When Octokraft analyzes your code, it automatically detects which languages are present and runs the appropriate analyzers. No configuration is required — detection is automatic.
Analyzers are packaged into isolated container images. Language-specific images run only when that language is detected in the repository. Two cross-language images (analyze-semgrep and analyze-compliance) run on every analysis, regardless of the detected languages.
Language-Specific Analyzers
| Language | Analyzer | What It Checks |
|---|---|---|
| Python | Ruff | Linting, style, common bugs, import sorting |
| Python | Bandit | Security vulnerabilities (injection, hardcoded passwords, etc.) |
| JavaScript / TypeScript | Biome | Linting, formatting, correctness, style |
| Java / Kotlin | Checkstyle | Style and formatting standards |
| Java / Kotlin | PMD | Bug patterns, dead code, complexity |
| C# | dotnet-format | Formatting and style enforcement |
| Ruby | RuboCop | Style, correctness, performance |
| PHP | PHPStan | Type safety, dead code, logic errors |
Go and Rust do not have a dedicated image. golangci-lint and clippy both require compiling the project and downloading dependencies, which is a supply-chain attack vector in a multi-tenant analysis environment. Go and Rust code is instead covered by Semgrep’s p/golang and p/rust rule packs in the cross-language Semgrep image below.
Cross-Language Analyzers
These run on every repository, independent of language detection.
| Analyzer | Image | Category | What It Checks |
|---|---|---|---|
| Semgrep | analyze-semgrep | security | Cross-language security and bug-pattern rules (includes Go and Rust packs) |
| jscpd | analyze-semgrep | duplication | Copy-paste clones across files |
| Syft | analyze-compliance | compliance | Software bill of materials; flags restrictive or unknown dependency licenses |
| Trivy | analyze-compliance | security | Known CVEs in dependencies |
| Gitleaks | analyze-compliance | compliance | Hardcoded secrets and credentials in source and git history |
What Gets Ignored
Standard build artifacts and dependency directories are automatically excluded from analysis:
| Language / Framework | Ignored Directories |
|---|---|
| Node.js | node_modules/, dist/, .next/, coverage/ |
| Python | __pycache__/, .venv/, .mypy_cache/, dist/ |
| Go | vendor/, testdata/ |
| Rust | target/ |
| Java / Kotlin | build/, target/, .gradle/ |
| C# | bin/, obj/ |
| Ruby | vendor/, tmp/ |
| PHP | vendor/, cache/ |
These directories contain generated code or third-party dependencies. Analyzing them would produce noise, not signal.
How Results Are Used
Analyzer findings are normalized to a unified severity scale: critical, high, medium, low, and info. These findings are merged with results from other sources (AI analysis, code graph, convention checks) and deduplicated so the same issue is never reported twice from different sources.
All findings feed into your project’s Code Health score and appear in PR Analysis results.
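The normalization and deduplication step described above, as an added example that is not Octokraft's own code: each tool's native severity is mapped onto the unified scale, and findings that point at the same path, line and rule category are collapsed into one, keeping the highest severity. The severity tables, the `category` field (assumed to be assigned per rule by an adapter) and the sample findings are constructed assumptions.

```python
# Added example, not Octokraft's own code: merge findings from several analyzers
# onto the unified severity scale and deduplicate issues reported by more than one tool.
# The severity tables, the "category" field and the sample findings are assumptions.
SEVERITY_MAP = {
    "bandit":  {"HIGH": "high", "MEDIUM": "medium", "LOW": "low"},
    "semgrep": {"ERROR": "high", "WARNING": "medium", "INFO": "info"},
    "trivy":   {"CRITICAL": "critical", "HIGH": "high", "MEDIUM": "medium",
                "LOW": "low", "UNKNOWN": "info"},
}
RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def normalize(finding):
    """Map a tool-native severity to the unified scale; unknown values fall to 'info'."""
    table = SEVERITY_MAP.get(finding["tool"], {})
    return {**finding, "severity": table.get(finding["severity"].upper(), "info")}


def dedupe(findings):
    """Collapse findings that share (path, line, category): keep the highest
    severity seen and record every tool that reported the issue."""
    merged = {}
    for f in map(normalize, findings):
        key = (f["path"], f["line"], f["category"])
        if key not in merged:
            merged[key] = {**f, "sources": [f["tool"]]}
            continue
        cur = merged[key]
        cur["sources"].append(f["tool"])
        if RANK[f["severity"]] > RANK[cur["severity"]]:
            cur["severity"] = f["severity"]  # escalate, never downgrade
            cur["rule"] = f["rule"]
    return sorted(merged.values(), key=lambda f: -RANK[f["severity"]])


# Constructed sample: Bandit and Semgrep both flag the same string-built SQL
# query; Trivy flags a dependency (placeholder package and rule id).
SAMPLE = [
    {"tool": "bandit", "rule": "B608", "severity": "MEDIUM",
     "category": "sql-injection", "path": "app/db.py", "line": 42},
    {"tool": "semgrep", "rule": "constructed-sql-format-rule", "severity": "ERROR",
     "category": "sql-injection", "path": "app/db.py", "line": 42},
    {"tool": "trivy", "rule": "placeholder-advisory-id", "severity": "CRITICAL",
     "category": "vulnerable-dependency", "path": "requirements.txt", "line": 0},
]

if __name__ == "__main__":
    for f in dedupe(SAMPLE):
        print(f["severity"], f["path"], f["line"], f["category"], f["sources"])
```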
Analyzer Configuration
Analyzers respect your project’s existing configuration files. If your repository contains a ruff.toml, biome.json, .rubocop.yml, phpstan.neon, or equivalent config, Octokraft uses those settings. Your team’s existing rules are honored automatically.
You do not need to configure analyzers in Octokraft. If your repository already has linter configuration, it is picked up and used as-is.