Supported Languages and Frameworks
This page details which programming languages and frameworks are supported by each scanner in Mayo ASPM.
Scanner coverage matrix
| Language | Grype (SCA) | Trivy (SCA) | Semgrep (SAST) | Gitleaks (Secrets) |
|---|---|---|---|---|
| JavaScript | Yes | Yes | Yes | Yes |
| TypeScript | Yes | Yes | Yes | Yes |
| Python | Yes | Yes | Yes | Yes |
| Java | Yes | Yes | Yes | Yes |
| Kotlin | Yes | Yes | Yes | Yes |
| Go | Yes | Yes | Yes | Yes |
| Ruby | Yes | Yes | Yes | Yes |
| PHP | Yes | Yes | Yes | Yes |
| C# / .NET | Yes | Yes | Yes | Yes |
| Rust | Yes | Yes | Moderate | Yes |
| Swift | Yes | Yes | Moderate | Yes |
| Scala | Yes | Yes | Moderate | Yes |
| Elixir | Yes | Yes | Basic | Yes |
| Perl | Partial | Partial | No | Yes |
| C / C++ | No | Partial | Basic | Yes |
| Dart | Partial | Partial | No | Yes |
| R | No | No | No | Yes |
| Shell / Bash | No | No | Basic | Yes |
| HCL (Terraform) | No | Yes | Yes | Yes |
| YAML | No | No | Basic | Yes |
Gitleaks coverage
Gitleaks is language-agnostic — it scans all text files using regex patterns. The "Yes" for every language indicates it will search for secrets in any file type.
JavaScript / TypeScript
SCA (Grype, Trivy)
| Package manager | Lock file | Supported |
|---|---|---|
| npm | package-lock.json | Yes |
| yarn | yarn.lock | Yes |
| pnpm | pnpm-lock.yaml | Yes |
| Bun | bun.lockb | Partial |
SAST (Semgrep)
| Framework | Rule coverage |
|---|---|
| Express.js | Extensive (XSS, SSRF, SQLi, auth) |
| React | Strong (XSS, dangerouslySetInnerHTML) |
| Next.js | Strong (SSRF, auth, API routes) |
| Vue.js | Moderate |
| Angular | Moderate |
| Node.js core | Extensive (path traversal, child_process) |
| Electron | Moderate |
Secret patterns (Gitleaks)
- AWS access keys and secret keys
- npm tokens
- Firebase API keys
- Stripe keys
- JWT secrets in environment files
Python
SCA (Grype, Trivy)
| Package manager | Lock file | Supported |
|---|---|---|
| pip | requirements.txt | Yes |
| Poetry | poetry.lock | Yes |
| Pipenv | Pipfile.lock | Yes |
| Conda | environment.yml | Partial |
| PDM | pdm.lock | Yes |
SAST (Semgrep)
| Framework | Rule coverage |
|---|---|
| Django | Extensive (SQLi, XSS, CSRF, auth) |
| Flask | Extensive (injection, SSRF) |
| FastAPI | Strong |
| SQLAlchemy | Strong (SQL injection) |
| Requests | Strong (SSRF) |
| subprocess | Extensive (command injection) |
| pickle | Strong (deserialization) |
Java / Kotlin
SCA (Grype, Trivy)
| Build tool | Lock file / manifest | Supported |
|---|---|---|
| Maven | pom.xml | Yes |
| Gradle | build.gradle, gradle.lockfile | Yes |
| SBT (Scala) | build.sbt | Yes |
SAST (Semgrep)
| Framework | Rule coverage |
|---|---|
| Spring / Spring Boot | Extensive (SQLi, XSS, SSRF, auth, actuator) |
| Jakarta EE / Java EE | Strong |
| MyBatis | Strong (SQL injection) |
| Hibernate | Moderate |
| Android SDK | Strong (Kotlin and Java) |
Go
SCA (Grype, Trivy)
| Tool | Manifest | Supported |
|---|---|---|
| Go modules | go.mod, go.sum | Yes |
SAST (Semgrep)
| Framework / Library | Rule coverage |
|---|---|
| net/http | Strong (SSRF, path traversal) |
| Gin | Moderate |
| Echo | Moderate |
| GORM | Moderate (SQL injection) |
| database/sql | Strong (SQL injection) |
| os/exec | Strong (command injection) |
| crypto | Moderate (weak crypto) |
Ruby
SCA (Grype, Trivy)
| Tool | Manifest | Supported |
|---|---|---|
| Bundler | Gemfile.lock | Yes |
SAST (Semgrep)
| Framework | Rule coverage |
|---|---|
| Ruby on Rails | Extensive (SQLi, XSS, CSRF, mass assignment) |
| Sinatra | Moderate |
| ActiveRecord | Strong (SQL injection) |
PHP
SCA (Grype, Trivy)
| Tool | Manifest | Supported |
|---|---|---|
| Composer | composer.lock | Yes |
SAST (Semgrep)
| Framework | Rule coverage |
|---|---|
| Laravel | Strong (SQLi, XSS, auth) |
| Symfony | Moderate |
| WordPress | Moderate |
| Core PHP | Strong (file inclusion, SQLi, XSS) |
C# / .NET
SCA (Grype, Trivy)
| Tool | Manifest | Supported |
|---|---|---|
| NuGet | packages.lock.json, .csproj | Yes |
| .NET CLI | global.json | Partial |
SAST (Semgrep)
| Framework | Rule coverage |
|---|---|
| ASP.NET Core | Strong (injection, auth) |
| Entity Framework | Moderate (SQL injection) |
| .NET Standard | Moderate |
Rust
SCA (Grype, Trivy)
| Tool | Manifest | Supported |
|---|---|---|
| Cargo | Cargo.lock | Yes |
SAST (Semgrep)
| Area | Rule coverage |
|---|---|
| unsafe blocks | Moderate |
| Web frameworks (Actix, Axum) | Basic |
| Command execution | Moderate |
Container and IaC (Trivy only)
| Technology | Supported | What it scans |
|---|---|---|
| Docker images | Yes | OS packages, application dependencies |
| Dockerfile | Yes | Misconfigurations (running as root, exposed ports) |
| Terraform | Yes | Cloud misconfigurations (AWS, GCP, Azure) |
| CloudFormation | Yes | AWS resource misconfigurations |
| Kubernetes YAML | Yes | Security contexts, network policies |
| Helm charts | Yes | Template rendering + scanning |
Adding language support
Mayo ASPM's scanner support evolves with the underlying scanner tools. Language support is updated automatically when scanner databases are refreshed.
If you need coverage for a language not listed here, contact support@mayoaspm.com.