Supported Languages

Languages and frameworks supported by PrismSec's security scanning.

PrismSec supports security scanning across the most popular programming languages and frameworks. Each language has varying levels of support across the four security pillars: SAST, Secret Detection, Dependencies (SCA), and IaC & Misconfiguration.

Language Support Matrix

| Language | SAST | Secret Detection | Dependencies (SCA) | IaC & Misconfiguration | |----------|------|------------------|--------------------|-----------------------| | JavaScript / TypeScript | ✅ Full | ✅ Full | ✅ Full | ✅ Full | | Python | ✅ Full | ✅ Full | ✅ Full | ✅ Full | | Go | ✅ Full | ✅ Full | ✅ Full | ✅ Full | | Java | ✅ Full | ✅ Full | ✅ Full | ✅ Full | | PHP | ✅ Full | ✅ Full | ✅ Full | ✅ Full | | Ruby | 🚧 Beta | ✅ Full | ✅ Full | ✅ Full | | C# / .NET | 🚧 Beta | ✅ Full | ✅ Full | ✅ Full | | Rust | ⏳ Planned | ✅ Full | ✅ Full | N/A | | Kotlin | ⏳ Planned | ✅ Full | ✅ Full | N/A | | Swift | ⏳ Planned | ✅ Full | ✅ Full | N/A |

Legend:

✅ Full — Complete support with context-aware analysis
🚧 Beta — Available for testing, may have limited coverage
⏳ Planned — Coming soon
N/A — Not applicable for this language

Secret detection works across all languages and file types, including configuration files, shell scripts, and documentation.

JavaScript / TypeScript

SAST Coverage

Frameworks: React, Vue, Angular, Next.js, Express, NestJS, Fastify
Vulnerabilities: XSS, SQL injection (via ORMs), NoSQL injection, SSRF, command injection, path traversal, insecure deserialization
Data flow analysis: Full taint tracking across async/await, promises, callbacks

Dependency Scanning (SCA)

Package managers: npm, Yarn, pnpm
Manifest files: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
Transitive dependencies: Yes
Reachability analysis: Yes

Python

SAST Coverage

Frameworks: Django, Flask, FastAPI, Pyramid, Tornado
Vulnerabilities: SQL injection, command injection, SSRF, XSS (template rendering), path traversal, insecure deserialization (pickle, YAML), LDAP injection
Data flow analysis: Full taint tracking across functions, classes, and modules

Dependency Scanning (SCA)

Package managers: pip, Poetry, Pipenv
Manifest files: requirements.txt, Pipfile, Pipfile.lock, pyproject.toml, poetry.lock
Transitive dependencies: Yes
Reachability analysis: Yes

Go

SAST Coverage

Frameworks: Gin, Echo, Chi, Fiber, standard net/http
Vulnerabilities: SQL injection, command injection, SSRF, path traversal, race conditions, insecure randomness
Data flow analysis: Full taint tracking across goroutines and channels

Dependency Scanning (SCA)

Package managers: Go modules
Manifest files: go.mod, go.sum
Transitive dependencies: Yes
Reachability analysis: Yes

Java

SAST Coverage

Frameworks: Spring Boot, Jakarta EE, Micronaut, Quarkus, Struts
Vulnerabilities: SQL injection, command injection, XML injection, LDAP injection, insecure deserialization, SSRF, path traversal
Data flow analysis: Full taint tracking across classes, methods, and threads

Dependency Scanning (SCA)

Package managers: Maven, Gradle
Manifest files: pom.xml, build.gradle, build.gradle.kts
Transitive dependencies: Yes
Reachability analysis: Yes

PHP

SAST Coverage

Frameworks: Laravel, Symfony, WordPress, CodeIgniter, Yii
Vulnerabilities: SQL injection, XSS, command injection, file inclusion, SSRF, path traversal, insecure deserialization
Data flow analysis: Full taint tracking across functions, classes, and includes

Dependency Scanning (SCA)

Package managers: Composer
Manifest files: composer.json, composer.lock
Transitive dependencies: Yes
Reachability analysis: Yes

Infrastructure as Code (IaC)

PrismSec scans infrastructure definitions and configuration files across all languages:

| Format | Support | |--------|---------| | Terraform | ✅ Full (.tf, .tfvars, HCL) | | CloudFormation | ✅ Full (YAML, JSON) | | Kubernetes | ✅ Full (YAML manifests) | | Docker | ✅ Full (Dockerfile, docker-compose.yml) | | Ansible | ✅ Full (YAML playbooks) | | Pulumi | 🚧 Beta (TypeScript, Python, Go) | | NGINX | ✅ Full (nginx.conf) | | Apache | ✅ Full (httpd.conf, .htaccess) |

Framework-Specific Features

JavaScript / TypeScript

| Framework | SAST Support | Notes | |-----------|--------------|-------| | React | ✅ | DOM-based XSS, dangerouslySetInnerHTML checks | | Vue | ✅ | Template injection, v-html checks | | Angular | ✅ | Template injection, sanitization checks | | Next.js | ✅ | SSR-specific vulnerabilities (e.g., getServerSideProps leaks) | | Express | ✅ | Route parameter injection, middleware vulnerabilities |

Python

| Framework | SAST Support | Notes | |-----------|--------------|-------| | Django | ✅ | ORM injection, template injection, CSRF checks | | Flask | ✅ | Template injection (Jinja2), route parameter injection | | FastAPI | ✅ | Pydantic validation, async data flow |

Source code (all file types)
Configuration files (JSON, YAML, TOML, INI, XML, .env)
Shell scripts (Bash, Zsh, PowerShell)
Documentation (Markdown, plain text)
Commit history

Detected secret types include:

Cloud provider credentials (AWS, GCP, Azure)
API keys (Stripe, Twilio, SendGrid, GitHub, etc.)
Database connection strings
Private keys (SSH, PGP, SSL/TLS)
OAuth tokens
Generic high-entropy secrets

Adding New Languages

PrismSec is actively expanding language support. If your language isn't listed, you can:

Request support — Contact us at hello@prism-sec.com with your use case
Beta access — Join our beta program for early access to new language support
Community contributions — For open-source projects, contribute detection rules via GitHub

Next Steps

Learn about SAST: SAST
Explore dependency scanning: Dependencies (SCA)
Review FAQ: FAQ