PhantomYerra is a pure-Python static analysis engine that ships 24,476 detection rules across 16 languages - and exceeds the documented rule count of every commercial peer it is benchmarked against, language by language.
The counts are re.findall hits on the scanner files - not estimated, not aspirational.

Each engine's rule count is shown next to the deduped sum of the commercial tools that cover that language. The ratio is how far PhantomYerra exceeds that peer total.
| Language | PhantomYerra rules | Commercial peers (deduped) | Ratio |
|---|---|---|---|
| C | 5,752 | Coverity + Cppcheck + Flawfinder (~4,150) | 1.39× |
| C++ | 4,566 | Coverity + clang-tidy CppCoreGuidelines + Cppcheck (~2,250) | 2.03× |
| Java | 2,164 | SpotBugs + FindSecBugs + PMD + ErrorProne + SonarJava + CodeQL (~2,000) | 1.08× |
| JavaScript / TypeScript | 1,667 | ESLint-security + Semgrep + njsscan + CodeQL (~1,500) | 1.11× |
| PHP | 1,604 | PHPStan + Psalm + RIPS + PHPMD + Exakat + Phan (~1,520) | 1.06× |
| Rust | 1,439 | Clippy + cargo-audit + clippy-pedantic (~700) | 2.06× |
| Go | 1,027 | gosec + staticcheck + revive + go-critic (~420) | 2.45× |
| Swift | 950 | SwiftLint + Periphery + SonarSwift (~500) | 1.90× |
| .NET / C# | 932 | SonarC# + SecurityCodeScan + Roslyn-sec (~550) | 1.69× |
| Ruby | 871 | Brakeman + RuboCop-sec + dawnscanner + SonarRuby (~570) | 1.53× |
| Kotlin | 870 | Detekt + SpotBugs-Kotlin + SonarKotlin (~490) | 1.78× |
| Python | 743 | Bandit + Semgrep + pyre + ruff-sec (~475) | 1.56× |
| Scala | 655 | Scapegoat + WartRemover + SonarScala (~350) | 1.87× |
| Dart | 556 | Dart lints + pana + dart_code_metrics (~250) | 2.22× |
| Native total (13 deep engines) | 23,796 | deduped commercial peer sum ~15,000 | 1.59× |
No commercial scanner ships a unified AI-security rule pack at this breadth. 680 cross-language rules in seven packs, plus 1,090 framework-native rules across 13 languages.
| Rules | Coverage |
|---|---|
| 120 | Placeholder secrets, AI-tell comments, hallucinated imports, "Generated by ChatGPT/Copilot/Claude/Cursor" markers. |
| 120 | OpenAI sk-proj-, Anthropic sk-ant-, Google AIza, plus 15+ provider key formats. |
| 100 | User input → LLM, LLM output → eval/exec/innerHTML/subprocess, LangChain REPL/Shell tools. |
| 90 | torch.load without weights_only, untrusted pickle.load, trust_remote_code=True, ONNX/TF/Diffusers. |
| 80 | Chroma/Pinecone/Weaviate/Qdrant/Milvus default auth, pgvector RLS, RAG indirect injection. |
| 90 | MCP tools without scope, missing iteration caps, exposed Shell/REPL, Streamlit/Gradio share=True. |
| 80 | PII in prompt logs, non-zero-retention providers, real customer data in few-shot, missing audit logs. |
| 1,090 | Spring AI, LangChain(.js/4j/rs/go/dart), Vercel AI SDK, Semantic Kernel, llama.cpp, MLX, candle & more - across 13 languages. |
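To show what a rule like "torch.load without weights_only" or "trust_remote_code=True" looks like when it runs over source code, here is an added example of a minimal AST-based checker. It is not PhantomYerra's code; the rule IDs (HYPO-ML-*), the messages and the sample file are made up for this illustration.

```python
"""Added example: three model-loading rules implemented as a Python AST visitor.
Not PhantomYerra's code; rule IDs and messages are hypothetical."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    message: str


def callee_name(call: ast.Call) -> str:
    """Best-effort dotted name of the callee, e.g. 'torch.load' or 'AutoModel.from_pretrained'."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def keyword(call: ast.Call, name: str):
    """Value node of keyword argument `name`, or None if it is absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def is_true(node) -> bool:
    return isinstance(node, ast.Constant) and node.value is True


class ModelLoadRules(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node: ast.Call):
        name = callee_name(node)
        if name == "torch.load":
            # Older PyTorch defaults to weights_only=False (full unpickling), so an
            # absent keyword is flagged as well as an explicit non-True value.
            if not is_true(keyword(node, "weights_only")):
                self.findings.append(Finding("HYPO-ML-001", node.lineno,
                    "torch.load without weights_only=True unpickles arbitrary objects"))
        elif name.endswith("from_pretrained") and is_true(keyword(node, "trust_remote_code")):
            self.findings.append(Finding("HYPO-ML-002", node.lineno,
                "trust_remote_code=True runs code shipped with the model repository"))
        elif name in ("pickle.load", "pickle.loads"):
            self.findings.append(Finding("HYPO-ML-003", node.lineno,
                "pickle.load on data that may be untrusted"))
        self.generic_visit(node)


def scan_source(source: str) -> list:
    """Parse a Python module and return findings sorted by line."""
    visitor = ModelLoadRules()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input; line 4, 6 and 8 should be flagged, line 5 should not.
SAMPLE = """\
import torch, pickle
from transformers import AutoModel

state = torch.load("ckpt.pt")
safe = torch.load("ckpt.pt", weights_only=True)
model = AutoModel.from_pretrained("org/model", trust_remote_code=True)
with open("blob.pkl", "rb") as fh:
    obj = pickle.load(fh)
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.rule} line {f.line}: {f.message}")
```

The visitor only needs the parsed syntax tree, so it runs on code that cannot be imported or executed, which is the point of a static rule: the sample above references `torch` and `transformers` but neither has to be installed to scan it.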
Each rule carries its CWE plus the coding-standard IDs it satisfies, so findings roll up into compliance evidence automatically - and you can export a one-click regulatory compliance report per scan, including an EU Cyber Resilience Act (CRA) report mapping findings to Annex I Part I (essential requirements) and Part II (vulnerability handling). Required for products placed on the EU market this year.
Beyond pattern rules, PhantomYerra adds abstract-interpretation domains, cross-TU taint, and FP-calibrated confidence so the high rule counts stay precise.
- Buffer overrun/underrun, use-after-free, double-free, null-pointer dereference, uninitialized reads.
- SQLi, command, format-string, path traversal, SSRF, XXE, deserialization - with source→sink line traces.
- Data races, lock-order/deadlock, TOCTOU, atomicity violations.
- Overflow/wraparound, signedness, shift UB, implementation-defined behavior.
- Weak ciphers, broken random, hardcoded credentials, key leakage (incl. 15+ LLM key formats).
- Interval, nullness, resource & taint lattices on high-value rules - FP-gated against Juliet + OWASP Benchmark.
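The "source→sink line traces" item above is easier to picture with a concrete, if toy, taint tracker. The block below is an added example, not PhantomYerra's analysis: it follows taint through straight-line assignments in one function body, stops at a small set of sanitizers, and reports the chain of line numbers from source to sink. The source, sink and sanitizer tables and the sample program are constructed for the illustration.

```python
"""Added example (not PhantomYerra's code): a toy intra-procedural taint tracker
over the Python AST that reports source-to-sink line traces."""
import ast
from dataclasses import dataclass

# Constructed tables: where untrusted data enters, where it must not reach, what cleans it.
SOURCES = {"input", "request.args.get", "request.form.get"}
SINKS = {"os.system": "command injection", "subprocess.call": "command injection",
         "eval": "code injection", "cursor.execute": "SQL injection"}
SANITIZERS = {"int", "shlex.quote"}


@dataclass
class Finding:
    kind: str
    sink_line: int
    trace: list   # source line, each propagating assignment, then the sink line


def dotted(call: ast.Call) -> str:
    """Best-effort dotted callee name, e.g. 'os.system' or 'cursor.execute'."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def extend(trace, line):
    """Append a line to a trace unless it is already the last entry."""
    return trace if trace[-1] == line else trace + [line]


class TaintTracker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = {}     # variable name -> line trace that reached it
        self.findings = []

    def taint_of(self, node):
        """Return the line trace if the expression carries taint, else None."""
        if isinstance(node, ast.Call):
            name = dotted(node)
            if name in SOURCES:
                return [node.lineno]
            if name in SANITIZERS:
                return None                      # sanitizer breaks the flow
            operands = list(node.args) + [kw.value for kw in node.keywords]
            if isinstance(node.func, ast.Attribute):
                operands.append(node.func.value)  # receiver of a method call, e.g. user.strip()
            for sub in operands:
                trace = self.taint_of(sub)
                if trace:
                    return trace
            return None
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        for child in ast.iter_child_nodes(node):  # BinOp, f-strings, subscripts, ...
            trace = self.taint_of(child)
            if trace:
                return trace
        return None

    def visit_Assign(self, node):
        trace = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if trace:
                    self.tainted[target.id] = extend(trace, node.lineno)
                else:
                    self.tainted.pop(target.id, None)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        kind = SINKS.get(dotted(node))
        if kind:
            for arg in node.args:
                trace = self.taint_of(arg)
                if trace:
                    self.findings.append(Finding(kind, node.lineno, extend(trace, node.lineno)))
                    break
        self.generic_visit(node)


def trace_taint(source: str) -> list:
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return sorted(tracker.findings, key=lambda f: f.sink_line)


# Constructed sample: lines 4 and 9 are sinks reached by line 2; lines 6 and 7 are cleaned.
SAMPLE = """\
import os, shlex
user = input("file: ")
path = "/srv/data/" + user
os.system("cat " + path)
safe = shlex.quote(user)
os.system("cat " + safe)
n = int(user)
query = f"SELECT * FROM t WHERE id = {user}"
cursor.execute(query)
"""

if __name__ == "__main__":
    for f in trace_taint(SAMPLE):
        print(f"{f.kind}: " + " -> ".join(f"line {n}" for n in f.trace))
```

A real engine adds what this toy omits: flow through function calls and across translation units, field- and index-sensitivity, and calibration of which sanitizers are trusted for which sink class (shlex.quote neutralises a shell argument but does nothing for SQL).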
Detailed, side-by-side comparisons against the tools teams benchmark SAST against.