Security Tools¶

Security tools detect vulnerabilities using taint analysis—tracking how untrusted data flows through your code to dangerous operations.

Tools in This Category¶

Tool	Description	Tier
`security_scan`	Taint-based vulnerability detection	Community
`unified_sink_detect`	Polyglot sink detection	Community
`cross_file_security_scan`	Cross-module taint tracking	Pro
`scan_dependencies`	Check for CVEs in dependencies	Community
`type_evaporation_scan`	TypeScript type safety	Pro

security_scan¶

Detect vulnerabilities using taint analysis in a single file.

What It Does¶

security_scan tracks data flow from untrusted sources to dangerous sinks:

Taint sources: Function parameters, user input, file reads
Taint sinks: SQL queries, shell commands, file writes, HTML output
Vulnerability types: SQL injection, XSS, command injection, path traversal
Confidence scores: How certain the detection is

When AI Agents Use This¶

Reviewing code for security issues
Checking code before deployment
Finding vulnerabilities during code review
Validating fixes for reported issues

Quick Reference¶

Property	Value
Tier	Community
Languages	Python, JavaScript, TypeScript, Java
Token Cost	~100-400 tokens

Parameters¶

Parameter	Type	Required	Description
`file_path`	string	✓*	Path to file to scan
`code`	string	✓*	Code string to scan
`confidence_threshold`	float		Min confidence (0.0-1.0, default: 0.7)

*Provide either file_path or code, not both.

Example Usage¶

Scan FileScan Code

Prompt:

"Check auth.py for security vulnerabilities"

Tool Call:

{
  "tool": "security_scan",
  "parameters": {
    "file_path": "src/auth.py"
  }
}

Prompt:

"Is this code vulnerable?"

Tool Call:

{
  "tool": "security_scan",
  "parameters": {
    "code": "def get_user(id):\n    query = f'SELECT * FROM users WHERE id = {id}'\n    return db.execute(query)"
  }
}

Response Format¶

{
  "data": {
    "vulnerabilities": [
      {
        "type": "SQL_INJECTION",
        "severity": "HIGH",
        "confidence": 0.95,
        "line": 3,
        "column": 12,
        "code": "query = f'SELECT * FROM users WHERE id = {id}'",
        "message": "User input 'id' flows into SQL query without sanitization",
        "cwe": "CWE-89",
        "remediation": "Use parameterized queries: cursor.execute('SELECT * FROM users WHERE id = ?', (id,))"
      }
    ],
    "summary": {
      "total": 1,
      "high": 1,
      "medium": 0,
      "low": 0
    },
    "taint_sources": [
      {"variable": "id", "line": 1, "type": "function_parameter"}
    ],
    "taint_sinks": [
      {"function": "db.execute", "line": 4, "sink_type": "sql_execution"}
    ]
  },
  "tier_applied": "community",
  "duration_ms": 78
}

Vulnerability Types Detected¶

Type	CWE	Description
`SQL_INJECTION`	CWE-89	Unsanitized data in SQL queries
`XSS`	CWE-79	Unsanitized data in HTML output
`COMMAND_INJECTION`	CWE-78	Unsanitized data in shell commands
`PATH_TRAVERSAL`	CWE-22	Unsanitized paths in file operations
`NOSQL_INJECTION`	CWE-943	Unsanitized data in NoSQL queries
`LDAP_INJECTION`	CWE-90	Unsanitized data in LDAP queries
`SSRF`	CWE-918	Server-side request forgery
`XXE`	CWE-611	XML external entity injection

Tier Differences¶

Feature	Community	Pro	Enterprise
Single-file taint analysis	✅	✅	✅
All vulnerability types	✅	✅	✅
CWE mapping	✅	✅	✅
Remediation suggestions	✅	✅	✅
Custom sinks	—	✅	✅
Compliance mapping	—	—	✅

Full deep dive

unified_sink_detect¶

Detect dangerous sinks across multiple languages with confidence scoring.

What It Does¶

unified_sink_detect identifies dangerous operations in any supported language:

Polyglot: Works with Python, JavaScript, TypeScript, Java
Confidence scoring: How certain each detection is
Sink categories: SQL, shell, file, network, crypto, deserialization
No false positives: Conservative detection

When AI Agents Use This¶

Scanning mixed-language projects
Finding all dangerous operations in code
Security auditing unfamiliar codebases
Identifying areas needing security review

Quick Reference¶

Property	Value
Tier	Community
Languages	Python, JavaScript, TypeScript, Java
Token Cost	~50-200 tokens

Parameters¶

Parameter	Type	Required	Description
`code`	string	✓	Code to scan
`language`	string	✓	"python", "javascript", "typescript", "java"
`confidence_threshold`	float		Min confidence (default: 0.7)

Example Usage¶

Prompt:

"Find dangerous operations in this JavaScript"

Tool Call:

{
  "tool": "unified_sink_detect",
  "parameters": {
    "code": "const result = eval(userInput);",
    "language": "javascript"
  }
}

Response Format¶

{
  "data": {
    "sinks": [
      {
        "function": "eval",
        "line": 1,
        "column": 16,
        "category": "code_execution",
        "confidence": 0.95,
        "danger_level": "CRITICAL",
        "description": "eval() executes arbitrary code"
      }
    ],
    "total_sinks": 1,
    "by_category": {
      "code_execution": 1
    }
  },
  "tier_applied": "community",
  "duration_ms": 25
}

Full deep dive

cross_file_security_scan¶

Track taint flow across module boundaries.

What It Does¶

cross_file_security_scan finds vulnerabilities that span multiple files:

Cross-module tracking: Follows data through imports
Call chain analysis: Traces function calls across files
Full flow visualization: Shows complete taint path
Mermaid diagrams: Visual representation of flows

When AI Agents Use This¶

Finding vulnerabilities in large codebases
Understanding how user input flows through the app
Security auditing with full context
Identifying indirect vulnerabilities

Quick Reference¶

Property	Value
Tier	Pro
Languages	Python, JavaScript, TypeScript
Token Cost	~200-1000 tokens

Parameters¶

Parameter	Type	Description
`project_root`	string	Project root directory
`entry_points`	array	Starting functions (optional)
`max_depth`	int	Max call depth (default: 5)
`include_diagram`	bool	Include Mermaid diagram (default: true)
`timeout_seconds`	int	Max analysis time (default: 120)

Example Usage¶

Prompt:

"Find cross-file vulnerabilities in this project"

Tool Call:

{
  "tool": "cross_file_security_scan",
  "parameters": {
    "project_root": "/path/to/project",
    "entry_points": ["routes.py:handle_request"]
  }
}

Response Format¶

{
  "data": {
    "vulnerabilities": [
      {
        "type": "SQL_INJECTION",
        "severity": "HIGH",
        "confidence": 0.92,
        "source_file": "routes.py",
        "source_line": 15,
        "sink_file": "database.py",
        "sink_line": 42,
        "flow": [
          {"file": "routes.py", "line": 15, "variable": "user_id"},
          {"file": "services.py", "line": 28, "variable": "id"},
          {"file": "database.py", "line": 42, "variable": "query"}
        ],
        "message": "User input from routes.py flows to SQL execution in database.py"
      }
    ],
    "diagram": "graph LR\n  A[routes.py:15] -->|user_id| B[services.py:28]\n  B -->|id| C[database.py:42]",
    "files_analyzed": 12,
    "total_flows_traced": 45
  },
  "tier_applied": "pro",
  "duration_ms": 2340
}

Tier Differences¶

Feature	Community	Pro	Enterprise
Available	—	✅	✅
Max modules	—	500	Unlimited
Max depth	—	5	Unlimited
Mermaid diagrams	—	✅	✅
Custom entry points	—	✅	✅
Compliance reporting	—	—	✅

Full deep dive

scan_dependencies¶

Check project dependencies for known vulnerabilities.

What It Does¶

scan_dependencies queries the OSV (Open Source Vulnerabilities) database:

CVE lookup: Checks all dependencies against OSV
Severity ratings: CVSS scores and severity levels
Fix suggestions: Which version to upgrade to
Dev dependencies: Optionally include dev dependencies

When AI Agents Use This¶

Checking project security posture
Finding vulnerable dependencies
Planning upgrade paths
Security audits

Quick Reference¶

Property	Value
Tier	Community
Languages	Python (requirements.txt, pyproject.toml)
Token Cost	~100-300 tokens

Parameters¶

Parameter	Type	Description
`path`	string	Path to requirements file
`project_root`	string	Project root to auto-detect
`include_dev`	bool	Include dev dependencies (default: true)
`scan_vulnerabilities`	bool	Query OSV database (default: true)

Example Usage¶

Prompt:

"Check if my dependencies have any known vulnerabilities"

Tool Call:

{
  "tool": "scan_dependencies",
  "parameters": {
    "project_root": "/path/to/project"
  }
}

Response Format¶

{
  "data": {
    "vulnerabilities": [
      {
        "package": "requests",
        "installed_version": "2.25.0",
        "vulnerability_id": "CVE-2023-32681",
        "severity": "MEDIUM",
        "cvss_score": 6.1,
        "description": "Unintended leak of Proxy-Authorization header",
        "fixed_version": "2.31.0",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681"
      }
    ],
    "total_packages": 45,
    "vulnerable_packages": 1,
    "summary": {
      "critical": 0,
      "high": 0,
      "medium": 1,
      "low": 0
    }
  },
  "tier_applied": "community",
  "duration_ms": 1250
}

Full deep dive

type_evaporation_scan¶

Detect TypeScript type safety issues at API boundaries.

What It Does¶

type_evaporation_scan finds places where TypeScript types "evaporate":

API boundaries: Where TS types meet JS runtime
JSON parsing: JSON.parse() returns any
External data: User input, API responses
Type assertions: Dangerous as casts

When AI Agents Use This¶

Reviewing TypeScript code for type safety
Finding runtime type issues
Improving type coverage
Security auditing TS applications

Quick Reference¶

Property	Value
Tier	Pro
Languages	TypeScript
Token Cost	~100-300 tokens

Parameters¶

Parameter	Type	Required	Description
`frontend_code`	string	✓	TypeScript frontend code
`backend_code`	string	✓	Python backend code
`frontend_file`	string		Frontend filename hint
`backend_file`	string		Backend filename hint

Example Usage¶

Prompt:

"Check for type safety issues between frontend and backend"

Tool Call:

{
  "tool": "type_evaporation_scan",
  "parameters": {
    "frontend_code": "const user = await fetch('/api/user').then(r => r.json())\nuser.name.toUpperCase()",
    "backend_code": "def get_user():\n    return {'name': None}"
  }
}

Response Format¶

{
  "data": {
    "evaporation_points": [
      {
        "location": "frontend.ts:1",
        "type": "json_parse",
        "description": "r.json() returns 'any', losing type safety",
        "risk": "HIGH",
        "recommendation": "Add type assertion or use zod/io-ts validation"
      }
    ],
    "type_mismatches": [
      {
        "frontend_type": "string",
        "backend_type": "Optional[str]",
        "field": "name",
        "risk": "Backend can return None, frontend assumes string"
      }
    ]
  },
  "tier_applied": "pro",
  "duration_ms": 156
}

Full deep dive

Security Workflow¶

Recommended Scanning Flow¶

1. scan_dependencies()
   → Check for vulnerable packages first

2. security_scan() on individual files
   → Find single-file vulnerabilities

3. cross_file_security_scan()
   → Find vulnerabilities spanning files

4. type_evaporation_scan() (if TypeScript)
   → Find type safety issues

Analysis Tools - Understand code before scanning
Extraction Tools - Extract vulnerable code for fixing
Symbolic Tools - Verify fixes don't break behavior

Security Tools¶

Tools in This Category¶

security_scan¶

What It Does¶

When AI Agents Use This¶

Quick Reference¶

Parameters¶

Example Usage¶

Response Format¶

Vulnerability Types Detected¶

Tier Differences¶

unified_sink_detect¶

What It Does¶

When AI Agents Use This¶

Quick Reference¶

Parameters¶

Example Usage¶

Response Format¶

cross_file_security_scan¶

What It Does¶

When AI Agents Use This¶

Quick Reference¶

Parameters¶

Example Usage¶

Response Format¶

Tier Differences¶

scan_dependencies¶

What It Does¶

When AI Agents Use This¶

Quick Reference¶

Parameters¶

Example Usage¶

Response Format¶

type_evaporation_scan¶

What It Does¶

When AI Agents Use This¶

Quick Reference¶

Parameters¶

Example Usage¶

Response Format¶

Security Workflow¶

Recommended Scanning Flow¶

Related Categories¶