Argument flow analyzer - traces where function arguments come from across multi-language codebases. It identifies API calls matching configurable presets and resolves parameter values through static analysis.
```bash
cargo build --release
```

The binary will be at `target/release/argflow`.
Analyze a single file with the crypto preset:

```bash
argflow --preset crypto --path path/to/file.go --language go
```

Analyze a directory:

```bash
argflow --preset crypto --path path/to/project --language go
```

Argflow uses presets to define which APIs to analyze. The crypto preset is bundled and used by default.
```bash
# Use bundled crypto preset (default)
argflow --path ./project --language go

# Explicitly specify preset
argflow --preset crypto --path ./project --language go

# Use custom rules file
argflow --rules ./my-rules.json --path ./project --language go
```

- `--path <PATH>` - Path to file or directory to analyze (required)
- `--preset <PRESET>` - Preset to use (e.g., crypto). Can be specified multiple times.
- `--rules <FILE>` - Custom rules file (JSON format)
- `--language <LANGUAGE>` - Language (go, python, rust, javascript, typescript). Auto-detected for single files.
- `--include-deps` - Include dependencies (vendor/, node_modules/, etc.)
- `-O, --output-file <FILE>` - Output file path (prints to stdout if not specified)
- `-f, --format <FORMAT>` - Output format: json or cbom (default: json)
- `-v, --verbose` - Increase verbosity (-v info, -vv debug, -vvv trace)
- `-q, --quiet` - Suppress all output except errors
Analyze a Go project with dependencies:

```bash
argflow --preset crypto --path ./my-project --language go --include-deps
```

Analyze a Python file:

```bash
argflow --preset crypto --path src/crypto.py --language python
```

Save output to file:

```bash
argflow --preset crypto --path ./project --language go -O findings.json
```

The tool outputs JSON with the following structure:
```json
{
  "files_scanned": 217,
  "total_calls": 518,
  "total_configs": 36,
  "findings": [
    {
      "file": "/path/to/file.go",
      "line": 11,
      "column": 10,
      "function": "Sum",
      "package": "md5",
      "import_path": "crypto/md5",
      "full_name": "md5.Sum",
      "algorithm": "MD5",
      "finding_type": "hash",
      "operation": "hash",
      "primitive": "hash",
      "parameters": {
        "data": {
          "value": null,
          "source": "function_parameter"
        }
      },
      "raw_text": "md5.Sum([]byte(infraID))"
    }
  ],
  "configs": [
    {
      "file": "/path/to/config.go",
      "line": 42,
      "column": 5,
      "struct_type": "TLSConfig",
      "full_type": "crypto/tls.Config",
      "package": "tls",
      "import_path": "crypto/tls",
      "fields": {
        "MinVersion": 771
      },
      "raw_text": "&tls.Config{MinVersion: tls.VersionTLS12}"
    }
  ]
}
```

- `files_scanned` - Number of files analyzed
- `total_calls` - Total API calls found matching the preset
- `total_configs` - Total configuration structs found
- `findings` - Array of API call findings
- `configs` - Array of configuration struct findings
Parameters can be:

- Resolved: Direct value extracted (e.g., `2048`, `"SHA-256"`)
- Partial: Expression extracted (e.g., `"BASE + 1000"` with `source: "partial_expression"`)
- Unresolved: Source identified but value unknown (e.g., `source: "function_parameter"`)
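
One way to triage this JSON in a review pipeline, as an added example that is not part of argflow. The policy (which algorithms count as weak, the TLS 1.2 floor), the names `triage` and `WEAK_ALGORITHMS`, and the `legacy.go` entry are assumptions made here; the other sample entries are trimmed from the structure shown above.

```python
import json

# Policy below is this example's assumption, not something argflow defines.
WEAK_ALGORITHMS = {"MD5", "SHA-1"}  # "MD5" as shown above; the "SHA-1" spelling is assumed
TLS12 = 771                         # 0x0303, the value of Go's tls.VersionTLS12


def triage(report):
    """Return (file, line, reason) tuples for entries that need attention."""
    issues = []
    for f in report.get("findings", []):
        where = (f.get("file"), f.get("line"))
        if f.get("algorithm") in WEAK_ALGORITHMS:
            issues.append((*where, f"weak algorithm {f['algorithm']} via {f.get('full_name')}"))
        for name, param in (f.get("parameters") or {}).items():
            # Unresolved: a source is recorded but no value could be extracted,
            # so the argument has to be reviewed by hand at the call site.
            if param.get("value") is None:
                issues.append((*where, f"parameter '{name}' unresolved (source: {param.get('source')})"))
    for c in report.get("configs", []):
        min_version = (c.get("fields") or {}).get("MinVersion")
        is_tls = c.get("full_type") == "crypto/tls.Config"
        if is_tls and isinstance(min_version, int) and min_version < TLS12:
            issues.append((c.get("file"), c.get("line"),
                           f"TLS MinVersion {min_version} is below TLS 1.2"))
    return issues


# Constructed sample: first two entries trimmed from the output shown above,
# the legacy.go config (MinVersion 769 = TLS 1.0) is made up for this example.
SAMPLE = json.loads("""
{
  "findings": [
    {"file": "/path/to/file.go", "line": 11, "full_name": "md5.Sum", "algorithm": "MD5",
     "parameters": {"data": {"value": null, "source": "function_parameter"}}}
  ],
  "configs": [
    {"file": "/path/to/config.go", "line": 42, "full_type": "crypto/tls.Config",
     "fields": {"MinVersion": 771}},
    {"file": "/path/to/legacy.go", "line": 7, "full_type": "crypto/tls.Config",
     "fields": {"MinVersion": 769}}
  ]
}
""")

if __name__ == "__main__":
    for file, line, reason in triage(SAMPLE):
        print(f"{file}:{line}: {reason}")
```

Partial values (an expression string with `source: "partial_expression"`) are not flagged here because their `value` is non-null; a stricter policy could route them to manual review as well.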
Supported languages:

- Go
- Python
- Rust
- JavaScript/TypeScript

Argflow uses Tree-sitter to parse source code into ASTs, then applies resolution strategies to trace argument values:
- Literal values - Direct constants
- Variable resolution - Finds variable declarations and constants
- Function calls - Traces return values
- Binary expressions - Evaluates arithmetic operations
- Field access - Resolves struct/object fields
- Array/index access - Resolves array and map lookups
The tool uses preset-defined API mappings to identify which function calls to analyze and how to classify them.
See presets/README.md for information on bundled presets and creating custom presets.
| Preset | Description |
|---|---|
| `crypto` | Cryptographic APIs - key derivation, encryption, hashing, signing |
MIT