated for human review.

## What this detects

Code scanning detects common vulnerabilities in web applications and services, based on language and framework rule packs.

See [Code security rules](/reference/code-security-rules) for the full coverage matrix.

## Analysis view

The **Analysis** tab shows the context used to determine exploitability. It includes individual call or context chains and their status so you can review how the decision was made.

## Language coverage

Code scanning covers multiple languages including:

* JavaScript/TypeScript
* Python
* Java
* Kotlin
* Go
* Elixir
* Ruby
* PHP
* C#/.NET

Framework-specific rule packs are added when Cysmiq detects matching dependencies or project files, such as Rails gems, Android manifests, or Kotlin HTTP client dependencies.

## Related concepts

* [Vulnerabilities](/concepts/vulnerabilities): severity, status, and lifecycle
* [Impacts](/concepts/impacts): business-focused risk categories
