Traditional software composition analysis (SCA) tools report every CVE that affects any dependency in your lockfile, regardless of whether your application ever calls the vulnerable code. KiroGraph-Sec is different: it traverses the call graph from your application’s entry points to determine whether a vulnerable code path is actually reachable. A dependency that is installed but never called cannot be exploited. This reachability-first approach dramatically reduces noise and lets you focus remediation effort where it actually matters.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/davide-desio-eleva/kirograph/llms.txt
Use this file to discover all available pages before exploring further.
Enabling Security Analysis
Add the following to.kirograph/config.json:
enableSecurity requires enableArchitecture: true. If architecture analysis is disabled when security is enabled, KiroGraph automatically enables it and logs a warning.
How the Pipeline Works
The security pipeline runs as the final phase of indexing, after code extraction, reference resolution, and architecture analysis are complete.Manifest Discovery
KiroGraph scans the project tree for all supported manifest files, respecting
.gitignore and standard skip directories.Dependency Parsing
Package names, version constraints, and dependency scopes are extracted from each manifest. Transitive dependencies are resolved up to 10 levels deep. A lock file is required for precise resolved versions; without one, declared constraints are used.
Dependency Graph Integration
Dependencies are linked to code symbols via import and reference edges. Each
dependency node connects to the symbols that import it, making cross-package call paths traceable.Vulnerability Enrichment
KiroGraph queries the configured vulnerability databases (OSV) for each dependency. Results are stored as
vulnerability nodes linked to affected dependency nodes via has_vulnerability edges.Reachability Analysis
The call graph is traversed via BFS from all detected application entry points. For each vulnerable dependency, KiroGraph determines whether any path from an entry point reaches that dependency’s code.
Reachability Verdicts
| Verdict | Meaning |
|---|---|
affected | At least one call path exists from an entry point to the vulnerable dependency. |
not_affected | No path exists from any entry point, and no unresolved imports were encountered during traversal. |
under_investigation | The traversal encountered at least one unresolved import. The vulnerability might be reachable through that unknown path. |
Supported Ecosystems
| Ecosystem | Manifest | Lock file |
|---|---|---|
| npm | package.json | package-lock.json, pnpm-lock.yaml, yarn.lock |
| Maven | pom.xml | — |
| Gradle | build.gradle, build.gradle.kts | gradle.lockfile |
| Go | go.mod | go.sum |
| pip | requirements.txt | — |
| Python (modern) | pyproject.toml | poetry.lock, pdm.lock, uv.lock |
| Cargo | Cargo.toml | Cargo.lock |
| NuGet | *.csproj, packages.config | packages.lock.json |
| RubyGems | Gemfile | Gemfile.lock |
| Composer | composer.json | composer.lock |
| Swift PM | Package.swift | Package.resolved |
| Dart / Flutter | pubspec.yaml | pubspec.lock |
| Elixir / Hex | mix.exs | mix.lock |
Graph Model Additions
Security analysis adds two new node kinds and three new edge kinds to the knowledge graph: Nodes:dependency— A third-party package declared in a manifestvulnerability— A CVE record linked to an affected dependency
has_vulnerability— Links a dependency to a vulnerabilitydepends_on— Links dependencies to their transitive dependenciesdeclared_in— Links a dependency to its declaring manifest file
SAST-Lite
KiroGraph includes structural security flow detection that runs automatically during indexing whenenableSecurity: true. It detects SQL injection, dangerous eval/exec, unsafe deserialization, path traversal, and weak cryptography. Each finding is tagged with an OWASP Top 10 (2021) category.
These heuristics are structural (call-graph based), not taint-based — findings indicate potential risk but do not confirm exploitability.
AST Pattern Matching
WhenenablePatterns: true and @ast-grep/napi is installed, KiroGraph runs structural AST rules during indexing. Unlike heuristic SAST (which matches symbol names), AST patterns match actual code structure — finding SQL injection inside helper functions, not just controllers named “handler”.
Bundled SAST Rules
| ID | Severity | OWASP | Description |
|---|---|---|---|
sql-injection-concat-js | Critical | A03 | SQL query by string concatenation (JS/TS) |
sql-injection-template-js | Critical | A03 | SQL query by template literal (JS/TS) |
sql-injection-py | Critical | A03 | SQL query by string formatting (Python) |
dangerous-eval-js | Critical | A03 | eval() with non-literal argument (JS/TS) |
dangerous-exec-py | Critical | A03 | os.system() / subprocess with shell=True (Python) |
path-traversal-readfile-js | High | A01 | fs.readFile with request param path (JS/TS) |
path-traversal-py | High | A01 | open() with request param path (Python) |
prototype-pollution-js | High | A08 | __proto__ assignment (JS/TS) |
weak-crypto-md5-js | Medium | A02 | createHash('md5'/'sha1') (JS/TS) |
weak-crypto-py | Medium | A02 | hashlib.md5/sha1() (Python) |
Custom YAML Pattern Example
patternLibraryPath. They are merged with the bundled rules at index time.
Supply Chain Health
Beyond CVEs, KiroGraph-Sec includes supply chain risk tools:- OpenSSF Scorecard scores per dependency
- Dependency confusion detection — internal packages whose names exist in public registries
- Typosquatting detection — packages within Levenshtein distance ≤ 2 from popular packages
- Staleness scores — calculated from major versions behind and months since latest release
- Abandoned package detection — packages inactive for >365 days
- New package risk — packages less than 30 days old
Output Formats
CycloneDX SBOM
pkg:npm/express@4.18.2), dependency relationships, and scope information.
CycloneDX VEX
affected, not_affected, under_investigation).
