Vulnflow
High-performance static analysis for JavaScript and Node.js using diffusion-based taint tracking and pattern detection. Research-stage Rust engine with Python tooling on top.
Key metrics
Architecture
Static analysis engine combining code property graphs, eBPF instrumentation, and diffusion-based taint tracking to find security vulnerabilities in JavaScript and Node.js codebases. Multi-language setup with Docker deployment, web UI, and benchmarking harness.
Case study
Vulnflow
Semantic-aware static analysis for JavaScript and Node.js -- built on diffusion-based taint tracking.
Traditional static analysis tools operate on syntax. They match patterns, flag known-bad function calls, and walk ASTs looking for structural problems. Vulnflow takes a different approach: it builds a semantic model of your code -- a code property graph that captures data flow, control flow, and type relationships -- and then uses diffusion-based taint propagation to trace how untrusted data moves through your application.
The problem with pattern matching
Most JavaScript security scanners rely on pattern databases. They know that eval() is dangerous and innerHTML is risky, but they struggle with the indirect cases: a user input that passes through three helper functions, gets destructured, renamed, and eventually reaches a SQL query builder four modules away. Pattern matchers lose the trail. Taint trackers follow it.
Architecture
Vulnflow combines a high-performance Rust engine for graph construction and traversal with Python tooling for analysis orchestration, reporting, and integration with CI pipelines. The Rust layer handles the computationally expensive work -- parsing JavaScript and Node.js source into code property graphs (CPGs), running diffusion-based taint propagation across the graph, and identifying paths where untrusted data reaches sensitive sinks.
graph TB
SRC[JavaScript /
Node.js Source] --> PARSER[Rust Parser
+ CPG Builder]
PARSER --> CPG[Code Property
Graph]
CPG --> TAINT[Diffusion-Based
Taint Tracker]
TAINT --> PATHS[Vulnerability
Paths]
PATHS --> REPORT[Python Reporter
+ Web UI]
subgraph "Analysis Engine (Rust)"
PARSER
CPG
TAINT
end
subgraph "Orchestration (Python)"
REPORT
BENCH[Benchmarking
Harness]
endThe eBPF instrumentation layer adds runtime context to the static analysis. Where pure static analysis has to guess about dynamic behavior -- callback ordering, runtime type coercion, module resolution -- eBPF probes can observe actual execution paths and feed that information back into the graph. This hybrid approach narrows the gap between what the code could do and what it actually does.
Current state
Vulnflow is at the research stage with 64 commits. The core Rust engine builds code property graphs and runs taint diffusion. The Python tooling layer provides a web UI for reviewing findings and a benchmarking harness for measuring detection accuracy against known vulnerability databases. The Docker setup packages both layers for consistent deployment across development and CI environments.
Why Rust for the engine
Code property graphs for real-world Node.js applications can be large -- hundreds of thousands of nodes with millions of edges. The diffusion algorithm touches every edge multiple times during propagation. Rust's zero-cost abstractions and memory model make the difference between analysis that finishes in seconds and analysis that times out in CI. The Python layer handles everything that doesn't need that performance: report generation, CI integration, and the review UI.