Supported Languages
Programming languages and frameworks supported by Secbez — graph indexing, dataflow, and framework support per language.
Secbez analyzes every supported language through our graph engine. The engine parses source, extracts the symbol and call structure, and (for the languages where it's enabled) computes dataflow — sources, sinks, sanitizers, and propagation — across files.
Language matrix
| Language | Extensions | Graph indexing | Dataflow | Notable framework support |
|---|---|---|---|---|
| JavaScript | .js, .jsx, .mjs, .cjs | Full | Full | Express, Koa, Fastify, Next.js, Remix, Hono |
| TypeScript | .ts, .tsx | Full | Full | Express, Next.js, NestJS, tRPC, Remix, Hono, Fastify |
| Rust | .rs | Full | Full | Axum, Actix |
| Python | .py | Full | On Enterprise tier | Django, Flask, FastAPI, Starlette |
| Go | .go | Full | On Enterprise tier | net/http, Gin, Echo, Fiber |
| Java | .java | Full | On Enterprise tier | Spring, Spring Boot |
| C# | .cs | Full | On Enterprise tier | ASP.NET Core |
| Kotlin | .kt, .kts | Full | On Enterprise tier | Spring (Kotlin), Ktor |
| C / C++ | .c, .cpp, .h, .hpp | Full | On Enterprise tier | — |
| PHP | .php | Full | On Enterprise tier | Laravel, Symfony |
| Ruby | .rb | Full | On Enterprise tier | Rails, Sinatra |
| Swift | .swift | Full | On Enterprise tier | Vapor |
"Full graph indexing" means functions, calls, references, imports, and route mounts are extracted into the per-snapshot graph and used for cross-file evidence. Dataflow — source-to-sink propagation across symbols and files — currently ships for JavaScript, TypeScript, and Rust. Dataflow for any other language is available on the Enterprise tier on request; it's a matter of scoping the work, not a hard limitation.
Don't see your framework or language?
If your stack — language version, framework, ORM, auth library, queue, or in-house platform — isn't fully covered here, contact us. Enterprise customers get bespoke coverage built for their environment: dataflow for the languages they need, framework hints, custom detectors. Reach out via your account contact or enterprise@secbez.com.
Scanning scope
- All supported file types found in the repository are scanned. Non-code files (images, binaries, lockfiles, generated artifacts) are skipped.
- Files in
__tests__/,*.test.*,*.spec.*, and/tests/directories are scanned, but findings in test code are tagged separately and don't gate by default. - Vendored / third-party directories (
vendor/,node_modules/,dist/,build/) are excluded from active scanning. Path includes/excludes can be customized per repository.