@kevinrabun/judges 3.20.14 → 3.21.0

package/CHANGELOG.md

@@ -2,6 +2,41 @@
 
 All notable changes to **@kevinrabun/judges** are documented here.
 
+## [3.21.0] — 2026-03-05
+
+### Added — P0: GitHub Action CI/CD
+- **PR inline review comments** — New `pr-review` input in `action.yml` posts findings as inline PR review comments with severity badges, auto-fix hints, and judge attribution
+- **Diff-only mode** — New `diff-only` input restricts analysis to changed files using `git diff`, dramatically reducing CI noise on large repos
+- **Baseline filtering** — New `baseline-file` input suppresses known findings via a baseline JSON, surfacing only new issues in PRs
+- **Improved step summary** — GitHub Actions summary now includes findings table, score badge, and must-fix gate status
+
+### Added — P1: Core Engine Enhancements
+- **AST context in more evaluators** — `AnalyzeContext` interface pipes tree-sitter AST data into cybersecurity (scope-aware taint), performance (async/complexity detection), and authentication (decorator/import awareness) evaluators
+- **`fix_code` MCP tool** — New tool evaluates code and auto-applies all available patches, returning fixed code + summary of remaining findings
+- **Multi-language framework evaluators** — Extended `framework-safety.ts` from JS/TS-only to 8 frameworks: Django (6 rules), Flask (4), FastAPI (1), Spring Boot (6), ASP.NET Core (6), Go/Gin/Echo/Fiber (5)
+
+### Added — P2: Depth & Tooling
+- **20+ new auto-fix patches** — Added patches for Python (7), Go (2), Java (5), C# (4), Rust (2) covering SQL injection, command injection, weak hashing, empty catch, and more
+- **VS Code findings panel** — TreeView-based panel with sort-by-severity/judge, filter controls, go-to-line navigation, and 7 new commands (`judges.showFindingsPanel`, `judges.sortBySeverity`, etc.)
+- **Cross-file type/state tracking** — Three new project-level detectors: `detectSharedMutableState()`, `detectTypeSafetyGaps()`, `detectScatteredEnvAccess()` in `project.ts`
+- **Taint tracker language depth** — Expanded from 5 to 9 language-specific pattern sets with `LanguagePatternSet` interface; each set defines sources, sinks, sanitizers, assign patterns, and guard conditions
+
+### Added — P3: Breadth & Polish
+- **PHP/Ruby/Kotlin/Swift language support** — Added 4 new languages to `LangFamily`, expanded all ~35 pattern constants in `language-patterns.ts`, added 4 complete taint tracker pattern sets (PHP: 7 sources/11 sinks/11 sanitizers, Ruby: 9/11/10, Kotlin: 9/8/8, Swift: 8/9/6)
+- **Performance & snapshot tests** — 3 new test suites: performance budgets (tribunal <5s, per-judge <500ms, evaluateDiff <3s, large-block <15s), rule coverage stability (≥30 judges, 100-600 findings, required families, severity distribution), multi-language pattern coverage (8 tests for PHP/Ruby/Kotlin/Swift)
+- **Framework version awareness** — `detectFrameworkVersions()` extracts versions from 14 manifest/config patterns; `getVersionConfidenceAdjustment()` applies version-specific confidence rules for Django 4+, Spring 3+, Next.js 13+/14+, Express 5+, Rails 6+/7+, Laravel 9+, ASP.NET 8+; integrated into `applyFrameworkAwareness()`
+- **MCP workspace & streaming tools** — 3 new MCP tools: `list_files` (recursive directory listing with skip-dirs), `read_file` (content reading with line-range slicing), `evaluate_with_progress` (progressive judge-by-judge reporting with count updates)
+
+### Changed
+- **MCP tool count** — 10 → 13 tools registered in `server.json`
+- **`applyFrameworkAwareness()` rewritten** — Now combines framework mitigation with version-aware confidence adjustments and stacked provenance notes
+- **`register.ts` modular architecture** — Now orchestrates 4 registration modules: evaluation, workflow, fix, workspace
+
+### Tests
+- 19 new performance/snapshot/multi-language tests in `judges.test.ts`
+- 19 new framework version awareness tests in `subsystems.test.ts`
+- 1006 tests in judges.test.ts, 392 tests in subsystems.test.ts — all passing
+
 ## [3.20.14] — 2026-03-04
 
 ### Added

package/dist/ast/taint-tracker.d.ts

@@ -29,7 +29,9 @@ export type TaintSinkKind = "code-execution" | "command-exec" | "sql-query" | "x
  * dangerous sinks through variable assignments and string concatenation.
  *
  * For JS/TS, uses the TypeScript compiler AST for precise variable tracking.
- * For other languages, falls back to regex-based lightweight analysis.
+ * For Python, Java, Go, C#, and Rust: uses language-specific source/sink/
+ * sanitizer patterns for deeper analysis.
+ * For other languages, falls back to generic regex-based analysis.
  */
 export declare function analyzeTaintFlows(code: string, language: string): TaintFlow[];
 //# sourceMappingURL=taint-tracker.d.ts.map

package/dist/ast/taint-tracker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"taint-tracker.d.ts","sourceRoot":"","sources":["../../src/ast/taint-tracker.ts"],"names":[],"mappings":"AAmBA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,0CAA0C;IAC1C,MAAM,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,eAAe,CAAC;KACvB,CAAC;IACF,kDAAkD;IAClD,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,aAAa,CAAC;KACrB,CAAC;IACF,qDAAqD;IACrD,aAAa,EAAE,KAAK,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;IACH,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,YAAY,GACZ,aAAa,GACb,WAAW,GACX,eAAe,CAAC;AAEpB,MAAM,MAAM,aAAa,GACrB,gBAAgB,GAChB,cAAc,GACd,WAAW,GACX,KAAK,GACL,gBAAgB,GAChB,UAAU,GACV,UAAU,GACV,iBAAiB,CAAC;AAoPtB;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,SAAS,EAAE,CAU7E"}
+{"version":3,"file":"taint-tracker.d.ts","sourceRoot":"","sources":["../../src/ast/taint-tracker.ts"],"names":[],"mappings":"AAmBA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,0CAA0C;IAC1C,MAAM,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,eAAe,CAAC;KACvB,CAAC;IACF,kDAAkD;IAClD,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,aAAa,CAAC;KACrB,CAAC;IACF,qDAAqD;IACrD,aAAa,EAAE,KAAK,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;IACH,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,YAAY,GACZ,aAAa,GACb,WAAW,GACX,eAAe,CAAC;AAEpB,MAAM,MAAM,aAAa,GACrB,gBAAgB,GAChB,cAAc,GACd,WAAW,GACX,KAAK,GACL,gBAAgB,GAChB,UAAU,GACV,UAAU,GACV,iBAAiB,CAAC;AAguBtB;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,SAAS,EAAE,CAY7E"}

package/dist/ast/taint-tracker.js

@@ -208,13 +208,480 @@ function getFnName(node) {
     }
     return undefined;
 }
+const PYTHON_PATTERNS = {
+    sources: [
+        {
+            pattern: /\brequest\.(?:form|args|json|data|values|files|cookies|headers)\b(?:\[|\.get\s*\()/i,
+            kind: "http-param",
+        },
+        { pattern: /\brequest\.GET\b(?:\[|\.get\s*\()/i, kind: "http-param" },
+        { pattern: /\brequest\.POST\b(?:\[|\.get\s*\()/i, kind: "http-param" },
+        { pattern: /\brequest\.(?:query_params|query_string)\b/i, kind: "http-param" },
+        { pattern: /\bflask\.request\.\w+/i, kind: "http-param" },
+        { pattern: /\binput\s*\(/i, kind: "user-input" },
+        { pattern: /\bsys\.stdin\b/i, kind: "user-input" },
+        { pattern: /\bos\.environ\b(?:\[|\.get\s*\()/i, kind: "environment" },
+        { pattern: /\burlparse\s*\(|parse_qs\s*\(/i, kind: "url-param" },
+        { pattern: /\bopen\s*\(.*\)\.read/i, kind: "external-data" },
+        { pattern: /\brequests\.(?:get|post|put|delete)\s*\(/i, kind: "external-data" },
+        { pattern: /\bjson\.loads?\s*\(/i, kind: "external-data" },
+    ],
+    sinks: [
+        { pattern: /\bexec\s*\(/i, kind: "code-execution" },
+        { pattern: /\beval\s*\(/i, kind: "code-execution" },
+        { pattern: /\bcompile\s*\(.*\).*\bexec\b/i, kind: "code-execution" },
+        { pattern: /\bos\.system\s*\(/i, kind: "command-exec" },
+        { pattern: /\bos\.popen\s*\(/i, kind: "command-exec" },
+        {
+            pattern: /\bsubprocess\.(?:Popen|run|call|check_output|check_call|getoutput|getstatusoutput)\s*\(/i,
+            kind: "command-exec",
+        },
+        { pattern: /\bcursor\.execute\s*\(/i, kind: "sql-query" },
+        { pattern: /\b(?:connection|conn|db)\.execute\s*\(/i, kind: "sql-query" },
+        { pattern: /\braw\s*\(\s*["'`]?\s*(?:SELECT|INSERT|UPDATE|DELETE)\b/i, kind: "sql-query" },
+        { pattern: /\.(?:extra|raw)\s*\(/i, kind: "sql-query" },
+        { pattern: /\brender_template_string\s*\(/i, kind: "template" },
+        { pattern: /\bTemplate\s*\(.*\)\.render\s*\(/i, kind: "template" },
+        { pattern: /\bJinja2\.\w*\.from_string\s*\(/i, kind: "template" },
+        { pattern: /\bmarkup\s*\(.*\+/i, kind: "xss" },
+        { pattern: /\bopen\s*\(.*user|path|file|name/i, kind: "path-traversal" },
+        { pattern: /\bredirect\s*\(/i, kind: "redirect" },
+        { pattern: /\bpickle\.loads?\s*\(/i, kind: "deserialization" },
+        { pattern: /\byaml\.(?:load|unsafe_load)\s*\(/i, kind: "deserialization" },
+        { pattern: /\bmarshal\.loads?\s*\(/i, kind: "deserialization" },
+    ],
+    sanitizers: [
+        /\bbleach\.clean\s*\(/i,
+        /\bmarkup_safe\b/i,
+        /\bescape\s*\(/i,
+        /\bMarkup\b/i,
+        /\bquote\s*\(/i,
+        /\bshlex\.quote\s*\(/i,
+        /\bshellescape\s*\(/i,
+        /\bsanitize\w*\s*\(/i,
+        /\bvalidator\.\w+\s*\(/i,
+        /\bpydantic\b/i,
+        /\b%s\b.*\bexecute\s*\(/i, // parameterized query
+        /\bparamstyle\b/i,
+        /\bsqlalchemy\.text\s*\(/i,
+    ],
+    assignPattern: /^\s*(\w+)\s*(?::\s*\w[\w[\], |]*\s*)?=\s*(.+)/,
+    guards: [
+        /if[ \t]+(?:not[ \t]+)?isinstance\s*\(/i,
+        /if[ \t]+(?:not[ \t]+)?\w+\s*(?:is|==|!=)\s*None/i,
+        /raise[ \t]+(?:ValueError|TypeError|ValidationError)/i,
+        /assert[ \t]+isinstance\s*\(/i,
+        /\.validate\s*\(|\.is_valid\s*\(/i,
+    ],
+};
+const JAVA_PATTERNS = {
+    sources: [
+        { pattern: /\b(?:request|req|httpRequest)\.getParameter\s*\(/i, kind: "http-param" },
+        { pattern: /\brequest\.getAttribute\s*\(/i, kind: "http-param" },
+        { pattern: /\brequest\.getHeader\s*\(/i, kind: "http-param" },
+        { pattern: /\brequest\.getQueryString\s*\(/i, kind: "http-param" },
+        { pattern: /\brequest\.getInputStream\s*\(/i, kind: "http-param" },
+        { pattern: /\brequest\.getReader\s*\(/i, kind: "http-param" },
+        { pattern: /\brequest\.getCookies\s*\(/i, kind: "http-param" },
+        { pattern: /\b@RequestParam\b/i, kind: "http-param" },
+        { pattern: /\b@PathVariable\b/i, kind: "url-param" },
+        { pattern: /\b@RequestBody\b/i, kind: "http-param" },
+        { pattern: /\b@RequestHeader\b/i, kind: "http-param" },
+        { pattern: /\bSystem\.getenv\s*\(/i, kind: "environment" },
+        { pattern: /\bScanner\s*\(\s*System\.in\b/i, kind: "user-input" },
+        { pattern: /\bBufferedReader\b.*\bInputStreamReader\b.*\bSystem\.in\b/i, kind: "user-input" },
+        { pattern: /\bargs\[/i, kind: "user-input" },
+        { pattern: /\bnew\s+ObjectMapper\b.*\.read/i, kind: "external-data" },
+        { pattern: /\bURL\s*\(.*\)\.openStream\s*\(/i, kind: "external-data" },
+    ],
+    sinks: [
+        { pattern: /\bRuntime\.getRuntime\s*\(\)\.exec\s*\(/i, kind: "command-exec" },
+        { pattern: /\bProcessBuilder\b/i, kind: "command-exec" },
+        { pattern: /\bStatement\b.*\.(?:execute|executeQuery|executeUpdate)\s*\(/i, kind: "sql-query" },
+        { pattern: /\.(?:createQuery|createNativeQuery)\s*\(/i, kind: "sql-query" },
+        { pattern: /\bString\.format\s*\(.*(?:SELECT|INSERT|UPDATE|DELETE)\b/i, kind: "sql-query" },
+        { pattern: /\bScriptEngine\b.*\.eval\s*\(/i, kind: "code-execution" },
+        { pattern: /\bClass\.forName\s*\(/i, kind: "code-execution" },
+        { pattern: /\.newInstance\s*\(/i, kind: "code-execution" },
+        { pattern: /\bXStream\b.*\.fromXML\s*\(/i, kind: "deserialization" },
+        { pattern: /\bObjectInputStream\b.*\.readObject\s*\(/i, kind: "deserialization" },
+        { pattern: /\bnew\s+File\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bFiles\.(?:read|write|copy|move|newInputStream)\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bresponse\.sendRedirect\s*\(/i, kind: "redirect" },
+        { pattern: /\.(?:forward|include)\s*\(/i, kind: "redirect" },
+        { pattern: /\bVelocity\b.*\.evaluate\s*\(/i, kind: "template" },
+        { pattern: /\bFreemarkerConfiguration\b/i, kind: "template" },
+    ],
+    sanitizers: [
+        /\bPreparedStatement\b/i,
+        /\bEncoder\.encode\s*\(/i,
+        /\bOWASP\.\w+\.encode\s*\(/i,
+        /\bHtmlUtils\.htmlEscape\s*\(/i,
+        /\bStringEscapeUtils\.escape\w+\s*\(/i,
+        /\bPattern\.matches\s*\(/i,
+        /\b@Valid\b/i,
+        /\b@Validated\b/i,
+        /\bBindingResult\b/i,
+        /\bInputValidator\b/i,
+        /\bwhitelist\s*\(/i,
+        /\bSanitizers\.\w+\s*\(/i,
+    ],
+    assignPattern: /^\s*(?:(?:final|var|String|int|long|double|boolean|byte|short|float|char|Object|List|Map|Set|Integer|Long|Double|Boolean|Optional|HttpServletRequest)\s+)*(\w+)\s*=\s*(.+);/,
+    guards: [
+        /if[ \t]*\([ \t]*\w+[ \t]*==[ \t]*null/i,
+        /\bObjects\.requireNonNull\s*\(/i,
+        /\bOptional\.ofNullable\s*\(/i,
+        /\bif[ \t]*\([ \t]*!?\w+\.(?:isEmpty|isBlank|matches|startsWith)\s*\(/i,
+        /throw[ \t]+new[ \t]+(?:IllegalArgumentException|ValidationException)/i,
+    ],
+};
+const GO_PATTERNS = {
+    sources: [
+        { pattern: /\br\.(?:FormValue|PostFormValue)\s*\(/i, kind: "http-param" },
+        { pattern: /\br\.URL\.Query\s*\(\)/i, kind: "http-param" },
+        { pattern: /\br\.Header\.Get\s*\(/i, kind: "http-param" },
+        { pattern: /\br\.Body\b/i, kind: "http-param" },
+        { pattern: /\bc\.(?:Query|Param|PostForm|FormValue|GetHeader)\s*\(/i, kind: "http-param" },
+        { pattern: /\bc\.(?:BindJSON|ShouldBindJSON|Bind)\s*\(/i, kind: "http-param" },
+        { pattern: /\bos\.Getenv\s*\(/i, kind: "environment" },
+        { pattern: /\bos\.Args\b/i, kind: "user-input" },
+        { pattern: /\bflag\.(?:String|Int|Bool|Arg)\s*\(/i, kind: "user-input" },
+        { pattern: /\bbufio\.NewReader\s*\(\s*os\.Stdin\b/i, kind: "user-input" },
+        { pattern: /\bjson\.(?:Unmarshal|NewDecoder)\s*\(/i, kind: "external-data" },
+        { pattern: /\bhttp\.Get\s*\(/i, kind: "external-data" },
+        { pattern: /\bioutil\.ReadAll\s*\(/i, kind: "external-data" },
+        { pattern: /\bio\.ReadAll\s*\(/i, kind: "external-data" },
+    ],
+    sinks: [
+        { pattern: /\bexec\.Command\s*\(/i, kind: "command-exec" },
+        { pattern: /\bexec\.CommandContext\s*\(/i, kind: "command-exec" },
+        { pattern: /\bos\.(?:StartProcess|Exec)\s*\(/i, kind: "command-exec" },
+        { pattern: /\bdb\.(?:Query|Exec|QueryRow|QueryContext|ExecContext)\s*\(/i, kind: "sql-query" },
+        { pattern: /\bsql\.(?:Open|Query)\s*\(/i, kind: "sql-query" },
+        { pattern: /\bfmt\.Sprintf\s*\(.*(?:SELECT|INSERT|UPDATE|DELETE)\b/i, kind: "sql-query" },
+        { pattern: /\btemplate\.(?:New|Must)\s*\(.*\.Parse\s*\(/i, kind: "template" },
+        { pattern: /\bhtml\/template\b.*\.Execute\s*\(/i, kind: "template" },
+        { pattern: /\btext\/template\b.*\.Execute\s*\(/i, kind: "template" },
+        { pattern: /\bos\.(?:Open|Create|OpenFile|ReadFile|WriteFile)\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bfilepath\.Join\s*\(.*\+/i, kind: "path-traversal" },
+        { pattern: /\bhttp\.Redirect\s*\(/i, kind: "redirect" },
+        { pattern: /\bgob\.NewDecoder\b.*\.Decode\s*\(/i, kind: "deserialization" },
+        { pattern: /\bencoding\/gob\b/i, kind: "deserialization" },
+        { pattern: /\byaml\.Unmarshal\s*\(/i, kind: "deserialization" },
+    ],
+    sanitizers: [
+        /\bhtml\.EscapeString\s*\(/i,
+        /\burl\.QueryEscape\s*\(/i,
+        /\burl\.PathEscape\s*\(/i,
+        /\btemplate\.HTMLEscapeString\s*\(/i,
+        /\bstrconv\.(?:Atoi|ParseInt|ParseFloat|ParseBool)\s*\(/i,
+        /\bregexp\.MustCompile\b.*\.(?:MatchString|FindString)\s*\(/i,
+        /\bfilepath\.Clean\s*\(/i,
+        /\bpath\.Clean\s*\(/i,
+        /\bsqlx?\.\w*Prepared\b/i,
+        /\bValidate\.\w+\s*\(/i,
+    ],
+    assignPattern: /^\s*(?:var\s+)?(\w+)\s*(?::=|=)\s*(.+)/,
+    guards: [
+        /if[ \t]+\w+[ \t]*(?:==|!=)[ \t]*nil/i,
+        /if[ \t]+err[ \t]*!=[ \t]*nil/i,
+        /if[ \t]+!?(?:strings\.Contains|strings\.HasPrefix|regexp)\b/i,
+        /if[ \t]+len\s*\(\w+\)[ \t]*(?:==|!=|<|>|<=|>=)/i,
+    ],
+};
+const CSHARP_PATTERNS = {
+    sources: [
+        { pattern: /\bRequest\.(?:Form|QueryString|Query|Params|Headers|Cookies)\b/i, kind: "http-param" },
+        { pattern: /\bRequest\.(?:Body|InputStream)\b/i, kind: "http-param" },
+        { pattern: /\b\[FromQuery\]/i, kind: "http-param" },
+        { pattern: /\b\[FromBody\]/i, kind: "http-param" },
+        { pattern: /\b\[FromForm\]/i, kind: "http-param" },
+        { pattern: /\b\[FromHeader\]/i, kind: "http-param" },
+        { pattern: /\b\[FromRoute\]/i, kind: "url-param" },
+        { pattern: /\bHttpContext\.Request\b/i, kind: "http-param" },
+        { pattern: /\bEnvironment\.GetEnvironmentVariable\s*\(/i, kind: "environment" },
+        { pattern: /\bConsole\.ReadLine\s*\(/i, kind: "user-input" },
+        { pattern: /\bargs\[/i, kind: "user-input" },
+        { pattern: /\bHttpClient\b.*\.(?:GetAsync|PostAsync|GetStringAsync)\s*\(/i, kind: "external-data" },
+        { pattern: /\bJsonSerializer\.Deserialize\s*\(/i, kind: "external-data" },
+        { pattern: /\bJsonConvert\.DeserializeObject\s*\(/i, kind: "external-data" },
+    ],
+    sinks: [
+        { pattern: /\bProcess\.Start\s*\(/i, kind: "command-exec" },
+        { pattern: /\bProcessStartInfo\b/i, kind: "command-exec" },
+        { pattern: /\bSqlCommand\b.*\.(?:ExecuteReader|ExecuteNonQuery|ExecuteScalar)\s*\(/i, kind: "sql-query" },
+        { pattern: /\bnew\s+SqlCommand\s*\(\s*(?:\$"|".*\+)/i, kind: "sql-query" },
+        { pattern: /\.(?:FromSqlRaw|ExecuteSqlRaw|SqlQuery)\s*\(/i, kind: "sql-query" },
+        { pattern: /\bstring\.Format\s*\(.*(?:SELECT|INSERT|UPDATE|DELETE)\b/i, kind: "sql-query" },
+        { pattern: /\bCSharpScript\.EvaluateAsync\s*\(/i, kind: "code-execution" },
+        { pattern: /\bAssembly\.Load\s*\(/i, kind: "code-execution" },
+        { pattern: /\bActivator\.CreateInstance\s*\(/i, kind: "code-execution" },
+        { pattern: /\bBinaryFormatter\b.*\.Deserialize\s*\(/i, kind: "deserialization" },
+        { pattern: /\bXmlSerializer\b.*\.Deserialize\s*\(/i, kind: "deserialization" },
+        { pattern: /\bFile\.(?:ReadAllText|ReadAllBytes|ReadAllLines|Open|OpenRead)\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bPath\.Combine\s*\(.*\+/i, kind: "path-traversal" },
+        { pattern: /\bResponse\.Redirect\s*\(/i, kind: "redirect" },
+        { pattern: /\bRedirectToAction\s*\(/i, kind: "redirect" },
+        { pattern: /\b@Html\.Raw\s*\(/i, kind: "xss" },
+        { pattern: /\bHtmlHelper\b.*\.Raw\s*\(/i, kind: "xss" },
+    ],
+    sanitizers: [
+        /\bHtmlEncoder\.Default\.Encode\s*\(/i,
+        /\bWebUtility\.HtmlEncode\s*\(/i,
+        /\bUrlEncoder\.Default\.Encode\s*\(/i,
+        /\bAntiXssEncoder\.\w+\s*\(/i,
+        /\b\[ValidateAntiForgeryToken\]/i,
+        /\bModelState\.IsValid\b/i,
+        /\b\[Required\]/i,
+        /\b\[StringLength\b/i,
+        /\b\[RegularExpression\b/i,
+        /\bSqlParameter\b/i,
+        /\bParameterized\b/i,
+        /\bAddWithValue\s*\(/i,
+        /\bInputValidator\b/i,
+    ],
+    assignPattern: /^\s*(?:(?:var|string|int|long|double|bool|float|decimal|object|dynamic|char|byte|List|Dictionary|IEnumerable|Task)\s*(?:<[^>]+>\s*)?)?(\w+)\s*=\s*(.+);/,
+    guards: [
+        /if[ \t]*\([ \t]*\w+[ \t]*(?:==|!=)[ \t]*null/i,
+        /\bif[ \t]*\([ \t]*!?string\.IsNullOrEmpty\s*\(/i,
+        /\bif[ \t]*\([ \t]*!?string\.IsNullOrWhiteSpace\s*\(/i,
+        /\?\?[ \t]+throw\b/i,
+        /\bargument\w*Exception\b/i,
+        /\bModelState\.IsValid\b/i,
+    ],
+};
+const RUST_PATTERNS = {
+    sources: [
+        { pattern: /\b(?:web|actix_web)::(?:Query|Form|Json|Path)\b/i, kind: "http-param" },
+        { pattern: /\breq\.(?:body|param|query|header)\s*\(/i, kind: "http-param" },
+        { pattern: /\baxum::extract::(?:Query|Form|Json|Path)\b/i, kind: "http-param" },
+        { pattern: /\bstd::env::(?:var|args)\b/i, kind: "environment" },
+        { pattern: /\bstd::io::stdin\b/i, kind: "user-input" },
+        { pattern: /\bserde_json::from_str\s*\(/i, kind: "external-data" },
+        { pattern: /\breqwest::(?:get|Client)\b/i, kind: "external-data" },
+    ],
+    sinks: [
+        { pattern: /\bCommand::new\s*\(/i, kind: "command-exec" },
+        { pattern: /\bstd::process::Command\b/i, kind: "command-exec" },
+        { pattern: /\.(?:query|execute|query_as|query_scalar)\s*\(/i, kind: "sql-query" },
+        { pattern: /\bformat!\s*\(.*(?:SELECT|INSERT|UPDATE|DELETE)\b/i, kind: "sql-query" },
+        { pattern: /\bstd::fs::(?:read_to_string|read|write|File::open)\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bFile::open\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bserde_json::from_value\s*\(/i, kind: "deserialization" },
+        { pattern: /\bbincode::deserialize\s*\(/i, kind: "deserialization" },
+        { pattern: /\bRedirect::to\s*\(/i, kind: "redirect" },
+    ],
+    sanitizers: [
+        /\bhtml_escape\s*\(/i,
+        /\bammonia::clean\s*\(/i,
+        /\bencode_safe\s*\(/i,
+        /\bsqlx::query!\s*\(/i,
+        /\b\.bind\s*\(/i,
+        /\.parse::<(?:i32|i64|u32|u64|f64|usize|bool)>/i,
+        /\bvalidate\s*\(\)/i,
+        /\bPath::new\s*\(.*\)\.canonicalize\s*\(/i,
+    ],
+    assignPattern: /^\s*(?:let\s+(?:mut\s+)?)?(\w+)\s*(?::\s*[\w<>&, [\]]+\s*)?=\s*(.+);/,
+    guards: [
+        /\bmatch\s+\w+\s*\{/i,
+        /if[ \t]+let[ \t]+Some\b/i,
+        /\.(?:unwrap_or|unwrap_or_else|unwrap_or_default)\s*\(/i,
+        /\.is_(?:some|none|ok|err)\s*\(\)/i,
+        /\bensure!\s*\(/i,
+        /\banyhow::ensure!\s*\(/i,
+    ],
+};
+const PHP_PATTERNS = {
+    sources: [
+        { pattern: /\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\[/i, kind: "http-param" },
+        { pattern: /\$request->(?:input|get|post|query|all)\s*\(/i, kind: "http-param" },
+        { pattern: /\$_ENV\[|getenv\s*\(/i, kind: "environment" },
+        { pattern: /\$argv\b|fgets\s*\(\s*STDIN\b/i, kind: "user-input" },
+        { pattern: /file_get_contents\s*\(\s*['"]php:\/\/input/i, kind: "http-param" },
+        { pattern: /json_decode\s*\(\s*file_get_contents/i, kind: "external-data" },
+        { pattern: /\$_SESSION\[/i, kind: "external-data" },
+    ],
+    sinks: [
+        { pattern: /\b(?:exec|system|passthru|shell_exec|popen|proc_open)\s*\(/i, kind: "command-exec" },
+        { pattern: /\beval\s*\(|preg_replace\b.*\/e/i, kind: "code-execution" },
+        { pattern: /\bmysqli?_query\s*\(/i, kind: "sql-query" },
+        { pattern: /\$(?:pdo|db|conn)->(?:query|exec)\s*\(/i, kind: "sql-query" },
+        { pattern: /->(?:where|whereRaw|selectRaw|orderByRaw)\s*\(/i, kind: "sql-query" },
+        { pattern: /\binclude\s*\(|\brequire\s*\(|include_once\s*\(|require_once\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bfile_(?:get_contents|put_contents)\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bfopen\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bheader\s*\(\s*['"]Location:/i, kind: "redirect" },
+        { pattern: /\bunserialize\s*\(/i, kind: "deserialization" },
+        { pattern: /\becho\b|\bprint\b/i, kind: "xss" },
+    ],
+    sanitizers: [
+        /\bhtmlspecialchars\s*\(/i,
+        /\bhtmlentities\s*\(/i,
+        /\bstrip_tags\s*\(/i,
+        /\baddslashes\s*\(/i,
+        /\bmysqli?_real_escape_string\s*\(/i,
+        /\bPDO::quote\s*\(/i,
+        /->(?:prepare|bindParam|bindValue)\s*\(/i,
+        /\bintval\s*\(|\bfloatval\s*\(|\b\(int\)|\b\(float\)/i,
+        /\bfilter_(?:var|input)\s*\(/i,
+        /\bpreg_match\s*\(/i,
+        /\brealpath\s*\(|basename\s*\(/i,
+    ],
+    assignPattern: /^\s*\$(\w+)\s*=\s*(.+);/,
+    guards: [
+        /if[ \t]*\([ \t]*!?(?:isset|empty|is_null|is_numeric|is_string|is_array)\s*\(/i,
+        /if[ \t]*\([ \t]*!?\$\w+\s*(?:===?|!==?)\s*(?:null|false|''|"")\b/i,
+        /\bvalidate\s*\(/i,
+        /\bpreg_match\s*\(/i,
+        /\bfilter_(?:var|input)\s*\(/i,
+    ],
+};
+const RUBY_PATTERNS = {
+    sources: [
+        { pattern: /\bparams\[/i, kind: "http-param" },
+        { pattern: /\bparams\.(?:require|permit|fetch)\s*\(/i, kind: "http-param" },
+        { pattern: /\brequest\.(?:body|env|headers|params)\b/i, kind: "http-param" },
+        { pattern: /\bENV\[|ENV\.fetch\s*\(/i, kind: "environment" },
+        { pattern: /\bARGV\b|\bgets\b|\breadline\b/i, kind: "user-input" },
+        { pattern: /\bJSON\.parse\s*\(/i, kind: "external-data" },
+        { pattern: /\bNet::HTTP\b.*\.(?:get|post)\s*\(/i, kind: "external-data" },
+        { pattern: /\bsession\[/i, kind: "external-data" },
+        { pattern: /\bcookies\[/i, kind: "http-param" },
+    ],
+    sinks: [
+        { pattern: /\bsystem\s*\(|\bexec\s*\(|\b`[^`]*#\{/i, kind: "command-exec" },
+        { pattern: /\b%x\{|Kernel\.system\s*\(/i, kind: "command-exec" },
+        { pattern: /\beval\s*\(|instance_eval\s*\(|class_eval\s*\(/i, kind: "code-execution" },
+        { pattern: /\bsend\s*\(|public_send\s*\(/i, kind: "code-execution" },
+        { pattern: /\.(?:where|find_by_sql|execute|select)\s*\(\s*(?:"|'|%|#)/i, kind: "sql-query" },
+        { pattern: /\.connection\.execute\s*\(/i, kind: "sql-query" },
+        { pattern: /\bFile\.(?:open|read|write|delete)\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bredirect_to\s*\(/i, kind: "redirect" },
+        { pattern: /\bMarshal\.load\s*\(|YAML\.load\s*\(/i, kind: "deserialization" },
+        { pattern: /\b\.html_safe\b/i, kind: "xss" },
+        { pattern: /\braw\s*\(/i, kind: "xss" },
+    ],
+    sanitizers: [
+        /\bERB::Util\.html_escape\s*\(/i,
+        /\bCGI\.escapeHTML\s*\(/i,
+        /\bsanitize\s*\(/i,
+        /\bparams\.(?:require|permit)\s*\(/i,
+        /\.to_i\b|\.to_f\b/i,
+        /\bActiveRecord::Base\.connection\.quote\s*\(/i,
+        /\.(?:where|find_by)\s*\(\s*\w+\s*:\s/i,
+        /\bMarshal\.safe_load\b|YAML\.safe_load\s*\(/i,
+        /\bRegexp\.match\s*\(/i,
+        /\bFile\.expand_path\b.*\.start_with\?\s*\(/i,
+    ],
+    assignPattern: /^\s*(\w+)\s*=\s*(.+)/,
+    guards: [
+        /\bunless\s+\w+\.(?:nil\?|blank\?|empty\?)\b/i,
+        /if[ \t]+\w+\.(?:present\?|valid\?)\b/i,
+        /\braise\s+\w+Error\b/i,
+        /\.(?:validates?|validate!)\s/i,
+    ],
+};
+const KOTLIN_PATTERNS = {
+    sources: [
+        { pattern: /\brequest\.(?:getParameter|getAttribute|getHeader)\s*\(/i, kind: "http-param" },
+        { pattern: /\b@RequestParam\b|\b@PathVariable\b|\b@RequestBody\b/i, kind: "http-param" },
+        { pattern: /\bcall\.receive\b/i, kind: "http-param" },
+        { pattern: /\bcall\.parameters\[/i, kind: "http-param" },
+        { pattern: /\bSystem\.getenv\s*\(/i, kind: "environment" },
+        { pattern: /\breadLine\s*\(\)|Scanner\s*\(\s*System\.`in`\)/i, kind: "user-input" },
+        { pattern: /\bargs\[/i, kind: "user-input" },
+        { pattern: /\bGson\(\)\.fromJson\s*\(/i, kind: "external-data" },
+        { pattern: /\bJson\.decodeFromString\s*\(/i, kind: "external-data" },
+    ],
+    sinks: [
+        { pattern: /\bRuntime\.getRuntime\(\)\.exec\s*\(/i, kind: "command-exec" },
+        { pattern: /\bProcessBuilder\s*\(/i, kind: "command-exec" },
+        { pattern: /\.(?:executeQuery|executeUpdate|createQuery|nativeQuery)\s*\(/i, kind: "sql-query" },
+        { pattern: /\bString\.format\s*\(.*(?:SELECT|INSERT|UPDATE|DELETE)\b/i, kind: "sql-query" },
+        { pattern: /\"\$\{?\w+\}?.*(?:SELECT|INSERT|UPDATE|DELETE)\b/i, kind: "sql-query" },
+        { pattern: /\bFile\s*\(\s*(?:\$|[^")]+\+)/i, kind: "path-traversal" },
+        { pattern: /\bScriptEngine\b.*\.eval\s*\(/i, kind: "code-execution" },
+        { pattern: /\bObjectInputStream\b.*\.readObject\s*\(/i, kind: "deserialization" },
+    ],
+    sanitizers: [
+        /\bPreparedStatement\b/i,
+        /\bEncoder\.encode\s*\(/i,
+        /\bHtmlUtils\.htmlEscape\s*\(/i,
+        /\bStringEscapeUtils\.escape\w+\s*\(/i,
+        /\b@Valid\b|\b@Validated\b/i,
+        /\brequire\s*\{|check\s*\{/i,
+        /\.(?:toIntOrNull|toLongOrNull|toDoubleOrNull)\s*\(/i,
+        /\bRegex\s*\(.*\)\.matches\s*\(/i,
+    ],
+    assignPattern: /^\s*(?:(?:val|var|private|internal)\s+)?(\w+)\s*(?::\s*[\w<>?, [\]]+\s*)?=\s*(.+)/,
+    guards: [
+        /if[ \t]*\([ \t]*\w+[ \t]*(?:==|!=)[ \t]*null\b/i,
+        /\?\.\s*let\s*\{/i,
+        /\brequire\s*\(/i,
+        /\bcheck\s*\(/i,
+        /if[ \t]*\([ \t]*!?\w+\.(?:isBlank|isEmpty|isNullOrBlank|isNullOrEmpty)\s*\(/i,
+    ],
+};
+const SWIFT_PATTERNS = {
+    sources: [
+        { pattern: /\breq\.(?:content|query|parameters)\b/i, kind: "http-param" },
+        { pattern: /\brequest\.(?:content|query|body)\b/i, kind: "http-param" },
+        { pattern: /\bURLComponents\b.*\.queryItems\b/i, kind: "url-param" },
+        { pattern: /\bProcessInfo\.processInfo\.environment\[/i, kind: "environment" },
+        { pattern: /\bCommandLine\.arguments\b/i, kind: "user-input" },
+        { pattern: /\breadLine\s*\(/i, kind: "user-input" },
+        { pattern: /\bJSONDecoder\(\)\.decode\s*\(/i, kind: "external-data" },
+        { pattern: /\bURLSession\b.*\.data\s*\(/i, kind: "external-data" },
+    ],
+    sinks: [
+        { pattern: /\bProcess\(\)\s*.*arguments/i, kind: "command-exec" },
+        { pattern: /\bNSTask\b/i, kind: "command-exec" },
+        { pattern: /\.(?:execute|prepare)\s*\(\s*(?:".*\\|".*\+)/i, kind: "sql-query" },
+        { pattern: /\bFileManager\b.*\.(?:contentsOfFile|createFile)\s*\(/i, kind: "path-traversal" },
+        { pattern: /\bURL\s*\(\s*fileURLWithPath:\s*(?:\w+\s*\+|"\\)/i, kind: "path-traversal" },
+        { pattern: /\bJSContext\b.*\.evaluateScript\s*\(/i, kind: "code-execution" },
+        { pattern: /\bNSExpression\s*\(/i, kind: "code-execution" },
+        { pattern: /\bNSKeyedUnarchiver\b.*\.unarchiveObject\s*\(/i, kind: "deserialization" },
+        { pattern: /\bResponse\.redirect\s*\(/i, kind: "redirect" },
+    ],
+    sanitizers: [
+        /\baddingPercentEncoding\s*\(/i,
+        /\.replacingOccurrences\s*\(of:.*with:/i,
+        /\bInt\s*\(|Double\s*\(|Float\s*\(/i,
+        /\bNSRegularExpression\b/i,
+        /\bguard\s+let\b/i,
+        /\b\.standardizedFileURL\b|\.resolvingSymlinksInPath\b/i,
+    ],
+    assignPattern: /^\s*(?:(?:let|var)\s+)?(\w+)\s*(?::\s*[\w<>?, [\]?!]+\s*)?=\s*(.+)/,
+    guards: [
+        /guard[ \t]+let\b/i,
+        /if[ \t]+let\b/i,
+        /guard[ \t]+!?\w+\.(?:isEmpty|isNil)\b/i,
+        /\bprecondition\s*\(/i,
+        /\bassert\s*\(/i,
+    ],
+};
+// Map normalized languages to their pattern sets
+const LANGUAGE_PATTERN_MAP = {
+    python: PYTHON_PATTERNS,
+    java: JAVA_PATTERNS,
+    go: GO_PATTERNS,
+    csharp: CSHARP_PATTERNS,
+    rust: RUST_PATTERNS,
+    php: PHP_PATTERNS,
+    ruby: RUBY_PATTERNS,
+    kotlin: KOTLIN_PATTERNS,
+    swift: SWIFT_PATTERNS,
+};
 // ─── Public API ──────────────────────────────────────────────────────────────
 /**
  * Analyze a source file for taint flows: paths from untrusted input to
  * dangerous sinks through variable assignments and string concatenation.
  *
  * For JS/TS, uses the TypeScript compiler AST for precise variable tracking.
- * For other languages, falls back to regex-based lightweight analysis.
+ * For Python, Java, Go, C#, and Rust: uses language-specific source/sink/
+ * sanitizer patterns for deeper analysis.
+ * For other languages, falls back to generic regex-based analysis.
  */
 export function analyzeTaintFlows(code, language) {
     const lang = normalizeLanguage(language);
@@ -222,8 +689,10 @@ export function analyzeTaintFlows(code, language) {
         case "javascript":
         case "typescript":
             return analyzeTypeScriptTaint(code, lang);
-        default:
-            return analyzeRegexTaint(code);
+        default: {
+            const langPatterns = LANGUAGE_PATTERN_MAP[lang];
+            return analyzeRegexTaint(code, langPatterns);
+        }
     }
 }
 // ─── TypeScript / JavaScript Taint Analysis ──────────────────────────────────
@@ -423,13 +892,55 @@ function analyzeTypeScriptTaint(code, language) {
     return deduplicateFlows(flows);
 }
 // ─── Regex-based Taint Analysis (non-JS/TS languages) ────────────────────────
-function analyzeRegexTaint(code) {
+/**
+ * Language-aware sanitizer check: combines global sanitizers with
+ * language-specific ones when available.
+ */
+function isLangSanitized(expression, langPatterns) {
+    if (isSanitized(expression))
+        return true;
+    if (langPatterns) {
+        for (const p of langPatterns.sanitizers) {
+            if (p.test(expression))
+                return true;
+        }
+    }
+    return false;
+}
+/**
+ * Language-aware guard clause detection: combines global guards with
+ * language-specific guard patterns.
+ */
+function detectLangGuardClauses(varName, sourceLine, sinkLine, codeLines, langPatterns) {
+    const baseReduction = detectGuardClauses(varName, sourceLine, sinkLine, codeLines);
+    if (!langPatterns)
+        return baseReduction;
+    const start = Math.min(sourceLine, sinkLine) - 1;
+    const end = Math.max(sourceLine, sinkLine);
+    let extraGuards = 0;
+    for (let i = start; i < end && i < codeLines.length; i++) {
+        const line = codeLines[i];
+        if (!containsWordBoundary(line, varName))
+            continue;
+        for (const guard of langPatterns.guards) {
+            if (guard.test(line)) {
+                extraGuards++;
+                break;
+            }
+        }
+    }
+    return Math.min(baseReduction + extraGuards * 0.1, 0.35);
+}
+function analyzeRegexTaint(code, langPatterns) {
     const codeLines = code.split("\n");
     const flows = [];
     // Track tainted variable names
     const tainted = new Map();
-    // Assignment pattern: variable = source_expression
-    const assignPattern = /^\s*(?:(?:let|const|var|val|auto)\s+)?(\w+)\s*[:=]\s*(.+)/;
+    // Merge source and sink patterns: language-specific + global
+    const allSources = langPatterns ? [...langPatterns.sources, ...SOURCE_PATTERNS] : SOURCE_PATTERNS;
+    const allSinks = langPatterns ? [...langPatterns.sinks, ...SINK_PATTERNS] : SINK_PATTERNS;
+    // Use language-specific assignment pattern if available
+    const assignPattern = langPatterns?.assignPattern ?? /^\s*(?:(?:let|const|var|val|auto)\s+)?(\w+)\s*[:=]\s*(.+)/;
     for (let i = 0; i < codeLines.length; i++) {
         const line = codeLines[i];
         const lineNum = i + 1;
@@ -438,10 +949,10 @@ function analyzeRegexTaint(code) {
         if (assignMatch) {
             const [, varName, rhs] = assignMatch;
             // Skip sanitized assignments
-            if (isSanitized(rhs))
+            if (isLangSanitized(rhs, langPatterns))
                 continue;
             // Direct source
-            for (const src of SOURCE_PATTERNS) {
+            for (const src of allSources) {
                 if (src.pattern.test(rhs)) {
                     tainted.set(varName, {
                         sourceExpr: rhs.trim(),
@@ -462,16 +973,16 @@ function analyzeRegexTaint(code) {
             }
         }
         // Skip lines with sanitizers for sink checking
-        if (isSanitized(line))
+        if (isLangSanitized(line, langPatterns))
             continue;
         // Check for sinks using tainted data
-        for (const sink of SINK_PATTERNS) {
+        for (const sink of allSinks) {
             if (!sink.pattern.test(line))
                 continue;
             // Check tainted variables (word-boundary aware)
             for (const [varName, info] of tainted) {
                 if (containsWordBoundary(line, varName) && lineNum !== info.sourceLine) {
-                    const guardReduction = detectGuardClauses(varName, info.sourceLine, lineNum, codeLines);
+                    const guardReduction = detectLangGuardClauses(varName, info.sourceLine, lineNum, codeLines, langPatterns);
                     flows.push({
                         source: {
                             line: info.sourceLine,
@@ -486,7 +997,7 @@ function analyzeRegexTaint(code) {
                 }
             }
             // Inline source→sink
-            for (const src of SOURCE_PATTERNS) {
+            for (const src of allSources) {
                 if (src.pattern.test(line)) {
                     const alreadyCaptured = flows.some((f) => f.sink.line === lineNum);
                     if (!alreadyCaptured) {