Formal taint analysis for application security — finds what AST-pattern matchers miss, lets LLM agents encode vulnerabilities as rules, scales where neither can alone.
The most thorough taint analysis engine for Spring apps
OpenTaint is an open-source alternative to Semgrep Pro and CodeQL — a formal inter-procedural taint engine you can customize and self-host, built so AI agents drive your security analysis without burning tokens on every scan.
AI generates production code faster than security teams can keep up with, and the two kinds of tooling built to catch what it gets wrong each force a bad trade-off:
- AST-pattern matchers (Semgrep OSS, ast-grep, linters) are free and fast, but they match syntax, not data flow — untrusted input that crosses a function boundary or a persistence layer slips right past. The deeper, inter-procedural analysis that does catch it has long been locked inside proprietary tools.
- LLM security agents find what pattern matchers miss, but they re-read your code on every run. The tokens add up with every file, every commit, every CI build — and a probabilistic model still can't promise it caught everything.
OpenTaint gives you the depth of an LLM agent at the cost of a static analyzer:
- Find what AST-pattern matchers miss. A formal inter-procedural dataflow engine tracks untrusted data across function boundaries, persistence layers, aliases, and async code.
- Pay the model once, not on every scan. Let an agent distill a single finding into a taint rule. The deterministic engine then replays that rule across the entire codebase — and every commit after it — in minutes of CPU, at zero token cost.
- Open source, batteries included. Engine, rules, and CI integrations come as one stack under Apache 2.0 and MIT.
Install script (Linux/macOS):

```bash
curl -fsSL https://opentaint.org/install.sh | bash
```

Install via Homebrew (Linux/macOS):

```bash
brew install --cask seqra/tap/opentaint
```

Install script (Windows PowerShell):

```powershell
irm https://opentaint.org/install.ps1 | iex
```

Install via npm (Linux/macOS/Windows):

```bash
npm install -g @seqra/opentaint
```

Or run instantly with npx — no install required (needs Node.js):

```bash
npx @seqra/opentaint scan
```

Scan your project:

```bash
opentaint scan
```

Or use Docker:

```bash
docker run --rm -v $(pwd):/project -v $(pwd):/output \
  ghcr.io/seqra/opentaint:latest \
  opentaint scan --output /output/results.sarif /project
```

For more options, see Installation and Usage.
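A CI gate over the SARIF file the Docker command above writes, as an added example that is not part of the OpenTaint project: it flattens every result, counts findings per level and fails the build on any `error`. It assumes OpenTaint emits standard SARIF 2.1.0 with a `level` on each result; the embedded sample document, rule ids and paths are constructed placeholders.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for the results.sarif written by
# `opentaint scan --output /output/results.sarif /project`; rule ids and paths are placeholders.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "opentaint"}}, "results": [
        {"ruleId": "placeholder/sql-injection", "level": "error",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/main/java/App.java"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "placeholder/log-injection", "level": "warning",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/main/java/Audit.java"},
             "region": {"startLine": 17}}}]},
    ]}],
}

def findings(sarif):
    """Flatten every result of every run into (level, ruleId, uri, line) tuples."""
    rows = []
    for run in sarif.get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            rows.append((
                r.get("level", "warning"),  # SARIF's default when level is omitted
                r.get("ruleId", "<no-rule>"),
                loc.get("artifactLocation", {}).get("uri", "<no-file>"),
                loc.get("region", {}).get("startLine", 0),
            ))
    return rows

def summarize(sarif):
    """Finding counts per SARIF level, e.g. {'error': 1, 'warning': 1}."""
    return Counter(level for level, *_ in findings(sarif))

def should_fail(sarif, fail_on=("error",)):
    """CI gate: True if any finding sits at a level listed in fail_on."""
    return any(level in fail_on for level, *_ in findings(sarif))

def main(path=None):
    sarif = json.load(open(path)) if path else SAMPLE_SARIF
    for level, rule, uri, line in findings(sarif):
        print(f"{level:8} {rule:28} {uri}:{line}")
    print("summary:", dict(summarize(sarif)))
    return 1 if should_fail(sarif) else 0  # non-zero exit fails the CI job

if __name__ == "__main__":
    import sys; raise SystemExit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Save it under a name of your choice (gate.py, say) and run it as `python gate.py results.sarif` in the job step after `opentaint scan`; with no argument it runs against the embedded sample.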
OpenTaint includes agent skills that turn static analysis into an end-to-end application-security workflow. Install them with:

```bash
npx skills add https://github.com/seqra/opentaint
```

The appsec-agent skill orchestrates a full project assessment: build the project, run OpenTaint, discover the attack surface, add targeted rules, model missing library data flows, triage findings, and optionally generate dynamic proof-of-concept checks for confirmed vulnerabilities.
Included skills cover the common security-analysis loop:

- Scan and triage: `build-project`, `run-scan`, `analyze-findings`, `generate-poc`
- Coverage expansion: `triage-dependencies`, `discover-attack-surface`, `create-test-project`, `create-rule`, `assemble-lib-rules`
- Dataflow modeling: `analyze-external-methods`, `create-pass-through-approximation`, `create-dataflow-approximation`, `debug-rule`, `report-analyzer-issue`
Full guides — installation, usage, configuration, CI/CD integration: Documentation.
- Issues: GitHub Issues
- Community: Discord
- Email: seqradev@gmail.com
The core analysis engine is released under the Apache 2.0 License. The CLI, GitHub Action, GitLab CI template, and rules are released under the MIT License.