Glp V2 Inter-procedural taint analysis for Go

Hey everyone.

Coming here to share the next step of a custom tool I needed, then built, Glp.

Sharing the core part here, which is pure Go.

Hope someone likes it, and hope even more that someone will review it.

glp loads the entire program into SSA, builds a VTA callgraph (resolves interface dispatch and closures), then walks it. Seven tools exposed over MCP:

  • glp_load — load project, build SSA
  • glp_callgraph — static (fast, direct calls) or VTA (precise, interfaces + closures)
  • glp_taint — inter-procedural taint tracking from entry points to database/HTTP sinks
  • glp_sinks — bottom-up sink discovery via inverted callgraph
  • glp_sql — extract constant SQL queries via ssa.Const
  • glp_deadcode — exported functions with zero callers
  • sinkerr — go/analysis check that errors from SQL calls are handled

The taint tracker

The core is taint/tracker.go, 217 lines. A recursive DFS that follows a tainted value (typically context.Context) through SSA instructions, jumping across function boundaries using VTA callgraph edges as bridges.

Four jump cases:

  • Call — maps Args[i] to Params[i] in the target function via VTA edge resolution. Adjusts for interface invoke (receiver offset).
  • MakeClosure — maps Bindings[k] to FreeVars[k]. Follows values captured by closures.
  • MakeInterface — follows values through interface casts.
  • Store/FieldAddr — taint poisoning. If a field is tainted, the whole struct is tainted. Trades precision for simplicity.
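A compact sketch of that DFS over a constructed stand-in for the SSA facts, added here as an example (not glp's code; Instr, Fn, Track, Demo and the sink set are assumptions). It implements the four jump cases above, including the whole-struct poisoning on Store, and walks a constructed program from main's ctx, through a closure, a field store and an interface cast, to a database sink; it ignores the interface-invoke receiver offset.

```go
package main

import "slices"

// Constructed stand-in for the SSA facts the tracker needs (not glp's own types).
// Instr.Kind is one of "call", "closure", "iface", "fieldaddr", "store".
type Instr struct {
	Kind, Fn  string   // Fn: callee (call) or closure body (closure)
	Ins, Outs []string // operands and results, by SSA value name
}
type Fn struct{ Params, FreeVars []string; Body []Instr }
var sinks = map[string]bool{"database/sql.(*DB).QueryContext": true} // constructed sink set

// Track returns, for every sink reached by tainted val starting in fn, the chain of functions
// walked, ending with the sink name. seen cuts recursion and closure cycles.
func Track(prog map[string]*Fn, fn, val string, seen map[string]bool, parent []string) [][]string {
	if seen[fn+":"+val] {
		return nil
	}
	seen[fn+":"+val] = true
	path := append(parent[:len(parent):len(parent)], fn) // copy, never alias the caller's slice
	fieldOf := map[string]string{}                         // field address -> owning struct
	var hits [][]string
	for _, in := range prog[fn].Body {
		i := slices.Index(in.Ins, val) // position of the tainted operand, -1 if absent
		switch {
		case in.Kind == "fieldaddr":
			fieldOf[in.Outs[0]] = in.Ins[0]
		case i < 0: // instruction does not touch the tainted value
		case in.Kind == "call" && sinks[in.Fn]:
			hits = append(hits, append(path[:len(path):len(path)], in.Fn))
		case in.Kind == "call" && prog[in.Fn] != nil: // Args[i] -> Params[i]
			hits = append(hits, Track(prog, in.Fn, prog[in.Fn].Params[i], seen, path)...)
		case in.Kind == "closure" && prog[in.Fn] != nil: // Bindings[k] -> FreeVars[k]
			hits = append(hits, Track(prog, in.Fn, prog[in.Fn].FreeVars[i], seen, path)...)
		case in.Kind == "iface": // the value survives the interface cast
			hits = append(hits, Track(prog, fn, in.Outs[0], seen, parent)...)
		case in.Kind == "store" && i == 1 && fieldOf[in.Ins[0]] != "": // tainted field poisons the struct
			hits = append(hits, Track(prog, fn, fieldOf[in.Ins[0]], seen, parent)...)
		}
	}
	return hits
}

// Constructed program: main captures ctx in a closure, which stores it into req.ctx and passes
// req to run; run converts req to an interface value and hands that to the database sink.
var Demo = map[string]*Fn{
	"main":   {Params: []string{"ctx"}, Body: []Instr{{Kind: "closure", Fn: "main$1", Ins: []string{"ctx"}}}},
	"main$1": {FreeVars: []string{"fv0"}, Body: []Instr{{Kind: "fieldaddr", Ins: []string{"req"}, Outs: []string{"&req.ctx"}},
		{Kind: "store", Ins: []string{"&req.ctx", "fv0"}}, {Kind: "call", Fn: "run", Ins: []string{"req"}}}},
	"run": {Params: []string{"r"}, Body: []Instr{{Kind: "iface", Ins: []string{"r"}, Outs: []string{"q"}},
		{Kind: "call", Fn: "database/sql.(*DB).QueryContext", Ins: []string{"db", "q", "sql"}}}},
}
```

Track(Demo, "main", "ctx", map[string]bool{}, nil) yields the single path main -> main$1 -> run -> database/sql.(*DB).QueryContext; like the real tracker it is flow-insensitive, so any path to the sink is reported.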

This is the same class of analysis that Checkmarx and Snyk Code perform commercially, scoped to Go’s SSA and implemented in 1462 lines with zero dependencies beyond The Go Programming Language.

What it doesn’t do

No symbolic execution. No path sensitivity — if a value can reach a sink on any path, it’s reported. SQL extraction only works for string constants (fmt.Sprintf queries are opaque). Dead code detection skips methods (interface implementations are called dynamically). No incremental analysis — full program reload on each run.

Architecture

glp/
  ssa/ — Load + BuildStatic + BuildVTA + ExtractEdges + FindDeadExports
  taint/ — Track (DFS) + DiscoverDerivedSinks + Aggregate + ExtractSQLConstants
  analysis/ — sinkerr analyzer (err check after SQL calls)
  cmd/glp/ — MCP stdio server (7 tools)

Runs as an MCP server for Claude Code or any MCP-compatible agent. Also usable as a Go library.

Pure Go. CGO_ENABLED=0. MIT. 1462 LOC.