← All Docs

Supported Languages

CodeVigil supports 10 programming languages with 100+ vulnerability patterns.

Language Support Overview

CodeVigil ships with 100+ vulnerability patterns across 10 programming languages. Each language has detectors tailored to its specific ecosystem, frameworks, and common vulnerability patterns. The pattern count includes both language-specific detectors (listed below) and cross-language patterns for secret detection, configuration issues, and generic vulnerability signatures that apply across all supported languages.

Language detection is automatic. CodeVigil identifies the language of each file based on its extension and VS Code's language identifier, then applies the relevant detectors.

Languages and Pattern Counts

JavaScript (12 patterns)

  • SQL injection (string concatenation in queries)
  • Cross-site scripting (innerHTML, dangerouslySetInnerHTML)
  • Command injection (exec, spawn with user input)
  • Path traversal (unsanitized file paths)
  • Insecure randomness (Math.random for security)
  • Prototype pollution
  • Open redirect
  • Hardcoded secrets (API keys, tokens)
  • Insecure cookie settings
  • eval() with dynamic input
  • Regex denial of service (ReDoS)
  • Insecure postMessage handling

TypeScript (12 patterns)

All JavaScript patterns apply, with additional TypeScript-specific detectors:

  • Type assertion bypasses (as any in security contexts)
  • Unsafe type coercion in authentication logic

Python (10 patterns)

  • SQL injection (f-strings and format() in queries)
  • Command injection (os.system, subprocess with shell=True)
  • Insecure deserialization (pickle.loads, yaml.load)
  • Path traversal (os.path.join with user input)
  • Hardcoded secrets
  • Weak cryptography (MD5, SHA-1 for passwords)
  • SSRF (requests.get with user-supplied URL)
  • Template injection (Jinja2 with user input)
  • Debug mode in production (Flask debug=True)
  • Insecure temporary file creation

Java (9 patterns)

  • SQL injection (Statement with concatenation)
  • XML external entity (XXE) injection
  • Insecure deserialization (ObjectInputStream)
  • Path traversal
  • Weak cryptography
  • Hardcoded credentials
  • LDAP injection
  • Server-side request forgery
  • Insecure random number generation

Go (8 patterns)

  • SQL injection (fmt.Sprintf in queries)
  • Command injection (exec.Command with user input)
  • Path traversal
  • Insecure TLS configuration
  • Hardcoded secrets
  • Race conditions (shared state without mutex)
  • Unvalidated redirects
  • Missing error handling in security contexts

C# (7 patterns)

  • SQL injection (string concatenation in SqlCommand)
  • Cross-site scripting (Html.Raw)
  • Path traversal
  • Insecure deserialization (BinaryFormatter)
  • Weak cryptography
  • Hardcoded connection strings
  • Open redirect

PHP (8 patterns)

  • SQL injection (mysql_query with concatenation)
  • Cross-site scripting (echo without htmlspecialchars)
  • Command injection (exec, system, passthru)
  • File inclusion (include/require with user input)
  • Insecure deserialization (unserialize)
  • Path traversal
  • Weak cryptography
  • Session fixation

Ruby (6 patterns)

  • SQL injection (string interpolation in ActiveRecord queries)
  • Command injection (system, backticks, exec with user input)
  • Cross-site scripting (raw/html_safe in Rails views)
  • Insecure deserialization (Marshal.load, YAML.load)
  • Path traversal (File.read with user input)
  • Mass assignment (permit bypasses in Rails)

C/C++ (6 patterns)

  • Buffer overflow (strcpy, sprintf, gets)
  • Format string vulnerability
  • Integer overflow
  • Use-after-free patterns
  • Null pointer dereference
  • Command injection (system, popen)

Kotlin (7 patterns)

  • SQL injection (string templates in database queries)
  • Command injection (Runtime.exec with user input)
  • Insecure deserialization (ObjectInputStream)
  • Path traversal
  • Hardcoded secrets
  • Weak cryptography
  • XML external entity (XXE) injection

Detection Methodology

Each vulnerability pattern is implemented as a combination of:

  • Syntax pattern matching: Identifies code structures known to be vulnerable
  • Data flow analysis: Tracks whether user-controlled input reaches security-sensitive sinks
  • Contextual analysis: Considers the surrounding code to reduce false positives

CodeVigil is designed to favor precision over recall. We would rather miss an occasional edge case than flood your editor with false positives. Each pattern has been tested against thousands of real-world code samples to ensure a high signal-to-noise ratio.

Requesting New Patterns

If you encounter a vulnerability pattern that CodeVigil does not detect, we would love to hear about it. You can request new patterns through:

  • The GitHub issue tracker
  • The @codevigil suggest pattern command in Copilot Chat
  • Email at hello@bitsplus.ai

We regularly review pattern requests and add new detectors in monthly updates.