| title | Supported tech |
|---|---|
| description | The frameworks, languages, infrastructure files, and prompt highlights deepsec recognizes out of the box. |
Canonical list of frameworks and ecosystems deepsec recognizes out of the box. Each entry tells you three things:
- How deepsec detects it — which sentinel files / lockfile shapes
trigger the tech tag. See
packages/scanner/src/detect-tech.ts. - What it scans for — the matcher slugs that activate when the tech is detected. Matchers without a tech gate run on every repo.
- What the prompt knows about — the per-tech "threat highlights"
block that gets injected when the tech is detected. See
packages/processor/src/prompt/highlights.ts.
Detection happens once per scan, with results persisted to
data/<projectId>/tech.json. Matcher gates and prompt highlights share
that single signal.
Plugin authors: before adding a matcher for a framework already on this list, check whether you can extend the existing matcher instead. If your framework is missing, add a detector entry + matcher + prompt highlight together in one PR.
- Sentinel detection:
package.jsondepends onnext; ornext.config.{js,ts,mjs}is present. - Matchers:
all-route-handlers,all-server-actions,nextjs-middleware,nextjs-middleware-only-auth,framework-server-action,framework-untrusted-fetch,framework-internal-header,framework-image-optimizer,framework-edge-sandbox,page-data-fetch,page-without-auth-fetch,use-server-export,unsafe-json-in-html. - Prompt highlights: middleware.ts is not sufficient auth, Server Actions are public POSTs, JSON-in-script XSS, search-param trust, cache-tag cross-tenant leaks.
- Sentinel detection:
reactorreact-dominpackage.json. - Matchers:
dangerous-html,xss,postmessage-origin. - Prompt highlights:
dangerouslySetInnerHTMLwith DB-stored HTML, ref/effect-driven open redirects, JSON-in-script escapes.
- Sentinel detection:
expressinpackage.json. - Matchers:
js-express-route(gated), plus all generic JS matchers. - Prompt highlights: route-vs-middleware ordering,
req.*injection surfaces,express.statictraversal, error-leak responses, CORS reflect.
- Sentinel detection:
fastifyinpackage.json. - Matchers:
js-fastify-route(gated). - Prompt highlights:
preHandler/onRequestauth, schema validation as the FP mitigation, plugin scope inheritance.
- Sentinel detection: any
@nestjs/*package inpackage.json. - Matchers:
js-nestjs-controller(gated). - Prompt highlights: missing
@UseGuards, untyped@Body(),@Public()opt-outs of global auth.
- Sentinel detection:
honoinpackage.json. - Matchers:
js-hono-route(gated). - Prompt highlights: middleware-before-routes ordering,
c.req.*trust, edge-runtime trust boundary to backend.
koa, hapi, remix, sveltekit, nuxt, astro, solidstart,
trpc, mcp, connectrpc, graphql, socketio, bullmq, drizzle,
prisma, bun, deno, workers. The generic JS/TS matchers
(all-route-handlers, cors-wildcard, secret-env-var, etc.) still run.
- Sentinel detection:
manage.py,Djangoinrequirements.txt/pyproject.toml/setup.py. - Matchers:
py-django-view(gated). - Prompt highlights:
@csrf_exempton writes, raw SQL via f-strings,mark_safe,ModelFormmass assignment, DEBUG/ALLOWED_HOSTS leaks, DRFpermission_classesgaps.
- Sentinel detection:
fastapiin deps. - Matchers:
py-fastapi-route(gated). - Prompt highlights: missing
Depends(...)auth,Optional[Any]escape hatches, missingresponse_model,StaticFilestraversal.
- Sentinel detection:
flaskin deps. - Matchers:
py-flask-route(gated). - Prompt highlights:
@login_requireddecorator order, SSTI viarender_template_string, raw SQL viadb.engine.execute(f"..."),send_from_directorytraversal, hardcodedsecret_key.
starlette, aiohttp, tornado, sanic, bottle, falcon,
celery, airflow. Detection runs; dedicated matchers are roadmap.
- Sentinel detection:
composer.jsondepends onlaravel/*, orartisanscript present. - Matchers:
php-laravel-route(gated). - Prompt highlights: mass assignment via
$request->all(),DB::raw/whereRawSQL injection,VerifyCsrfToken::$exceptgaps, Blade{!! !!}XSS, routes outside theauthmiddleware group.
symfony, slim, yii, cakephp, codeigniter, wordpress,
drupal, magento. Roadmap.
- Sentinel detection:
Gemfilementionsrails, orconfig/routes.rb/bin/railsexist. - Matchers:
rb-rails-controller(gated). - Prompt highlights:
skip_before_action :authenticate_user!, strong-params bypasses,raw/html_safeXSS, raw SQL, open redirect.
sinatra, grape, hanami, roda. Roadmap.
- Sentinel detection:
go.modrequiresgithub.com/gin-gonic/gin. - Matchers:
go-gin-route(gated). - Prompt highlights: route-vs-middleware ordering,
c.Query/c.Paramtrust, template auto-escaping vssafehtml.
- Sentinel detection:
go.modrequiresgithub.com/labstack/echo. - Matchers:
go-echo-route(gated). - Prompt highlights:
e.Useorder,c.Bindallowlists, group-level middleware scope.
- Sentinel detection:
go.modrequiresgithub.com/gofiber/fiber. - Matchers:
go-fiber-route(gated). - Prompt highlights: middleware order, fasthttp body lifetime gotcha.
- Sentinel detection:
go.modrequiresgithub.com/go-chi/chi. - Matchers:
go-chi-route(gated). - Prompt highlights:
r.Mountmiddleware inheritance gotcha,chi.URLParamtrust, response-shape leakage.
Always-on Go matchers regardless of framework: go-http-handler,
go-ssrf, go-command-injection, go-embed-asset,
connectrpc-handler-impl, proto-rpc-surface, unix-socket-listener.
gorilla, buffalo, grpc, connectrpc, cobra. Roadmap for
dedicated matchers (gRPC service impl already partially covered).
Detection emits tags (actix, axum, rocket, warp, tide, poem,
tonic, lambda-rs) but dedicated matchers are roadmap.
Detection emits jvm, plus spring, ktor, micronaut, jaxrs when
present. Matchers are roadmap.
Detection emits dotnet when a .csproj or global.json is present.
Matchers are roadmap.
Tags docker, terraform, github-actions are emitted but don't gate
matchers — the existing IaC and Dockerfile matchers (e.g.
tf-iam-wildcard, dockerfile-from-mutable-tag,
github-workflow-security) run unconditionally.
Three pieces, in one PR:
- Detector — add a branch in
packages/scanner/src/detect-tech.tsthat emits the tag from a sentinel file or dependency. - Matcher — under
packages/scanner/src/matchers/<slug>.ts, withrequires: { tech: ["<tag>"] }so it only runs when detected. Register it inpackages/scanner/src/matchers/index.ts. - Prompt highlight — add an entry to
packages/processor/src/prompt/highlights.ts(3–6 short bullet lines). Don't write tutorials — the model knows the framework.
Tests:
- A
detect-tech.test.tscase with a small fixture for the new tag. - A matcher unit test in
framework-matchers.test.ts(or sibling) with a known-vulnerable input that produces matches and a known-safe input that doesn't. - The existing
prompt-assemble.test.tsenforces a soft size cap on highlights — keep yours short.