StackDependenciesTree-sitter

Tree-sitter

Last updated: Jul 1, 2026


Rationale

Tree-sitter is the core library used by Fluid Attacks' SAST scanner. It is critical to report vulnerabilities identified through static application security testing (SAST) to our clients.

The main reasons why we chose it over other alternatives are:

  • It is open source.
  • It provides a low-level, grammar-based approach to parsing that gives us direct access to the concrete syntax tree of any language, making it highly flexible and capable of parsing any deterministic language.
  • It is widely adopted for building SAST scanners, with strong community validation as the foundation for production static analysis tools.
  • Its community maintains parsers for many programming languages, which significantly reduces the work required to add new language support.
  • It exposes a Python binding that integrates cleanly with our existing analysis codebase.
  • It allows us to implement custom parsers for languages or grammars not yet covered by the community, increasing flexibility.
  • Performance is a core design goal: tree-sitter grammars compile to efficient C parsers, matching the speed requirements of vulnerability scans that must complete as quickly as possible.
  • It serves as the foundation for our internal analysis layer, which extends raw syntax tree access with data-flow tracking and cross-file symbol resolution — capabilities that purely syntactic tools cannot provide.

Alternatives

The following alternatives were considered:

Pyparsing

  • It provides a high-level approach towards defining syntaxes, at the cost of reduced flexibility, which was much more important to us.
  • It did not support as many built-in parsers.
  • Its community was smaller.

ast-grep

  • It is open source.
  • It is a Rust-native tool that builds a high-level structural pattern language on top of tree-sitter, using metavariables (e.g., $MODEL, $$$ for variadic arguments) to express call-site patterns directly on the syntax tree.
  • It makes it fast to express known structural shapes such as client.chat.completions.create(model=$MODEL, $$$) without writing full grammar rules.
  • It operates purely at the syntactic match level: it cannot resolve what a variable holds at the point of use, has no support for cross-file symbol resolution, and provides no access to data-flow or type information.
  • When a model identifier is stored in a variable, ast-grep can detect the call site but cannot recover the actual value assigned to that variable.
  • It is not maintained by the team, adding an external dependency with no internal ownership.

ast-grep is well suited for quick structural searches over known call-site shapes, but cannot address the analysis depth required by our SAST scanner. Our existing tree-sitter-based library solves these limitations through a richer analysis layer — including data-flow tracking and cross-file symbol resolution — built on the same underlying grammar and already maintained by the team.

Usage

We use Tree-sitter as a syntax parser for most of our supported languages.

On this page