seqra/opentaint

OpenTaint

The open source taint analysis engine for the AI era

Formal inter-procedural taint analysis — finds what pattern matching engines miss, enacts what LLM agents discover as rules, scales where neither can alone.


Supported technologies and integrations: Java, Kotlin, Spring, GitHub, GitLab

The most thorough taint analysis engine for Spring apps

Roadmap: Python, Go, C#, JavaScript, TypeScript


Why OpenTaint

AI generates production code faster than today's security tooling can keep up with.

LLM security agents find vulnerabilities humans miss, burn tokens on every file, and still can't guarantee they catch everything.

The more AI writes code, the more you need formal methods underneath.

  • Find what pattern matching engines miss. The inter-procedural dataflow engine tracks untrusted data across function boundaries, persistence layers, aliases, and async code.
  • One finding becomes total coverage. Code-native rules let you encode every newly discovered vulnerability as a rule, and the engine applies that rule across the entire codebase, deterministically, in minutes of CPU time.
  • Open source, batteries included. Engine, rules, CI integrations — the entire stack ships under Apache 2.0 and MIT. No paid tier to unlock taint tracking, no gates on writing your own rules.

Quick Start

Install script (Linux/macOS):

curl -fsSL https://raw.githubusercontent.com/seqra/opentaint/main/scripts/install/install.sh | bash

Install via Homebrew (Linux/macOS):

brew install --cask seqra/tap/opentaint

Install script (Windows PowerShell):

irm https://raw.githubusercontent.com/seqra/opentaint/main/scripts/install/install.ps1 | iex

Scan your project:

opentaint scan --output results.sarif /path/to/your/spring/project

Or use Docker:

docker run --rm -v $(pwd):/project -v $(pwd):/output \
  ghcr.io/seqra/opentaint:latest \
  opentaint scan --output /output/results.sarif /project

For more options, see Installation and Usage.
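Once a scan has written results.sarif, a CI job usually needs to summarize the findings and decide whether to fail the build. The following Python script is an added example, not part of OpenTaint or its CLI: it parses a constructed SARIF 2.1.0 document of the shape the scan command emits (the rule ids, paths and messages are made up for the illustration) and gates on severity.

```python
import json
from collections import Counter

# Constructed sample standing in for `opentaint scan --output results.sarif`.
# The shape follows the SARIF 2.1.0 standard; rule ids and paths are invented.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "opentaint"}},
        "results": [
            {"ruleId": "example-sql-injection", "level": "error",
             "message": {"text": "tainted data reaches a query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/UserRepo.java"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example-path-traversal", "level": "warning",
             "message": {"text": "tainted data reaches a file path"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/FileController.java"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})

def load_findings(sarif_text):
    """Flatten a SARIF document into (rule, level, file, line) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when omitted
            for loc in res.get("locations", []) or [{}]:  # tolerate no location
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine")
                findings.append((res.get("ruleId", "<no rule>"), level, uri, line))
    return findings

def summarize(findings):
    """Count findings per rule and per severity level."""
    return {"by_rule": Counter(f[0] for f in findings),
            "by_level": Counter(f[1] for f in findings)}

def should_fail(findings, fail_on="error"):
    """CI gate: True if any finding is at or above the severity threshold."""
    order = {"note": 0, "warning": 1, "error": 2}
    return any(order.get(f[1], 1) >= order[fail_on] for f in findings)
```

In a pipeline, read results.sarif from disk instead of SAMPLE_SARIF and exit non-zero when should_fail returns True.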


Documentation

Full guides — installation, usage, configuration, CI/CD integration: Documentation.

Support

License

The core analysis engine is released under the Apache 2.0 License. The CLI, GitHub Action, GitLab CI template, and rules are released under the MIT License.