
Nika: Open-Source Tool for Code Analysis

Summary

– Nika, an open-source tool from PhonePe, performs cross-file taint analysis on Java microservices to trace attacker-controlled input across application layers to security-sensitive sinks.
– Many security bugs span multiple files, making them invisible to single-file scanners; Nika traces data flow across files and functions to reveal the full vulnerable path.
– The tool detects 11 vulnerability categories, including SQL injection, server-side request forgery, and command injection, with options for custom sources and branch-aware scans.
– An optional AI review step reduces false positives by passing findings to a language model, but it is off by default and configurable for use when triage time is limited.
– Nika currently supports only Java, ships as a Docker image or local build, and is available for free on GitHub.

Many of the most dangerous security flaws in web applications don’t exist in isolation. They emerge from a chain of events that stretches across multiple files: user input enters through a controller, passes through data objects and service layers, and only becomes a threat when it reaches a sensitive operation like a database query or file action. Traditional scanners that analyze one file at a time can easily overlook these complex attack paths.

Nika, an open-source tool developed by the payments company PhonePe, addresses this challenge for Java microservices. It performs cross-file taint analysis, tracing attacker-controlled input as it moves through an application’s layers to determine whether that input ever reaches a security-sensitive sink.

The danger of many exploitable vulnerabilities only becomes visible along the entire data route. A security reviewer needs to see that full path, not just a single file. Nika traces data flow across files and functions, enabling engineers to assess whether a suspect path is actually reachable in practice.

How the Analysis Works

The tool ingests a target repository and builds an analysis representation that captures code structure, control flow, and data flow. From there, it identifies sources where attacker-controlled input enters the application and sinks where security-sensitive operations occur. A sink could be a database query, a file operation, a template engine, a reflection call, or an outbound network request. Through cross-file and inter-procedural analysis, Nika traces whether input can travel from a source to a sink. The output is an HTML or JSON report that shows the vulnerable path, affected code locations, and remediation context.
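To make the source-to-sink tracing described above concrete, here is a toy cross-file, inter-procedural taint analysis. It is an added example, not Nika's code: a constructed three-file Java-style microservice (controller, service, repository) is encoded in a tiny intermediate representation so the script runs stand-alone, and the file names, function names and statement forms are all assumptions. Taint enters at a request parameter, crosses two calls, and is reported only when it reaches a sink without passing through a sanitizer.

```python
"""Toy cross-file, inter-procedural taint analysis (added example, not Nika's code).
A constructed Java-style microservice is encoded in a tiny IR so it runs offline."""

# Constructed IR. Statement forms:
#   ("assign",   dst, src)            dst = src            (taint copies)
#   ("sanitize", dst, src)            dst = validate(src)  (taint cleared)
#   ("call",     dst, callee, args)   dst = callee(args)   (cross-file edge)
#   ("sink",     kind, var)           security-sensitive use of var
#   ("return",   var)
PROGRAM = {
    "UserController.search": {                      # file 1: HTTP entry point
        "file": "controller/UserController.java", "params": ["q"],
        "body": [("call", "rows", "UserService.find", ["q"]), ("return", "rows")]},
    "UserService.find": {                           # file 2: business logic
        "file": "service/UserService.java", "params": ["name"],
        "body": [("assign", "trimmed", "name"),
                 ("call", "rows", "UserRepository.byName", ["trimmed"]),
                 ("return", "rows")]},
    "UserRepository.byName": {                      # file 3: string-built query
        "file": "repository/UserRepository.java", "params": ["name"],
        "body": [("assign", "sql", "name"),         # "... WHERE name = '" + name + "'"
                 ("sink", "SQL_QUERY", "sql"),      # Statement.executeQuery(sql)
                 ("return", "result")]},
    "ReportController.download": {                  # entry point that validates first
        "file": "controller/ReportController.java", "params": ["fileName"],
        "body": [("sanitize", "safeName", "fileName"),   # allow-list check
                 ("call", "data", "ReportService.read", ["safeName"]),
                 ("return", "data")]},
    "ReportService.read": {
        "file": "service/ReportService.java", "params": ["name"],
        "body": [("assign", "path", "name"), ("sink", "FILE_READ", "path"),
                 ("return", "bytes")]},
}

# Sources: entry points whose parameters carry attacker-controlled input.
SOURCES = {"UserController.search": {"q"}, "ReportController.download": {"fileName"}}


def trace(func, tainted_params, path, findings, stack=()):
    """Walk one function with the given tainted parameters, descending into a
    callee whenever a tainted argument crosses a call. Returns True if the
    function's return value is tainted. `stack` guards against call cycles."""
    if func in stack:            # recursive cycle: stop conservatively on this edge
        return False
    fn = PROGRAM[func]
    where = f"{fn['file']} {func}"
    tainted = set(tainted_params)
    ret_tainted = False
    for stmt in fn["body"]:
        op = stmt[0]
        if op == "assign":
            _, dst, src = stmt
            tainted.discard(dst)
            if src in tainted:
                tainted.add(dst)
        elif op == "sanitize":   # validated value is treated as clean
            tainted.discard(stmt[1])
        elif op == "call":
            _, dst, callee, args = stmt
            passed = {p for p, a in zip(PROGRAM[callee]["params"], args) if a in tainted}
            tainted.discard(dst)
            if passed:           # only follow the edge when taint actually crosses it
                step = f"{where}: {dst} = {callee}({', '.join(args)})"
                if trace(callee, passed, path + [step], findings, stack + (func,)):
                    tainted.add(dst)
        elif op == "sink":
            _, kind, var = stmt
            if var in tainted:   # tainted data reached a sensitive operation
                findings.append({"kind": kind, "path": path + [f"{where}: {kind}({var})"]})
        elif op == "return":
            ret_tainted = stmt[1] in tainted
    return ret_tainted


def scan(sources=SOURCES):
    """Run the analysis from every source; returns the source-to-sink findings."""
    findings = []
    for entry, params in sources.items():
        start = f"{PROGRAM[entry]['file']} {entry}: source {sorted(params)}"
        trace(entry, params, [start], findings)
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"[{f['kind']}] tainted path:")
        for step in f["path"]:
            print("   ", step)
```

Running the script reports one SQL_QUERY finding whose path lists all three files, and nothing for the download handler, because the allow-list validation clears the taint before the file read. The cycle guard and the per-call propagation of only the tainted parameters are the two details that distinguish this from a single-file grep, and they are the same ideas a real cross-file engine has to get right.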

What It Detects

Nika covers eleven vulnerability categories, among them SQL injection, server-side request forgery, path traversal, command injection, code injection, template injection, deserialization flaws, XML external entity issues, cryptographic failures, and unsafe reflection. It also checks for security-critical call-order violations in sensitive execution flows and validation chains. Teams can extend coverage with custom sources, OpenGrep sinks, and vulnerability plugins, and they can run branch-aware scans as part of secure code review.

An Optional AI Review Step

After the core analysis runs, Nika can pass its findings to an AI agent for a second review aimed at reducing false positives. This step is off by default and activated through a configuration setting. The sample configuration points the review at a hosted large language model and includes values for token cost, iteration counts, and call limits. Keeping this step optional lets teams run the static engine independently and add the language-model pass when triage time is short.

The tool is designed for secure code review workflows. Branch-aware scanning lets a reviewer point Nika at the specific changes under review, and the HTML report lays out the source-to-sink path along with the lines involved. The remediation context in the report provides a starting point for a fix.

Benchmarking and Language Support

The Nika team has measured the tool against a public test set. Praveen Kanniah, a maintainer of the project, explained the method: “We have used the OWASP Java benchmark project to benchmark our tool. The codebase has intentionally vulnerable files and is gauged against parameters like True Positives, False Positives, recall (the overall true positives identified amongst what exists in the code), etc.”

The OWASP benchmark supplies code with planted flaws, allowing a scanner’s results to be scored on how many real issues it catches and how many of its alerts hold up. Recall, in that context, measures the share of existing vulnerabilities the tool manages to surface.

Java is the only supported language at this stage, with coverage for more languages on the roadmap. Nika ships as a Docker image and as a local build, with documentation available on a dedicated project site. Nika is available for free on GitHub.

(Source: Help Net Security)
