Cognium – Tree-sitter + taint-tracking SAST for Java, Python, JS, Rust

by openmason · Mar 25, 2026 · 4 points · 1 comment

AI Analysis

Rating: ●● Solid · Tags: Big Brain · Dark Horse · Solve My Problem

Beats CodeQL on CWE-Bench with optional LLM enhancement mode.

Strengths
  • Deterministic 5-stage pipeline with reproducible OWASP benchmark scores, not marketing claims
  • Inter-procedural taint tracking across functions instead of regex pattern matching
  • LLM enhancement mode swaps models via env var with no vendor lock-in
Weaknesses
  • Only 42.5% CVE detection without the LLM mode leaves significant coverage gaps for production use
  • SAST category already has CodeQL, Semgrep, SonarQube with enterprise backing
Category

Target Audience

Security engineers, backend developers, DevSecOps teams

Similar To

CodeQL · Semgrep · SonarQube

Post Description

Open-source static analysis tool for finding security vulnerabilities.

Similar Projects

Developer Tools · Rating: ●●● Banger

Local, privacy-first MCP code intelligence in Rust

AST-aware codebase search and onboarding beats grep, ships as local MCP server.

Tags: Big Brain · Solve My Problem · Wizardry
by avirajkhare · 103mo ago
Developer Tools · Rating: ●● Solid

A universal code formatter using Rust, Tree-sitter, and Rhai

Neatify exposes AST-level formatting as live Rhai scripts, so you write real code to shape output instead of tweaking a dozen JSON flags. The Tree-sitter backbone means any language with a grammar can be targeted, and the repo-first flavoring plus LLM-assisted script generation is a smart, practical twist. It's clearly early-stage (defaults modify files in-place and coverage is limited), but the architecture is an interesting alternative to opinionated, black-box formatters.

Tags: Wizardry · Niche Gem
by its-a-new-world · 233mo ago