Supported tech

May 6, 2026 · View on GitHub

Canonical list of frameworks and ecosystems deepsec recognizes out of the box. Each entry tells you three things:

  1. How deepsec detects it — which sentinel files / lockfile shapes trigger the tech tag. See packages/scanner/src/detect-tech.ts.
  2. What it scans for — the matcher slugs that activate when the tech is detected. Matchers without a tech gate run on every repo.
  3. What the prompt knows about — the per-tech "threat highlights" block that gets injected when the tech is detected. See packages/processor/src/prompt/highlights.ts.

Detection happens once per scan, with results persisted to data/<projectId>/tech.json. Matcher gates and prompt highlights share that single signal.

Plugin authors: before adding a matcher for a framework already on this list, check whether you can extend the existing matcher instead. If your framework is missing, add a detector entry + matcher + prompt highlight together in one PR.

TypeScript / JavaScript (Node, Bun, Deno, Workers)

Next.js (nextjs)

  • Sentinel detection: package.json depends on next; or next.config.{js,ts,mjs} is present.
  • Matchers: all-route-handlers, all-server-actions, nextjs-middleware, nextjs-middleware-only-auth, framework-server-action, framework-untrusted-fetch, framework-internal-header, framework-image-optimizer, framework-edge-sandbox, page-data-fetch, page-without-auth-fetch, use-server-export, unsafe-json-in-html.
  • Prompt highlights: middleware.ts is not sufficient auth, Server Actions are public POSTs, JSON-in-script XSS, search-param trust, cache-tag cross-tenant leaks.

React (react)

  • Sentinel detection: react or react-dom in package.json.
  • Matchers: dangerous-html, xss, postmessage-origin.
  • Prompt highlights: dangerouslySetInnerHTML with DB-stored HTML, ref/effect-driven open redirects, JSON-in-script escapes.

Express (express)

  • Sentinel detection: express in package.json.
  • Matchers: js-express-route (gated), plus all generic JS matchers.
  • Prompt highlights: route-vs-middleware ordering, req.* injection surfaces, express.static traversal, error-leak responses, CORS reflect.

Fastify (fastify)

  • Sentinel detection: fastify in package.json.
  • Matchers: js-fastify-route (gated).
  • Prompt highlights: preHandler/onRequest auth, schema validation as the FP mitigation, plugin scope inheritance.

NestJS (nestjs)

  • Sentinel detection: any @nestjs/* package in package.json.
  • Matchers: js-nestjs-controller (gated).
  • Prompt highlights: missing @UseGuards, untyped @Body(), @Public() opt-outs of global auth.

Hono (hono)

  • Sentinel detection: hono in package.json.
  • Matchers: js-hono-route (gated).
  • Prompt highlights: middleware-before-routes ordering, c.req.* trust, edge-runtime trust boundary to backend.

Other JS detected (no dedicated matcher yet)

koa, hapi, remix, sveltekit, nuxt, astro, solidstart, trpc, mcp, connectrpc, graphql, socketio, bullmq, drizzle, prisma, bun, deno, workers. The generic JS/TS matchers (all-route-handlers, cors-wildcard, secret-env-var, etc.) still run.

Python

Django / DRF (django, djangorestframework)

  • Sentinel detection: manage.py, Django in requirements.txt/pyproject.toml/setup.py.
  • Matchers: py-django-view (gated).
  • Prompt highlights: @csrf_exempt on writes, raw SQL via f-strings, mark_safe, ModelForm mass assignment, DEBUG/ALLOWED_HOSTS leaks, DRF permission_classes gaps.

FastAPI (fastapi)

  • Sentinel detection: fastapi in deps.
  • Matchers: py-fastapi-route (gated).
  • Prompt highlights: missing Depends(...) auth, Optional[Any] escape hatches, missing response_model, StaticFiles traversal.

Flask (flask)

  • Sentinel detection: flask in deps.
  • Matchers: py-flask-route (gated).
  • Prompt highlights: @login_required decorator order, SSTI via render_template_string, raw SQL via db.engine.execute(f"..."), send_from_directory traversal, hardcoded secret_key.

Other Python detected

starlette, aiohttp, tornado, sanic, bottle, falcon, celery, airflow. Detection runs; dedicated matchers are roadmap.

PHP

Laravel (laravel)

  • Sentinel detection: composer.json depends on laravel/*, or artisan script present.
  • Matchers: php-laravel-route (gated).
  • Prompt highlights: mass assignment via $request->all(), DB::raw/whereRaw SQL injection, VerifyCsrfToken::$except gaps, Blade {!! !!} XSS, routes outside the auth middleware group.

Other PHP detected

symfony, slim, yii, cakephp, codeigniter, wordpress, drupal, magento. Roadmap.

Ruby

Rails (rails)

  • Sentinel detection: Gemfile mentions rails, or config/routes.rb / bin/rails exist.
  • Matchers: rb-rails-controller (gated).
  • Prompt highlights: skip_before_action :authenticate_user!, strong-params bypasses, raw/html_safe XSS, raw SQL, open redirect.

Other Ruby detected

sinatra, grape, hanami, roda. Roadmap.

Go

Gin (gin)

  • Sentinel detection: go.mod requires github.com/gin-gonic/gin.
  • Matchers: go-gin-route (gated).
  • Prompt highlights: route-vs-middleware ordering, c.Query/c.Param trust, template auto-escaping vs safehtml.

Echo (echo)

  • Sentinel detection: go.mod requires github.com/labstack/echo.
  • Matchers: go-echo-route (gated).
  • Prompt highlights: e.Use order, c.Bind allowlists, group-level middleware scope.

Fiber (fiber)

  • Sentinel detection: go.mod requires github.com/gofiber/fiber.
  • Matchers: go-fiber-route (gated).
  • Prompt highlights: middleware order, fasthttp body lifetime gotcha.

Chi (chi)

  • Sentinel detection: go.mod requires github.com/go-chi/chi.
  • Matchers: go-chi-route (gated).
  • Prompt highlights: r.Mount middleware inheritance gotcha, chi.URLParam trust, response-shape leakage.

Generic Go (go)

Always-on Go matchers regardless of framework: go-http-handler, go-ssrf, go-command-injection, go-embed-asset, connectrpc-handler-impl, proto-rpc-surface, unix-socket-listener.

Other Go detected

gorilla, buffalo, grpc, connectrpc, cobra. Roadmap for dedicated matchers (gRPC service impl already partially covered).

Rust

Detection emits tags (actix, axum, rocket, warp, tide, poem, tonic, lambda-rs) but dedicated matchers are roadmap.

JVM (Java / Kotlin)

Detection emits jvm, plus spring, ktor, micronaut, jaxrs when present. Matchers are roadmap.

.NET

Detection emits dotnet when a .csproj or global.json is present. Matchers are roadmap.

Cross-cutting infra (always-on)

Tags docker, terraform, github-actions are emitted but don't gate matchers — the existing IaC and Dockerfile matchers (e.g. tf-iam-wildcard, dockerfile-from-mutable-tag, github-workflow-security) run unconditionally.

Adding a new ecosystem

Three pieces, in one PR:

  1. Detector — add a branch in packages/scanner/src/detect-tech.ts that emits the tag from a sentinel file or dependency.
  2. Matcher — under packages/scanner/src/matchers/<slug>.ts, with requires: { tech: ["<tag>"] } so it only runs when detected. Register it in packages/scanner/src/matchers/index.ts.
  3. Prompt highlight — add an entry to packages/processor/src/prompt/highlights.ts (3–6 short bullet lines). Don't write tutorials — the model knows the framework.

Tests:

  • A detect-tech.test.ts case with a small fixture for the new tag.
  • A matcher unit test in framework-matchers.test.ts (or sibling) with a known-vulnerable input that produces matches and a known-safe input that doesn't.
  • The existing prompt-assemble.test.ts enforces a soft size cap on highlights — keep yours short.