SAST Supported Languages

Radar's SAST engine supports a wide range of programming languages and frameworks. The analysis engine adapts its detection rules based on language-specific patterns and idioms, ensuring that vulnerabilities are identified using the conventions and APIs unique to each ecosystem.

When you connect a repository, Radar automatically identifies all languages present in the codebase and applies the appropriate analysis rules. There is no manual configuration required to enable scanning for a specific language. If your repository contains multiple languages (for example, a JavaScript frontend with a Python backend), Radar analyzes all of them in a single scan.

JavaScript / TypeScript

Radar provides deep analysis of JavaScript and TypeScript codebases, covering both frontend and backend patterns across the most widely used frameworks and runtimes.

Supported Frameworks and Runtimes: Node.js, React, Angular, Vue.js, Express, Next.js, Fastify, Koa, NestJS, Deno, Bun

What Radar Detects:

• Prototype Pollution - unsafe merging of user-controlled objects into Object.prototype or other built-in prototypes, which can lead to property injection across all objects in the application
• Cross-Site Scripting (XSS) - dangerous patterns in JSX, template literals, Vue templates, and Angular bindings where user input is rendered without sanitization, including dangerouslySetInnerHTML, v-html, and [innerHTML]
• Insecure eval() - dynamic code evaluation using eval(), Function(), setTimeout(string), or setInterval(string) with user-controlled input
• DOM Manipulation - unsafe use of innerHTML, outerHTML, document.write(), and other DOM APIs that accept raw HTML
• Module Hijacking - dynamic require() or import() with user-controlled module paths that could load attacker-controlled code
• Regular Expression Denial of Service (ReDoS) - regex patterns with exponential backtracking behavior that can cause application hangs when processing crafted input
• Unsafe innerHTML - direct assignment of user-controlled strings to element innerHTML properties without sanitization
• Insecure Dependencies - usage patterns of known-vulnerable npm package APIs, complementing SCA analysis
• NoSQL Injection - MongoDB query operator injection through unsanitized request body objects, particularly $gt, $ne, and $regex operators
• Command Injection - user input passed to child_process.exec(), execSync(), or spawn() with shell option enabled
• Path Traversal - file system operations using fs.readFile(), fs.writeFile(), or fs.createReadStream() with user-controlled paths

Python

Radar analyzes Python applications across web frameworks, data processing pipelines, and CLI tools, with rules tuned to Python-specific vulnerability patterns.

Supported Frameworks and Libraries: Django, Flask, FastAPI, SQLAlchemy, Tornado, Pyramid, aiohttp, Celery, Boto3

What Radar Detects:

• SQL Injection via ORM Bypass - raw SQL execution through Django's raw(), SQLAlchemy's text(), or direct cursor operations that bypass ORM protections, especially when using string formatting with f-strings, .format(), or % operator
• Jinja2 Template Injection - server-side template injection when user input is passed directly to Template() constructor or rendered with |safe filter without validation
• Pickle Deserialization - use of pickle.loads(), pickle.load(), shelve, or joblib.load() with untrusted data, which can lead to arbitrary code execution
• OS Command Injection - user input passed to os.system(), os.popen(), subprocess.call() with shell=True, or subprocess.run() with shell expansion
• SSRF in Requests Library - unvalidated URLs passed to requests.get(), requests.post(), urllib.request.urlopen(), or httpx client methods
• Insecure YAML Loading - use of yaml.load() without Loader=SafeLoader, which allows arbitrary Python object instantiation
• Insecure Deserialization - marshal.loads() and other deserialization functions applied to untrusted input
• Hardcoded Secrets - credentials, API keys, and tokens assigned to variables or passed as default parameter values
• Path Traversal - open(), pathlib.Path(), or os.path.join() with user-controlled path components without proper validation
• Django-Specific Issues - DEBUG = True in production settings, ALLOWED_HOSTS = ['*'], missing CSRF middleware, mark_safe() with user input

Java

Radar provides comprehensive analysis of Java applications, covering enterprise frameworks, build systems, and the extensive Java standard library.

Supported Frameworks and Build Systems: Spring Boot, Spring MVC, Spring Security, Jakarta EE (Java EE), Hibernate, JPA, Maven, Gradle, Apache Struts, Apache Camel

What Radar Detects:

• SQL Injection via JDBC/JPA - string concatenation in Statement.execute(), PreparedStatement constructed with user input outside parameter placeholders, and HQL/JPQL injection through string building
• XXE in XML Parsers - DocumentBuilderFactory, SAXParserFactory, XMLInputFactory, and TransformerFactory instances without disabling external entity processing or DTD loading
• Insecure Deserialization - ObjectInputStream.readObject() applied to untrusted input, as well as known gadget chains in popular libraries like Commons Collections, Spring, and Apache Commons
• LDAP Injection - user input in LDAP filter strings passed to DirContext.search() without proper escaping via LdapEncoder
• Expression Language Injection - user-controlled input evaluated in Spring Expression Language (SpEL), OGNL, or EL expressions, which can lead to remote code execution
• Path Traversal via File API - new File(), Paths.get(), or FileInputStream constructed with user-controlled paths without canonicalization checks
• Command Injection - user input passed to Runtime.exec(), ProcessBuilder, or shell commands without input validation
• Insecure Random - use of java.util.Random instead of java.security.SecureRandom for security-sensitive values like tokens, session IDs, or cryptographic keys
• Hardcoded Credentials - passwords and keys in Java source files, application.properties, and application.yml
• Missing Authorization Annotations - Spring controllers or endpoints without @PreAuthorize, @Secured, or @RolesAllowed annotations on sensitive operations
• Weak Cryptography - use of DES, 3DES, RC4, MD5, or SHA1 for encryption or integrity verification

C# / .NET

Radar analyzes C# and .NET applications across web, desktop, and mobile platforms, with deep understanding of the .NET framework ecosystem and its security APIs.

Supported Frameworks and Libraries: ASP.NET Core, ASP.NET MVC, Entity Framework Core, Entity Framework 6, Razor Pages, Blazor, SignalR, Dapper, Xamarin, MAUI

What Radar Detects:

• SQL Injection via ADO.NET/EF - SqlCommand with concatenated queries, Entity Framework FromSqlRaw() and ExecuteSqlRaw() with interpolated strings instead of parameterized queries, and Dapper raw SQL with string formatting
• XSS in Razor Views - @Html.Raw() with user-controlled input, missing encoding in Razor expressions, and JavaScript blocks with server-rendered values
• Insecure Deserialization - BinaryFormatter.Deserialize(), SoapFormatter, NetDataContractSerializer, LosFormatter, and JSON.NET with TypeNameHandling set to All, Auto, or Objects
• CSRF Missing Antiforgery - POST/PUT/DELETE actions without [ValidateAntiForgeryToken] attribute or missing @Html.AntiForgeryToken() in forms
• Path Traversal - System.IO.File operations, Path.Combine(), or FileStream with user-controlled paths without Path.GetFullPath() canonicalization
• LDAP Injection - user input in DirectorySearcher.Filter or DirectoryEntry path without proper escaping
• Hardcoded Connection Strings - database credentials embedded in appsettings.json, web.config, or directly in C# source code instead of using secret management
• Insecure Cookie Configuration - cookies created without Secure, HttpOnly, or SameSite flags
• Open Redirect - Redirect() or RedirectToAction() with user-controlled URLs without validation via Url.IsLocalUrl()
• Weak Cryptography - use of MD5CryptoServiceProvider, SHA1CryptoServiceProvider, DESCryptoServiceProvider, or RNGCryptoServiceProvider replacements needed

Go

Radar analyzes Go applications with focus on the standard library's extensive use in production systems and the common patterns in Go web frameworks.

Supported Frameworks and Libraries: Standard library (net/http, database/sql, os/exec), Gin, Echo, Fiber, Chi, GORM, Gorilla

What Radar Detects:

• SQL Injection in database/sql - string concatenation or fmt.Sprintf() in query strings passed to db.Query(), db.Exec(), or db.QueryRow() instead of using parameterized placeholders
• Command Injection via os/exec - user input passed to exec.Command() with shell expansion or arguments constructed through string concatenation
• Path Traversal - os.Open(), os.ReadFile(), or http.ServeFile() with user-controlled paths without filepath.Clean() and base directory validation
• Template Injection - text/template used instead of html/template for rendering HTML, or user input passed directly to template.New().Parse()
• Insecure TLS Configuration - tls.Config with InsecureSkipVerify: true, weak minimum TLS version, or disabled certificate validation
• Race Conditions - shared mutable state accessed by multiple goroutines without proper synchronization using mutexes or channels
• SSRF - unvalidated URLs in http.Get(), http.Post(), or custom http.Client requests
• Hardcoded Credentials - secrets in Go source files, .env files parsed at runtime, or configuration structs with default values
• Missing Error Handling - security-relevant function returns where errors are discarded with _, potentially masking authentication or authorization failures
• Insecure Random - use of math/rand instead of crypto/rand for security-sensitive values

PHP

Radar analyzes PHP applications across modern frameworks and legacy codebases, detecting both contemporary and historically prevalent vulnerability patterns.

Supported Frameworks and Libraries: Laravel, Symfony, WordPress, CodeIgniter, CakePHP, PDO, MySQLi, Composer packages

What Radar Detects:

• SQL Injection - string concatenation in mysqli_query(), PDO::query() without prepared statements, Laravel's DB::raw() and whereRaw() with unsanitized input
• XSS in Templates - unescaped output in Blade templates using {!! !!}, Twig |raw filter, or direct echo of user input without htmlspecialchars()
• File Inclusion - dynamic include, include_once, require, or require_once with user-controlled paths enabling local or remote file inclusion (LFI/RFI)
• Command Injection - user input in exec(), system(), passthru(), shell_exec(), proc_open(), or backtick operator without escapeshellarg()/escapeshellcmd()
• Insecure Deserialization - unserialize() with user-controlled data, enabling object injection through PHP magic methods (__wakeup, __destruct, __toString)
• Directory Traversal - file_get_contents(), fopen(), readfile(), or file_put_contents() with user-controlled paths containing ../ sequences
• Type Juggling - loose comparison (==) on security-critical values like passwords or tokens, where PHP's type coercion can bypass authentication
• Hardcoded Credentials - database passwords and API keys in config.php, .env files committed to repositories, or WordPress wp-config.php
• SSRF - file_get_contents(), curl_exec(), or Guzzle HTTP client with user-controlled URLs
• Session Fixation - missing session_regenerate_id() after authentication, allowing session hijacking

Ruby

Radar analyzes Ruby applications with particular depth in Rails applications, where convention-over-configuration patterns create specific vulnerability profiles.

Supported Frameworks and Libraries: Ruby on Rails, Sinatra, ERB, Haml, Slim templates, ActiveRecord, Sequel, Grape API

What Radar Detects:

• SQL Injection via ActiveRecord - string interpolation in where(), find_by_sql(), order(), group(), pluck(), and having() methods instead of parameterized placeholders
• XSS in ERB/Haml - raw() helper, html_safe on user input, <%== %> tags, and missing output encoding in JavaScript blocks within templates
• Mass Assignment - models without proper strong_parameters usage, or permit! allowing all attributes, enabling attackers to modify protected fields like admin or role
• Command Injection - user input in backtick operator, system(), exec(), %x{}, IO.popen(), or Open3.capture3() without input validation
• Insecure Deserialization - Marshal.load(), YAML.load() (before Ruby 3.1), or JSON.parse() with custom object creation on untrusted data
• CSRF - missing protect_from_forgery in controllers, skip_before_action :verify_authenticity_token on state-changing actions
• Open Redirect - redirect_to with user-controlled URLs without only_path: true or host validation
• Insecure Direct Object Reference - params[:id] used directly in find() without scoping to current user's records
• Hardcoded Secrets - credentials in database.yml, secrets.yml, initializers, or environment configuration files

Swift / Objective-C

Radar analyzes iOS and macOS applications, detecting mobile-specific security issues alongside standard vulnerability patterns.

Supported Frameworks: UIKit, SwiftUI, Foundation, Security framework, URLSession, Core Data, SQLite

What Radar Detects:

• Insecure Data Storage - sensitive information stored in UserDefaults, NSUserDefaults, plist files, or unprotected NSCoding archives instead of the Keychain
• Insecure Network Configuration - App Transport Security (ATS) exceptions in Info.plist that allow HTTP connections, disabled certificate pinning, or URLSession with serverTrust evaluation disabled
• Hardcoded Credentials - API keys, passwords, and tokens as string literals in Swift/Objective-C source files or embedded in asset catalogs
• SQL Injection in SQLite - string interpolation in SQLite queries via sqlite3_exec() or FMDB without parameterized statements
• Insecure Keychain Usage - keychain items stored with kSecAttrAccessibleAlways or other accessibility settings that expose data when the device is locked
• Clipboard Data Exposure - sensitive data copied to UIPasteboard.general which is accessible to other applications
• Insecure WebView - WKWebView or deprecated UIWebView loading untrusted content with JavaScript enabled and without proper content validation
• Jailbreak Detection Bypass - weak jailbreak detection that can be easily circumvented by attackers
• Missing Certificate Pinning - HTTPS connections that rely solely on the system trust store without pinning expected certificates or public keys

Kotlin

Radar analyzes Kotlin applications for both Android and server-side JVM targets, detecting Kotlin-specific patterns in addition to the full Java analysis ruleset.

Supported Frameworks: Android SDK, Jetpack Compose, Spring Boot (Kotlin), Ktor, Exposed ORM, Kotlin Coroutines

What Radar Detects:

• All Java detections - Radar applies the full Java ruleset to Kotlin code, including SQL injection, XXE, insecure deserialization, LDAP injection, and expression language injection
• Unsafe Coroutine Handling - security-sensitive operations in coroutines without proper exception handling using CoroutineExceptionHandler, potentially masking authentication or authorization failures
• Insecure SharedPreferences - storing sensitive data like tokens, passwords, or personal information in SharedPreferences instead of EncryptedSharedPreferences or the Android Keystore
• Intent Injection - exported activities, services, or broadcast receivers that process unvalidated Intent extras, enabling privilege escalation or data theft
• WebView Vulnerabilities - WebView with setJavaScriptEnabled(true) loading untrusted URLs, or addJavascriptInterface() exposing native functionality to web content
• Insecure Network Configuration - NetworkSecurityConfig allowing cleartext traffic or custom trust anchors, and OkHttp clients with hostnameVerifier or sslSocketFactory overrides that disable certificate validation
• Hardcoded Secrets - API keys and credentials in Kotlin source, build.gradle.kts, or local.properties files
• Content Provider Exposure - exported ContentProvider without proper permission enforcement, allowing unauthorized data access from other applications

C / C++

Radar analyzes C and C++ codebases for memory safety issues and common vulnerability patterns in systems-level code.

What Radar Detects:

• Buffer Overflow - writes beyond allocated buffer boundaries in strcpy(), strcat(), sprintf(), gets(), and fixed-size array operations
• Format String Vulnerabilities - user-controlled format strings in printf(), fprintf(), syslog(), and similar functions enabling arbitrary memory read/write
• Use-After-Free - access to memory after free() or delete, potentially leading to code execution
• Integer Overflow - arithmetic operations on untrusted integers without bounds checking before memory allocation or array indexing
• Command Injection - user input passed to system(), popen(), or exec*() family functions without sanitization
• Insecure Memory Functions - use of memcpy(), memmove() with unchecked size parameters derived from user input
• Null Pointer Dereference - missing null checks after malloc(), calloc(), or pointer-returning functions
• Hardcoded Credentials - passwords, keys, and tokens as string literals or #define constants
• Weak Cryptography - use of deprecated OpenSSL functions, DES, RC4, MD5, or insecure random number generators like rand()

Rust

Radar analyzes Rust applications, focusing on unsafe blocks and FFI boundaries where Rust's safety guarantees do not apply.

Supported Frameworks: Actix-web, Axum, Rocket, Tokio, Hyper, Diesel, SQLx, Serde

What Radar Detects:

• Unsafe Block Misuse - raw pointer dereferencing, unchecked type transmutations, and manual memory management in unsafe blocks
• FFI Safety Issues - incorrect assumptions about data layout, lifetime, or nullability at foreign function interface boundaries
• SQL Injection - raw SQL queries with string formatting in Diesel's sql_query() or SQLx's query() without bind parameters
• Command Injection - user input passed to std::process::Command with shell expansion
• Path Traversal - std::fs operations with user-controlled paths without canonicalization
• Insecure Deserialization - Serde deserialize_any or custom deserializers on untrusted input enabling unexpected type instantiation
• SSRF - unvalidated URLs in Hyper, Reqwest, or other HTTP client requests
• Hardcoded Secrets - API keys and credentials as string constants or in configuration files
• Panic in Production - unwrap(), expect(), or panic!() on user-controlled input paths that could crash the service

Scala

Radar analyzes Scala applications for both JVM and Play Framework patterns, applying Java rules plus Scala-specific detections.

Supported Frameworks: Play Framework, Akka HTTP, Spark, Slick, Cats, ZIO

What Radar Detects:

• All Java detections - Radar applies the full Java ruleset to Scala bytecode-compatible patterns
• SQL Injection in Slick - string interpolation in sql interpolator without proper #$ vs $ distinction, and raw SQL via StaticQuery
• Template Injection - user input in Twirl templates rendered without escaping
• XML Injection - Scala's native XML literals with embedded user expressions
• Insecure Deserialization - Java serialization via Scala case classes, Kryo without class registration
• Hardcoded Secrets - credentials in application.conf, build.sbt, or Scala source files

Dart / Flutter

Radar analyzes Dart and Flutter applications for mobile-specific and web-specific security issues.

Supported Frameworks: Flutter, Dart HTTP, Dio, Shelf, Aqueduct

What Radar Detects:

• Insecure Data Storage - sensitive data in SharedPreferences or unencrypted local storage instead of flutter_secure_storage
• Hardcoded Credentials - API keys and tokens in Dart source, pubspec.yaml, or asset files
• Insecure Network Configuration - HTTP connections without TLS, disabled certificate verification in HttpClient
• SQL Injection - string concatenation in sqflite queries without parameterized statements
• WebView Vulnerabilities - webview_flutter loading untrusted URLs with JavaScript enabled
• Platform Channel Injection - unvalidated data received through method channels from native code
• Path Traversal - file operations with user-controlled paths via dart:io

Terraform / HCL

Radar analyzes Infrastructure as Code files to detect security misconfigurations before deployment.

Supported Providers: AWS, Azure, Google Cloud, Kubernetes

What Radar Detects:

• Public S3 Buckets - acl = "public-read" or missing block_public_access configuration
• Open Security Groups - ingress rules with 0.0.0.0/0 on sensitive ports (SSH, RDP, databases)
• Unencrypted Resources - EBS volumes, RDS instances, S3 buckets, and storage accounts without encryption enabled
• Overly Permissive IAM - policies with * actions or * resources, admin-level permissions on service accounts
• Missing Logging - CloudTrail, VPC Flow Logs, or Azure Activity Logs not configured
• Exposed Databases - RDS, Azure SQL, or Cloud SQL instances with publicly_accessible = true
• Hardcoded Secrets - credentials in terraform.tfvars, variables.tf defaults, or provider configuration blocks
• Insecure TLS Settings - minimum TLS version below 1.2, weak cipher suites on load balancers

Dockerfile

Radar analyzes Dockerfiles for container security best practices and misconfigurations.

What Radar Detects:

• Running as Root - missing USER instruction, containers running as root by default
• Hardcoded Secrets - ENV or ARG instructions containing credentials, tokens, or passwords
• Insecure Base Images - use of latest tag, deprecated images, or images with known vulnerabilities
• Exposed Ports - unnecessary port exposure or sensitive service ports (database, admin)
• Missing Health Checks - no HEALTHCHECK instruction for production containers
• Insecure Package Installation - apt-get install without version pinning, --no-verify flags
• Copy of Sensitive Files - COPY or ADD instructions that may include .env, .git, or credential files

Bash / Shell

Radar analyzes shell scripts for injection vulnerabilities and insecure patterns.

What Radar Detects:

• Command Injection - unquoted variables in command arguments, especially with user-controlled input from $1, $@, or environment variables
• Path Injection - relative paths in scripts without PATH hardening, allowing path hijacking
• Insecure Temp Files - mktemp misuse or predictable temp file names vulnerable to symlink attacks
• Hardcoded Credentials - passwords, tokens, and keys as variable assignments or command arguments
• Insecure curl/wget - --insecure, -k flags disabling TLS verification, or piping downloads directly to sh/bash
• Unquoted Variables - word splitting and globbing issues with unquoted $variable in conditional expressions and file operations

Next Steps