Static Application Security Testing

Deep Code Scanning
that understands context.

Traditional SAST tools match patterns. codelake understands how your code executes.

Powered by the Semgrep engine with codelake's custom rule library, our deep code scanner traces data flows across functions, files, and services — catching vulnerabilities that pattern-matching tools miss entirely.

Start scanning free Try FreeScan first

codelake scan --sast .

$ codelake scan --sast .

▸ Deep code analysis running...

Parsing 1,247 source files

Building abstract syntax trees...

Tracing data flows across 38 modules...

Applying 2,400+ detection rules...

CRITICAL SQL Injection — user input to query

↳ src/api/users.ts:47 → db/queries.ts:12

CRITICAL XSS — unsanitized output in template

↳ views/profile.blade.php:83

HIGH Command Injection via exec()

↳ lib/deploy.py:24 — user-controlled arg

MEDIUM Insecure random for token generation

↳ auth/tokens.js:15 — use crypto.randomBytes

✓ 31 findings · 4 critical · 11 high · 12 medium · 4 low

█

How It Works

From source code to actionable findings in minutes.

codelake's SAST engine goes through four phases to provide the deepest analysis possible — all without ever executing your code.

account_tree

Step 1

AST Parsing

Every source file is parsed into an Abstract Syntax Tree. We understand your code's structure, not just its text.

conversion_path

Step 2

Data Flow Analysis

Taint tracking follows user input from entry points through transformations, across function calls, all the way to dangerous sinks.

rule

Step 3

Rule Matching

2,400+ detection rules run against the enriched AST — from OWASP Top 10 patterns to framework-specific anti-patterns and custom rules.

hub

Step 4

Context Correlation

Findings are enriched with application context: what data is at risk, which users are affected, and how findings chain together.

What We Detect

Hundreds of vulnerability patterns across every category.

From injection attacks to insecure cryptography, codelake covers the full OWASP Top 10 and far beyond.

database

SQL Injection

Detects unsanitized user input flowing into SQL queries — including ORM bypasses, raw queries, and parameterization failures.

code

Cross-Site Scripting (XSS)

Stored, reflected, and DOM-based XSS. Tracks user input through template engines, React props, and dynamic HTML generation.

terminal

Command Injection

User-controlled data in exec(), system(), eval(), and shell commands. Covers all OS command execution sinks.

folder_open

Path Traversal

Detects file path manipulation that could allow attackers to read or write arbitrary files on the server.

enhanced_encryption

Insecure Cryptography

Weak algorithms (MD5, SHA1 for passwords), hardcoded IVs, ECB mode, insufficient key lengths, and broken random number generators.

lock_open

Authentication Flaws

Missing auth middleware, broken session management, insecure password storage, and JWT misconfigurations.

shield

Authorization Bypass

IDOR vulnerabilities, missing ownership checks, privilege escalation paths, and broken access control patterns.

data_object

Insecure Deserialization

Unsafe deserialization of user-controlled data in Java, PHP, Python, and Node.js — a common RCE vector.

public

SSRF & Open Redirects

Server-side request forgery and open redirect vulnerabilities where user input controls URLs or network destinations.

Custom Rules

Your codebase, your rules.

Every team has internal coding standards, deprecated APIs, and domain-specific security requirements. codelake lets you write custom detection rules using the familiar Semgrep syntax.

check_circle

Semgrep-compatible syntax

Write rules in YAML using patterns you already know. Import from the Semgrep registry or write from scratch.
check_circle

Framework-aware templates

Pre-built rule templates for Laravel, Django, Express, Spring Boot, Rails, and more — customizable to your conventions.
check_circle

Team-shared rule library

Share custom rules across your organization. Version them alongside your code in your repository.
check_circle

Rule testing & validation

Test your rules against sample code before deploying. See matches and false positive rates before going live.

custom-rule.yml

rules:

- id: no-raw-sql-queries

patterns:

- pattern: DB::raw($INPUT)

- pattern-not: DB::raw("...")

message: |

Raw SQL with variable input detected.

Use parameterized queries instead.

severity: ERROR

languages: [php]

metadata:

category: injection

cwe: CWE-89

Language Support

Your stack. Fully covered.

codelake supports all major programming languages and frameworks with deep, framework-aware analysis — not just surface-level pattern matching.

JavaScript

React, Vue, Node.js

TypeScript

Angular, Next.js, Nest

Python

Django, Flask, FastAPI

PHP

Laravel, Symfony

Gin, Echo, Fiber

Java

Spring Boot, Jakarta

Ruby

Rails, Sinatra

C# / .NET

ASP.NET, Blazor

Example Findings

See exactly what codelake catches.

Every finding includes the exact code location, a clear explanation, the data flow path, and a remediation recommendation.

Critical

SQL Injection via unsanitized query parameter

// src/controllers/UserController.ts:47

const users = await db.query(

`SELECT * FROM users WHERE name = '${req.query.name}'`

);

Data Flow

req.query.name → template literal → db.query()

CWE

CWE-89: SQL Injection

Fix

Use parameterized queries: db.query("SELECT * FROM users WHERE name = ?", [name])

High

Insecure password hashing with MD5

# auth/register.py:31

import hashlib

password_hash = hashlib.md5(password.encode()).hexdigest()

Risk

MD5 is cryptographically broken. Hashes can be reversed in seconds.

CWE

CWE-327: Use of Broken Crypto Algorithm

Fix

Use bcrypt or argon2: bcrypt.hashpw(password, bcrypt.gensalt())

Find vulnerabilities before attackers do.

Start scanning your codebase in under 2 minutes. No credit card required. Free tier includes unlimited public repositories.

Start free — scan your code now View pricing

Deep Code Scanning that understands context.