Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/davide-desio-eleva/kirograph/llms.txt

Use this file to discover all available pages before exploring further.

Traditional software composition analysis (SCA) tools report every CVE that affects any dependency in your lockfile, regardless of whether your application ever calls the vulnerable code. KiroGraph-Sec is different: it traverses the call graph from your application’s entry points to determine whether a vulnerable code path is actually reachable. A dependency that is installed but never called cannot be exploited. This reachability-first approach dramatically reduces noise and lets you focus remediation effort where it actually matters.

Enabling Security Analysis

Add the following to .kirograph/config.json:
{
  "enableSecurity": true,
  "securityDatabases": ["OSV"],
  "securityAutoEnrich": true
}
enableSecurity requires enableArchitecture: true. If architecture analysis is disabled when security is enabled, KiroGraph automatically enables it and logs a warning.

How the Pipeline Works

The security pipeline runs as the final phase of indexing, after code extraction, reference resolution, and architecture analysis are complete.
1

Manifest Discovery

KiroGraph scans the project tree for all supported manifest files, respecting .gitignore and standard skip directories.
2

Dependency Parsing

Package names, version constraints, and dependency scopes are extracted from each manifest. Transitive dependencies are resolved up to 10 levels deep. A lock file is required for precise resolved versions; without one, declared constraints are used.
3

Dependency Graph Integration

Dependencies are linked to code symbols via import and reference edges. Each dependency node connects to the symbols that import it, making cross-package call paths traceable.
4

Vulnerability Enrichment

KiroGraph queries the configured vulnerability databases (OSV) for each dependency. Results are stored as vulnerability nodes linked to affected dependency nodes via has_vulnerability edges.
5

Reachability Analysis

The call graph is traversed via BFS from all detected application entry points. For each vulnerable dependency, KiroGraph determines whether any path from an entry point reaches that dependency’s code.
6

Impact Analysis

Each vulnerability is classified as affected, not_affected, or under_investigation. Impact summaries include affected architectural layers, reaching entry points, and distinct call paths.

Reachability Verdicts

VerdictMeaning
affectedAt least one call path exists from an entry point to the vulnerable dependency.
not_affectedNo path exists from any entry point, and no unresolved imports were encountered during traversal.
under_investigationThe traversal encountered at least one unresolved import. The vulnerability might be reachable through that unknown path.

Supported Ecosystems

EcosystemManifestLock file
npmpackage.jsonpackage-lock.json, pnpm-lock.yaml, yarn.lock
Mavenpom.xml
Gradlebuild.gradle, build.gradle.ktsgradle.lockfile
Gogo.modgo.sum
piprequirements.txt
Python (modern)pyproject.tomlpoetry.lock, pdm.lock, uv.lock
CargoCargo.tomlCargo.lock
NuGet*.csproj, packages.configpackages.lock.json
RubyGemsGemfileGemfile.lock
Composercomposer.jsoncomposer.lock
Swift PMPackage.swiftPackage.resolved
Dart / Flutterpubspec.yamlpubspec.lock
Elixir / Hexmix.exsmix.lock

Graph Model Additions

Security analysis adds two new node kinds and three new edge kinds to the knowledge graph: Nodes:
  • dependency — A third-party package declared in a manifest
  • vulnerability — A CVE record linked to an affected dependency
Edges:
  • has_vulnerability — Links a dependency to a vulnerability
  • depends_on — Links dependencies to their transitive dependencies
  • declared_in — Links a dependency to its declaring manifest file

SAST-Lite

KiroGraph includes structural security flow detection that runs automatically during indexing when enableSecurity: true. It detects SQL injection, dangerous eval/exec, unsafe deserialization, path traversal, and weak cryptography. Each finding is tagged with an OWASP Top 10 (2021) category. These heuristics are structural (call-graph based), not taint-based — findings indicate potential risk but do not confirm exploitability.

AST Pattern Matching

AST pattern matching is opt-in and requires npm install @ast-grep/napi. Without this dependency, enablePatterns: true has no effect. Enable it in config and install the package separately.
When enablePatterns: true and @ast-grep/napi is installed, KiroGraph runs structural AST rules during indexing. Unlike heuristic SAST (which matches symbol names), AST patterns match actual code structure — finding SQL injection inside helper functions, not just controllers named “handler”.
{
  "enablePatterns": true,
  "patternLibraryPath": "./security-rules"
}

Bundled SAST Rules

IDSeverityOWASPDescription
sql-injection-concat-jsCriticalA03SQL query by string concatenation (JS/TS)
sql-injection-template-jsCriticalA03SQL query by template literal (JS/TS)
sql-injection-pyCriticalA03SQL query by string formatting (Python)
dangerous-eval-jsCriticalA03eval() with non-literal argument (JS/TS)
dangerous-exec-pyCriticalA03os.system() / subprocess with shell=True (Python)
path-traversal-readfile-jsHighA01fs.readFile with request param path (JS/TS)
path-traversal-pyHighA01open() with request param path (Python)
prototype-pollution-jsHighA08__proto__ assignment (JS/TS)
weak-crypto-md5-jsMediumA02createHash('md5'/'sha1') (JS/TS)
weak-crypto-pyMediumA02hashlib.md5/sha1() (Python)

Custom YAML Pattern Example

id: sql-injection-concat-ts
language: typescript
severity: critical
message: "Potential SQL injection via string concatenation"
rule:
  pattern: |
    $DB.query($A + $B)
Place custom rule files in the directory specified by patternLibraryPath. They are merged with the bundled rules at index time.

Supply Chain Health

Beyond CVEs, KiroGraph-Sec includes supply chain risk tools:
  • OpenSSF Scorecard scores per dependency
  • Dependency confusion detection — internal packages whose names exist in public registries
  • Typosquatting detection — packages within Levenshtein distance ≤ 2 from popular packages
  • Staleness scores — calculated from major versions behind and months since latest release
  • Abandoned package detection — packages inactive for >365 days
  • New package risk — packages less than 30 days old

Output Formats

CycloneDX SBOM

kirograph sbom --output sbom.json
Produces a CycloneDX 1.5 SBOM with package URLs (pkg:npm/express@4.18.2), dependency relationships, and scope information.

CycloneDX VEX

kirograph vex --output vex.json
Produces a CycloneDX 1.5 VEX document where each vulnerability entry is annotated with KiroGraph’s reachability verdict (affected, not_affected, under_investigation).

SARIF

kirograph security ci-report --format sarif --output results.sarif
Produces a SARIF 2.1.0 report uploadable directly to the GitHub Security tab.

HTML Dashboard

kirograph security export --output security-report.html --open
Generates a self-contained HTML security dashboard with tabs for: Overview, Vulnerabilities, SBOM, VEX, Licenses, Staleness, Attack Surface, Secrets, Flows, and Remediation.

Build docs developers (and LLMs) love