KiroGraph’s security tools turn the code knowledge graph into a reachability-aware vulnerability scanner. Rather than reporting every CVE that appears in yourDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/davide-desio-eleva/kirograph/llms.txt
Use this file to discover all available pages before exploring further.
package.json, they trace actual call paths from HTTP routes and exported entry points to vulnerable dependencies — surfacing only the vulnerabilities your code can actually reach. All tools in this group require enableSecurity: true and enableArchitecture: true in your config. Pattern-based SAST tools additionally require enablePatterns: true.
Security analysis is run during indexing (
kirograph index). If you enable
enableSecurity on an existing project, run kirograph index once to
populate the security graph before calling any of these tools.Vulnerability Tools
kirograph_security
Security posture overview: total dependencies indexed, vulnerability counts, reachability verdict breakdown, suppressed CVE count, and stale data warnings. Use this as the starting point before drilling into specific vulnerabilities.
Project root path.
kirograph_vulns
List vulnerabilities with reachability verdicts, severity scores, EPSS scores, and fix suggestions. Results are ranked by risk score (severity × reachability). Suppressed CVEs are excluded by default.
Filter by severity band. Options:
critical (CVSS ≥ 9.0), high (7.0–8.9), medium (4.0–6.9), low (0.1–3.9).Filter by reachability verdict. Options:
affected, not_affected, under_investigation.Maximum results to return.
Trigger fresh enrichment from configured vulnerability databases (e.g. OSV) before listing. Set to
true when vulnerability data may be stale.Project root path.
kirograph_reachability
Deep reachability analysis for a specific CVE or dependency. Returns the verdict, the shortest call path from each entry point that reaches the vulnerable code, unresolved symbols (if any), and an impact summary with affected layers and distinct path count.
CVE identifier (e.g.
"CVE-2024-1234") or package name (e.g. "lodash").Project root path.
kirograph_vuln_add
Manually register a CVE against an indexed dependency. Creates a Vulnerability_Node linked to the matching Dependency_Node. Useful for private or internal advisories not available in public databases.
CVE identifier (e.g.
"CVE-2024-9999").Package name — must match an existing indexed dependency exactly.
CVSS v3.1 base score (0.0–10.0).
Human-readable description (truncated to 500 characters).
Version that fixes the vulnerability.
Project root path.
kirograph_vuln_suppress
Suppress a CVE from all vulnerability reports. Suppressed CVEs are excluded from kirograph_vulns, kirograph_security, and SBOM/VEX exports. Suppressions can optionally expire on a set date.
CVE identifier to suppress (e.g.
"CVE-2024-1234").Reason for suppression (recommended for audit trail).
Expiry date in ISO format (e.g.
"2026-12-31"). After this date the suppression is automatically removed.Project root path.
kirograph_remediation
SLA tracking per CVE. Thresholds: critical = 7 days, high = 30 days, medium = 90 days. Returns days open, days with fix available, and SLA status for each vulnerability.
Return only CVEs that have breached their SLA threshold.
Project root path.
Dependency and Supply Chain Tools
kirograph_staleness
Check dependency freshness against the latest published versions. Identifies packages that are significantly behind, sorted by staleness score. Supports npm, PyPI, crates.io, RubyGems, and Packagist registries.
Minimum staleness score (0.0–1.0) to include in results.
Re-query registries for the latest version data before listing.
Project root path.
kirograph_licenses
List dependency licenses and check them against the configured securityLicensePolicy. Returns each package’s license and flags policy violations (deny/warn).
When
true, return only packages that violate the configured deny or warn policy.Project root path.
kirograph_supply_chain
Supply chain health assessment: OpenSSF Scorecard scores, maintainer counts, abandoned package detection (>365 days inactive), and new package risk (<30 days old). Uses external APIs — results are cached to avoid repeated requests.
Minimum risk level to include. Options:
low, medium, high, critical.Re-query external sources before returning results.
Project root path.
kirograph_dep_confusion
Detect dependency confusion attack vectors: internal packages whose names exist in public registries. Also detects typosquatting candidates using Levenshtein distance ≤ 2 from popular package names.
Project root path.
Attack Surface and Flow Analysis
kirograph_attack_surface
Map all HTTP routes to reachable vulnerable dependencies. Each result shows the route name, exposure level (public/authenticated/internal), hop count from route to vulnerable dependency, and an overall risk score.
Maximum routes to return.
Return only public-facing (unauthenticated) routes.
Project root path.
kirograph_security_flows
SAST-lite: detect insecure data flows in your code. Identifies SQL injection, dangerous eval/exec, unsafe deserialization, path traversal, and weak cryptographic usage. Each finding is tagged with an OWASP Top 10 (2021) category.
Filter by flow type. Options:
sql, eval, deserialize, path, crypto, all.Project root path.
kirograph_secrets
Scan for hardcoded secrets — 14 secret types including AWS keys, GitHub tokens, database URLs, JWTs, private keys, and more. Each detected secret is enriched with a call-graph blast radius showing which HTTP entry points can reach it.
Include test files in the scan.
Filter by severity. Options:
critical, high, medium, low.Project root path.
Export Tools
kirograph_sbom
Generate a CycloneDX 1.5 SBOM JSON document containing all project dependencies as components with purl identifiers, scope classification, and dependency relationships. Suitable for submission to software composition analysis pipelines.
Project root path.
kirograph_vex
Generate a CycloneDX 1.5 VEX (Vulnerability Exploitability eXchange) JSON document. Maps graph reachability verdicts to CycloneDX VEX states: affected → "affected", not_affected → "not_affected" (justification: "code_not_reachable"), under_investigation → "under_investigation".
Project root path.
Pattern-Based SAST (require enablePatterns: true)
Pattern tools use @ast-grep/napi for structural AST matching. They only appear in the MCP tool list when both enablePatterns: true and the @ast-grep/napi package is installed. When either condition is false, the tools are not registered.
kirograph_pattern_coverage
OWASP Top 10 coverage report: which OWASP categories are covered by active rules and how many matches were found per category.
Project root path.
kirograph_pattern_save_baseline
Save the current pattern match counts as a named baseline. Use before a sprint or release to track new findings introduced by changes.
Baseline label.
Project root path.
kirograph_pattern_diff
Diff current pattern matches against a saved baseline. Returns newly introduced findings and resolved findings since the baseline was captured.
Baseline label to diff against.
Project root path.
