Lintel

Product

One engine. Every language. All the packs.

Lintel is built on a multi-language AST core with a plugin architecture for rule packs and a pluggable provider interface for AI triage. Everything runs from a single binary or a single container, your choice.

Core capabilities

Built for production, not demos.

Multi-language AST core

Tree-sitter parsers for 13+ languages. libclang for deep C/C++ semantic analysis.

Plugin architecture

Rule packs are JSON plus optional code. Sign them, version them, distribute them.

Data-flow & taint

Inter-procedural taint tracking for injection, SSRF, path traversal, and command exec.

Content-addressed cache

Scan only what changed. Hash-keyed AST cache keeps incremental scans sub-second.

SARIF 2.1.0 output

First-class SARIF for GitHub code scanning, Azure DevOps, GitLab, and any SARIF consumer.

Signed rule packs

Ed25519 signatures on every pack. Only trusted rulesets run in production.

Signed licenses

License blobs are cryptographically bound to your tenant. No phone-home activation.

Encrypted secrets

AES-256-GCM encryption of API keys at rest. Auto-generated key, or bring your own.

Full audit log

Every scan, triage action, license change, and config update is recorded and exportable.

Languages

Every ecosystem your team ships to.

Lintel ships with production-grade analyzers for the languages that actually make it into binaries.

C, C++, C#, Python, JavaScript, TypeScript, Go, Java, Rust, Kotlin, Swift, Ruby, PHP

Missing something? Tell us; the plugin SDK makes adding a new language straightforward.

Security packs

Curated, maintained, and versioned.

We don't scrape rules from public repos. Every pack is reviewed, false-positive-tested, and updated on a monthly cadence.

OWASP Top 10

Injection, auth, deserialization, SSRF, cryptographic failures.

CWE Top 25

The most dangerous software weaknesses, mapped to live rules.

Secrets & credentials

API keys, private keys, tokens, cloud credentials in code and config.

Crypto mistakes

Weak algorithms, hardcoded IVs, RNG misuse, broken TLS validation.

MISRA-CPP 2008

Safety-critical C++ rule coverage for automotive, medical, and aerospace codebases.

Framework-specific

Django, Flask, FastAPI, Express, Rails, Spring, .NET Core.

AI providers

Bring your own brain.

Lintel never forces you to route findings through a specific vendor. Pick the provider that matches your compliance posture.

OpenAI

GPT-4o, GPT-4-turbo. Best general reasoning for fix suggestions.

Anthropic

Claude Opus, Sonnet, Haiku. Long-context explanations of data-flow findings.

Ollama (local)

Run any Llama, Qwen, Mistral model on your own GPU. Air-gap-friendly.

Abacus RouteLLM

Auto-routes each request to the most cost-effective model. Single API key.

Three ways to drive it

CLI, REST API, Web UI.

CLI

$ sastcli scan ./src \
   --format sarif \
   -o report.sarif

Perfect for CI pipelines. Exits non-zero on findings above a severity threshold.
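A CI gate over the SARIF file that command writes, added here as an example and not Lintel's own code: it resolves each result's effective level the way SARIF 2.1.0 defines it (an explicit level, else the rule's defaultConfiguration, else warning; non-failing kinds count as none) and exits non-zero when anything meets the threshold. The SARIF document is constructed, and the threshold is applied by the script because the page does not name the sastcli flag for it.

```python
import json
import sys

# SARIF 2.1.0 result levels, ordered by severity.
LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample standing in for report.sarif; rule R2 declares no default level.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "R1", "defaultConfiguration": {"level": "error"}},
            {"id": "R2"},
        ]}},
        "results": [
            {"ruleId": "R1", "ruleIndex": 0, "message": {"text": "a"}},   # inherits rule default: error
            {"ruleId": "R2", "level": "note", "message": {"text": "b"}},  # explicit level wins
            {"ruleId": "R2", "message": {"text": "c"}},                   # spec default: warning
            {"ruleId": "R1", "kind": "pass", "message": {"text": "d"}},   # non-fail kind: none
        ],
    }],
})

def result_level(result, rules):
    """Effective level of one result, following the SARIF 2.1.0 defaulting rules."""
    if "level" in result:
        return result["level"]
    if result.get("kind", "fail") != "fail":  # pass/review/open/... default to "none"
        return "none"
    idx = result.get("ruleIndex", -1)  # ruleIndex is preferred, ruleId is the fallback
    rule = rules[idx] if 0 <= idx < len(rules) else next(
        (r for r in rules if r.get("id") == result.get("ruleId")), None)
    return (rule or {}).get("defaultConfiguration", {}).get("level", "warning")

def count_at_or_above(sarif_text, threshold):
    """Count results across all runs whose effective level is >= threshold."""
    doc = json.loads(sarif_text)
    floor = LEVELS[threshold]
    hits = 0
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for result in run.get("results", []):
            if LEVELS.get(result_level(result, rules), 0) >= floor:
                hits += 1
    return hits

if __name__ == "__main__":  # python gate.py report.sarif [note|warning|error]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    hits = count_at_or_above(text, sys.argv[2] if len(sys.argv) > 2 else "warning")
    sys.exit(1 if hits else 0)
```

Run it on the sample with no arguments to see the defaulting rules applied, or point it at the report.sarif produced above.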

REST API

POST /api/scan
{"target": "./src"}

GET  /api/scans
GET  /api/scans/:id/findings

Full OpenAPI 3.1 spec. Integrate with your ticketing, chat, or custom dashboards.

Web UI

A full triage experience: heatmaps, language breakdowns, finding detail with syntax-highlighted code, AI explanations, exports (SARIF, JSON, CSV, HTML), and merged scan views.

Ready to see it on your codebase?

Free Community tier. Pro trial with all packs and AI. Enterprise demo with SSO and compliance walk-through.