This library analyzes source code and produces reports that may contain architecture details, method names, file paths, and source snippets. Treat every generated report as internal engineering data.
```yaml
redactSecrets: true
exposeSourceSnippets: false
exposeAbsolutePaths: false
allowSourceIncludesOutsideProject: false
apiAllowOrigin: ""
apiRequireToken: false
```
These defaults mean reports keep useful findings while reducing accidental exposure. Teams can enable snippets for trusted local debugging:
```yaml
exposeSourceSnippets: true
```

The API server binds only to 127.0.0.1. It does not send `Access-Control-Allow-Origin: *`. If another local UI must call it, configure a single exact origin:
```yaml
apiAllowOrigin: "http://127.0.0.1:3000"
```

Protect full report APIs in enterprise use:
```yaml
apiRequireToken: true
apiAuthToken: "replace-with-a-secret-from-your-secret-manager"
```

Then call:
```bash
curl -H "Authorization: Bearer replace-with-a-secret-from-your-secret-manager" \
  http://127.0.0.1:8765/api/report
```

Token-protected endpoints:
- `/api/report`
- `/api/findings`
The dashboard, summary, analytics, MCP status, and health endpoints are designed for local developer viewing and lightweight integrations.
The sanitizer redacts common secret shapes:
- private key blocks
- AWS access keys
- GitHub and Slack tokens
- JWTs
- bearer/basic auth headers
- URLs containing credentials
- assignments such as `password=`, `apiKey=`, `secret=`, and `accessToken=`
The sanitizer is intentionally conservative and should be backed by your normal secret-scanning tooling in CI.
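As an added illustration (not the project's own sanitizer code), the following Python redactor covers the secret shapes listed above and runs over a constructed report fragment; the regular expressions, the `[REDACTED:kind]` label format and all sample values are assumptions made for this example.

```python
import re

# Constructed patterns for the secret shapes listed above (not the project's own
# rules). Each one is deliberately narrow so ordinary identifiers survive.
# Prefix-keeping patterns (group 1) run first, so a token inside a header or an
# assignment is labelled once rather than twice.
SECRET_PATTERNS = [
    ("private-key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("auth-header", re.compile(
        r"(?i)\b(Authorization:\s*(?:Bearer|Basic)\s+)[A-Za-z0-9._~+/=-]+")),
    ("url-credentials", re.compile(           # keeps scheme, drops user:pass before '@'
        r"(?i)\b([a-z][a-z0-9+.-]*://)[^/\s:@]+:[^/\s@]+(?=@)")),
    ("assignment", re.compile(
        r"(?i)\b((?:password|apiKey|secret|accessToken)\s*=\s*)[\"']?[^\s\"',;]+[\"']?")),
    ("aws-access-key", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b")),
    ("slack-token", re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")),
]


def redact(text):
    """Return (redacted_text, counts_by_kind); a captured prefix is preserved."""
    counts = {}
    for kind, pattern in SECRET_PATTERNS:
        def replace(m, kind=kind):
            counts[kind] = counts.get(kind, 0) + 1
            prefix = m.group(1) if m.lastindex else ""
            return f"{prefix}[REDACTED:{kind}]"
        text = pattern.sub(replace, text)
    return text, counts


# Constructed sample report fragment; every secret below is a dummy value.
SAMPLE_REPORT = """\
Analyzer run for module payments
config: apiKey = "sk_test_ABC123xyz"
remote: https://deploy:hunter2@git.example.internal/payments.git
fixture header: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.dGVzdHNpZ25hdHVyZQ
fixture key: AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    redacted, counts = redact(SAMPLE_REPORT)
    print(redacted)
    print(counts)
```

The kind counts are what a CI step would log or alert on; a non-zero count in a report headed outside the team is the signal to stop and check the source.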
Current direct dependencies were updated during the hardening pass:
- `com.github.javaparser:javaparser-core` to `3.28.0`
- `com.fasterxml.jackson:*` to `2.21.3`
- `info.picocli:picocli` to `4.7.7`
The Jackson update matters because GitHub Advisory Database entry GHSA-72hv-8253-57qq lists older jackson-core ranges as affected by a non-blocking parser DoS issue, with patched 2.x versions at 2.18.6 and 2.21.1. This project now uses 2.21.3.
Run dependency scanning before release:
```bash
mvn test
mvn org.owasp:dependency-check-maven:check
```

Also enable Dependabot/Renovate or your enterprise SCA scanner for the Maven project.
By default, `sourceIncludes` entries outside the selected project root are skipped. This prevents a project-local config from accidentally scanning another local repository or sensitive directory.
Generated folders are ignored during Java scanning:
- `target`
- `build`
- `.git`
- `.gradle`
- `node_modules`
Analyze Flow is not a full security scanner. It does not replace SAST, DAST, dependency scanning, SBOM generation, secret scanning, or code review. It is a performance and architecture analyzer with safe report handling.