Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/davide-desio-eleva/kirograph/llms.txt

Use this file to discover all available pages before exploring further.

KiroGraph’s security tools turn the code knowledge graph into a reachability-aware vulnerability scanner. Rather than reporting every CVE that appears in your package.json, they trace actual call paths from HTTP routes and exported entry points to vulnerable dependencies — surfacing only the vulnerabilities your code can actually reach. All tools in this group require enableSecurity: true and enableArchitecture: true in your config. Pattern-based SAST tools additionally require enablePatterns: true.
Security analysis is run during indexing (kirograph index). If you enable enableSecurity on an existing project, run kirograph index once to populate the security graph before calling any of these tools.

Vulnerability Tools

kirograph_security

Security posture overview: total dependencies indexed, vulnerability counts, reachability verdict breakdown, suppressed CVE count, and stale data warnings. Use this as the starting point before drilling into specific vulnerabilities.
projectPath
string
default:"cwd"
Project root path.
{
  "tool": "kirograph_security",
  "arguments": {}
}

kirograph_vulns

List vulnerabilities with reachability verdicts, severity scores, EPSS scores, and fix suggestions. Results are ranked by risk score (severity × reachability). Suppressed CVEs are excluded by default.
severity
string
Filter by severity band. Options: critical (CVSS ≥ 9.0), high (7.0–8.9), medium (4.0–6.9), low (0.1–3.9).
verdict
string
Filter by reachability verdict. Options: affected, not_affected, under_investigation.
limit
number
default:"20"
Maximum results to return.
refresh
boolean
default:"false"
Trigger fresh enrichment from configured vulnerability databases (e.g. OSV) before listing. Set to true when vulnerability data may be stale.
projectPath
string
default:"cwd"
Project root path.
Example response:
CVE-2023-44270 (7.5 HIGH) — postcss
  Verdict: affected
  Paths: 2 entry points reach this dependency
  Layers: api, service
  💡 Fix: npm install postcss@8.4.31

kirograph_reachability

Deep reachability analysis for a specific CVE or dependency. Returns the verdict, the shortest call path from each entry point that reaches the vulnerable code, unresolved symbols (if any), and an impact summary with affected layers and distinct path count.
target
string
required
CVE identifier (e.g. "CVE-2024-1234") or package name (e.g. "lodash").
projectPath
string
default:"cwd"
Project root path.
Example response:
CVE-2024-1234 — lodash@4.17.20
  Verdict: affected
  Reaching entry points: 3
  Paths:
    POST /api/users → UserService.create → validateInput → lodash
    GET /api/users → UserService.list → formatResponse → lodash
    POST /api/auth → AuthController.login → sanitize → lodash
  Affected layers: api, service
  Distinct paths: 5

kirograph_vuln_add

Manually register a CVE against an indexed dependency. Creates a Vulnerability_Node linked to the matching Dependency_Node. Useful for private or internal advisories not available in public databases.
cveId
string
required
CVE identifier (e.g. "CVE-2024-9999").
package
string
required
Package name — must match an existing indexed dependency exactly.
severity
number
CVSS v3.1 base score (0.0–10.0).
summary
string
Human-readable description (truncated to 500 characters).
fixedVersion
string
Version that fixes the vulnerability.
projectPath
string
default:"cwd"
Project root path.

kirograph_vuln_suppress

Suppress a CVE from all vulnerability reports. Suppressed CVEs are excluded from kirograph_vulns, kirograph_security, and SBOM/VEX exports. Suppressions can optionally expire on a set date.
cveId
string
required
CVE identifier to suppress (e.g. "CVE-2024-1234").
reason
string
Reason for suppression (recommended for audit trail).
expires
string
Expiry date in ISO format (e.g. "2026-12-31"). After this date the suppression is automatically removed.
projectPath
string
default:"cwd"
Project root path.

kirograph_remediation

SLA tracking per CVE. Thresholds: critical = 7 days, high = 30 days, medium = 90 days. Returns days open, days with fix available, and SLA status for each vulnerability.
overdueOnly
boolean
default:"false"
Return only CVEs that have breached their SLA threshold.
projectPath
string
default:"cwd"
Project root path.

Dependency and Supply Chain Tools

kirograph_staleness

Check dependency freshness against the latest published versions. Identifies packages that are significantly behind, sorted by staleness score. Supports npm, PyPI, crates.io, RubyGems, and Packagist registries.
threshold
number
default:"0.3"
Minimum staleness score (0.0–1.0) to include in results.
refresh
boolean
default:"false"
Re-query registries for the latest version data before listing.
projectPath
string
default:"cwd"
Project root path.

kirograph_licenses

List dependency licenses and check them against the configured securityLicensePolicy. Returns each package’s license and flags policy violations (deny/warn).
policy
boolean
default:"false"
When true, return only packages that violate the configured deny or warn policy.
projectPath
string
default:"cwd"
Project root path.

kirograph_supply_chain

Supply chain health assessment: OpenSSF Scorecard scores, maintainer counts, abandoned package detection (>365 days inactive), and new package risk (<30 days old). Uses external APIs — results are cached to avoid repeated requests.
threshold
string
Minimum risk level to include. Options: low, medium, high, critical.
refresh
boolean
default:"false"
Re-query external sources before returning results.
projectPath
string
default:"cwd"
Project root path.

kirograph_dep_confusion

Detect dependency confusion attack vectors: internal packages whose names exist in public registries. Also detects typosquatting candidates using Levenshtein distance ≤ 2 from popular package names.
projectPath
string
default:"cwd"
Project root path.

Attack Surface and Flow Analysis

kirograph_attack_surface

Map all HTTP routes to reachable vulnerable dependencies. Each result shows the route name, exposure level (public/authenticated/internal), hop count from route to vulnerable dependency, and an overall risk score.
limit
number
default:"20"
Maximum routes to return.
publicOnly
boolean
default:"false"
Return only public-facing (unauthenticated) routes.
projectPath
string
default:"cwd"
Project root path.

kirograph_security_flows

SAST-lite: detect insecure data flows in your code. Identifies SQL injection, dangerous eval/exec, unsafe deserialization, path traversal, and weak cryptographic usage. Each finding is tagged with an OWASP Top 10 (2021) category.
type
string
default:"all"
Filter by flow type. Options: sql, eval, deserialize, path, crypto, all.
projectPath
string
default:"cwd"
Project root path.

kirograph_secrets

Scan for hardcoded secrets — 14 secret types including AWS keys, GitHub tokens, database URLs, JWTs, private keys, and more. Each detected secret is enriched with a call-graph blast radius showing which HTTP entry points can reach it.
includeTests
boolean
default:"false"
Include test files in the scan.
severity
string
Filter by severity. Options: critical, high, medium, low.
projectPath
string
default:"cwd"
Project root path.

Export Tools

kirograph_sbom

Generate a CycloneDX 1.5 SBOM JSON document containing all project dependencies as components with purl identifiers, scope classification, and dependency relationships. Suitable for submission to software composition analysis pipelines.
projectPath
string
default:"cwd"
Project root path.

kirograph_vex

Generate a CycloneDX 1.5 VEX (Vulnerability Exploitability eXchange) JSON document. Maps graph reachability verdicts to CycloneDX VEX states: affected"affected", not_affected"not_affected" (justification: "code_not_reachable"), under_investigation"under_investigation".
projectPath
string
default:"cwd"
Project root path.
Pair kirograph_sbom and kirograph_vex to produce a complete CycloneDX 1.5 BOM+VEX bundle for compliance submissions or CI artifact uploads.

Pattern-Based SAST (require enablePatterns: true)

Pattern tools use @ast-grep/napi for structural AST matching. They only appear in the MCP tool list when both enablePatterns: true and the @ast-grep/napi package is installed. When either condition is false, the tools are not registered.

kirograph_pattern_coverage

OWASP Top 10 coverage report: which OWASP categories are covered by active rules and how many matches were found per category.
projectPath
string
default:"cwd"
Project root path.

kirograph_pattern_save_baseline

Save the current pattern match counts as a named baseline. Use before a sprint or release to track new findings introduced by changes.
label
string
default:"default"
Baseline label.
projectPath
string
default:"cwd"
Project root path.

kirograph_pattern_diff

Diff current pattern matches against a saved baseline. Returns newly introduced findings and resolved findings since the baseline was captured.
label
string
default:"default"
Baseline label to diff against.
projectPath
string
default:"cwd"
Project root path.
{
  "tool": "kirograph_pattern_diff",
  "arguments": { "label": "sprint-42-start" }
}

Build docs developers (and LLMs) love