A technical deep-dive into our proof-first analysis pipeline: deterministic taint tracking, CFG-based guard verification and an AI-assisted layer that's proof-gated. Discover why we find vulnerabilities that other scanners miss.
Unlike traditional scanners that rely on regex patterns, TraceMint uses a multi-stage pipeline that combines static analysis with semantic understanding. Each stage progressively refines candidates from thousands of pattern matches down to verified vulnerabilities.
AST extraction via tree-sitter across 30+ languages
source → AST → symbol table
Pattern + Taint + Route generators produce candidates
1800+ patterns × taint flows
Category-specific verifiers check guards & sanitizers
guard dominance + binding proof
Evidence-backed findings with proof chains
VULN | NEEDS_REVIEW | SAFE
We use tree-sitter for high-fidelity AST extraction, enabling precise semantic analysis across 30+ programming languages. Each language has a dedicated taint engine that understands framework-specific idioms.
# Source Code (PHP - Laravel)
public function show(Request $request) {
$orderId = $request->input('order_id');
$order = Order::find($orderId);
return response()->json($order);
}
# Extracted AST with Taint Labels
FunctionDecl: show
└─ Parameter: $request [TAINT_SOURCE: HTTP_REQUEST]
Assignment: $orderId
└─ MethodCall: $request->input('order_id')
└─ [USER_CONTROLLED: query_param]
MethodCall: Order::find($orderId)
└─ Argument: $orderId [TAINT_SINK: DB_LOOKUP]
└─ [POTENTIAL_IDOR: No ownership check before sink]
Return: response()->json($order)
└─ [DATA_EXPOSURE: Full object returned]Before analysis begins, we build a complete map of your application's structure.
GET /api/orders/{id} → OrderController@show
POST /api/orders → OrderController@store
GET /api/users/{id} → UserController@show
PUT /api/users/{id} → UserController@update
DELETE /api/admin/users → AdminController@deleteOrderController@show
├─→ OrderService::getOrder()
│ └─→ Order::find() [SINK]
└─→ response()->json()
UserController@update
├─→ $this->authorize() [GUARD]
└─→ User::update()Classes: 127
Functions: 843
Routes: 47
Middlewares: 12
Models: 23
─────────────────
Taint Sources: 89
Potential Sinks: 156Our interprocedural analysis follows data flow across function boundaries, classes, and even different files to find vulnerabilities that traditional scanners miss. We track taint through 3+ levels of function calls.
Route::get('/order/{id}', [OrderController::class, 'show']);public function show($id) {
return $this->orderService->getOrder($id);
}public function getOrder($orderId) {
return Order::find($orderId); // IDOR: No ownership check!
}Watch how tainted data flows through your application architecture.
Tracks taint through function calls with configurable depth (default: 3 levels). Creates function summaries for reuse.
Resolves imports, inheritance, and namespace across entire codebase. Handles dependency injection patterns.
Tracks taint in object fields independently: $user->id vs $user->name
Finding a guard isn't enough. We verify that the guard actually protects the vulnerable sink through Control Flow Graph (CFG) dominance analysis. A guard must dominate the sink path to be effective.
User authentication
Auth::check(), isLoggedIn()
Object-level authorization
$this->authorize(), Gate::allows()
Resource ownership binding
$order->user_id == Auth::id()
Input sanitization
filter_var(), is_numeric(), htmlspecialchars()
A guard must dominate the sink in the control flow graph. We verify guards don't have bypass patterns.
if ($isAdmin) {
log("admin access");
}
// Guard in different branch!
// Sink is NOT protected
$order = Order::find($id);
return $order;$order = Order::find($id);
if ($order->user_id != Auth::id()) {
abort(403); // Throws exception
}
// Guard dominates return
return $order;We don't reduce false positives with filters. We reduce them with proof obligations. Every finding must satisfy a formal obligation checklist before getting a verdict.
Resource primitive detected (fetch/update/delete via ORM, raw query, file op)
ID parameter bound to authorization context (user_id, tenant_id, session)
Guard dominates sink in CFG (no bypass path exists)
Security-relevant impact (data exposure, state mutation, privilege escalation)
VULN = ACCESS ∧ ¬BINDING ∧ ¬DOMINANCE ∧ EFFECT
All obligations must be proven or disproven. Uncertainty → NEEDS_REVIEW
Our multi-stage filtering system eliminates false positives while preserving real vulnerabilities. Each stage applies progressively more sophisticated analysis to reduce noise.
We don't claim arbitrary FP reduction numbers. Instead, every finding gets a clear verdict level based on proof obligations:
Our local 32B parameter model accelerates analysis, but never makes final decisions alone. Every AI suggestion must pass through our deterministic proof kernel before becoming a verdict. The AI assists — the proof engine decides.
Fine-tuned in-house on curated vulnerability data for localization and ranking. No external LLM API calls.
Understands what code does, not just what it looks like. Recognizes custom validators, business logic guards, and framework idioms that pattern matching cannot identify.
Analyzes surrounding code context to determine if a pattern is actually vulnerable or if there's implicit protection. Understands auth middleware, role checks, and ownership patterns.
The model is continuously updated with new vulnerability patterns from our ongoing security research. Every CVE we discover improves detection for the next scan.
PoC is generated automatically and replayed in a local Docker lab if available. No more spending hours crafting exploit payloads. TraceMint generates them based on the detected vulnerability pattern and your application's API structure.
42 $orderId = $request->input('order_id');
43
44 // Missing: ownership check!
45 // Should be: if ($order->user_id != Auth::id())
46
47 $order = Order::find($orderId);
48 return response()->json($order);Resource primitive detected: Order::find() performs database lookup via Eloquent ORM.
No binding found between $orderId and authenticated user context (Auth::id()).
No guard dominates the sink. Auth middleware exists but doesn't check resource ownership.
DATA_EXPOSURE: Full order object returned including PII fields.
Copy-paste ready PoC commands. Test vulnerabilities immediately without manual payload crafting.
PoCs are generated based on your app's actual routes, parameters, and authentication mechanisms.
Every finding includes full taint chain, guard analysis, and reproduction steps for security reports.
If docker-compose or Dockerfile exists in the repo, PoC runs automatically in an isolated lab and marks the finding as Verified.
"We don't just flag. We prove — and if Docker is available, we reproduce locally."
TraceMint has been battle-tested against 30+ open-source projects, discovering and responsibly disclosing critical vulnerabilities. These are real CVEs, not synthetic benchmarks.
TraceMint's modular architecture lets you add new languages, frameworks, and detection rules without modifying core analysis logic.
Define new vulnerability patterns in YAML. Specify sources, sinks, sanitizers, and proof requirements.
rules/custom/my_pattern.yaml
Add framework adapters that teach TraceMint about routes, middleware, and built-in protections.
adapters/my_framework.py
Implement a tree-sitter-based parser and taint engine. The core analysis remains unchanged.
engines/my_lang_taint.py
Export findings in any format. Built-in support for SARIF, but easily extensible to JIRA, Slack, etc.
reporters/my_output.py
Competitors promise "AI agents" and "zero false positives." We deliver something more defensible: a system you can verify, trust, and deploy on your terms — self-hosted or managed SaaS.
Your code, your deployment choice
Every finding ships with evidence
We eliminate FPs—not you
Fast for CI, Deep for audits
"Found User::find($id) - possible IDOR"
You investigate. You write the PoC. You decide if it's real.IDOR: User::find() at line 47
✗ BINDING: No ownership check against Auth::id()
✗ DOMINANCE: Guard at line 12 doesn't protect sink
→ EFFECT: DATA_EXPOSURE (email, address, phone)
Start scanning with TraceMint today. See the difference semantic analysis makes.