# @seqra/opentaint

v0.4.3
The open source taint analysis engine for the AI era.
This package is the npm distribution of the OpenTaint CLI. Installing it pulls in a prebuilt, self-contained binary for your platform that bundles the analyzer, rules, and a Java runtime — no separate Java installation required.
## Install
Run instantly with npx — no install required:
```sh
npx @seqra/opentaint scan
```

Or install globally:
```sh
npm install -g @seqra/opentaint
opentaint --version
```

The correct binary for your platform is selected automatically through optional dependencies. Supported platforms:
| OS      | Architectures |
| ------- | ------------- |
| Linux   | x64, arm64    |
| macOS   | x64, arm64    |
| Windows | x64, arm64    |
Note: Do not install with `--no-optional` or `--omit=optional`. The platform binary ships as an optional dependency; omitting it leaves the launcher with nothing to run.
## Usage
Scan the project in the current directory:
```sh
opentaint scan
```

Write results to a SARIF file:

```sh
opentaint scan --output results.sarif
```

See all commands and flags:
```sh
opentaint --help
```

## AI agent workflows
OpenTaint ships agent skills that turn static analysis into an end-to-end application-security workflow. Add them to your agent with:
```sh
npx skills add https://github.com/seqra/opentaint
```

The appsec-agent skill orchestrates a full assessment: build the project, run OpenTaint, discover the attack surface, add targeted rules, model missing library data flows, triage findings, and optionally generate dynamic proof-of-concept checks for confirmed vulnerabilities.
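As an added example (not part of OpenTaint or this package), the script below consumes a SARIF 2.1.0 results file such as the one `opentaint scan --output results.sarif` writes, for the triage step above: it resolves each result's effective level the way the SARIF specification defines it (the result's own `level`, else the rule's `defaultConfiguration.level`, else `warning`), counts findings by level, and returns a pass/fail verdict usable as a CI gate. The embedded SARIF document, tool name and rule ids are constructed for illustration and do not reproduce OpenTaint's real output.

```python
"""Summarize a SARIF 2.1.0 results file for triage and CI gating.

Added example for this README; it is not part of OpenTaint. The SARIF
document below is constructed by hand and does not reproduce OpenTaint's
real rule ids or output.
"""
import json
from collections import Counter
from pathlib import Path

# Constructed sample SARIF document (not real OpenTaint output).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {
            "name": "example-analyzer",
            "rules": [
                {"id": "EXAMPLE-SQLI", "defaultConfiguration": {"level": "error"}},
                {"id": "EXAMPLE-LOG", "defaultConfiguration": {"level": "note"}},
            ],
        }},
        "results": [
            # No explicit level: inherits the rule default ("error").
            {"ruleId": "EXAMPLE-SQLI",
             "message": {"text": "Tainted value reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            # Explicit level overrides the rule default.
            {"ruleId": "EXAMPLE-SQLI", "level": "warning",
             "message": {"text": "Tainted value reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/report.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "EXAMPLE-LOG",
             "message": {"text": "User input written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/web.py"},
                 "region": {"startLine": 19}}}]},
        ],
    }],
}

# Ordering of SARIF result levels, used for the gate threshold.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def effective_level(result, rule_defaults):
    """Resolve a result's level per SARIF 2.1.0: the result's own `level`,
    else the rule's defaultConfiguration.level, else "warning"."""
    if "level" in result:
        return result["level"]
    return rule_defaults.get(result.get("ruleId"), "warning")


def summarize(sarif):
    """Flatten every run into (level, rule, file, line, message) tuples."""
    findings = []
    for run in sarif.get("runs", []):
        rule_defaults = {}
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            lvl = rule.get("defaultConfiguration", {}).get("level")
            if lvl:
                rule_defaults[rule["id"]] = lvl
        for res in run.get("results", []):
            # Use the first location; results may legitimately have none.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((
                effective_level(res, rule_defaults),
                res.get("ruleId", "<no rule>"),
                loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                loc.get("region", {}).get("startLine"),
                res.get("message", {}).get("text", ""),
            ))
    return findings


def count_by_level(findings):
    """Number of findings per effective level."""
    return Counter(f[0] for f in findings)


def gate_fails(findings, threshold="error"):
    """True if any finding is at or above `threshold` (CI gate)."""
    return any(LEVEL_RANK.get(f[0], 0) >= LEVEL_RANK[threshold] for f in findings)


def load_sarif(path):
    """Read a SARIF file from disk (e.g. results.sarif)."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    import sys
    doc = load_sarif(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SARIF
    fs = summarize(doc)
    for level, rule, uri, line, msg in sorted(fs, key=lambda f: -LEVEL_RANK.get(f[0], 0)):
        print(f"{level:8} {rule:14} {uri}:{line}  {msg}")
    print("totals:", dict(count_by_level(fs)))
    sys.exit(1 if gate_fails(fs) else 0)
```

Run it as `python summarize_sarif.py results.sarif` after a scan; with no argument it runs over the constructed sample. The non-zero exit on any error-level finding is what a CI step would key on, and the threshold can be lowered to `warning` once the baseline is clean.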
## Updating
```sh
npm install -g @seqra/opentaint@latest
```

## Documentation & support
- Documentation: https://github.com/seqra/opentaint/blob/main/docs/README.md
- Issues: https://github.com/seqra/opentaint/issues
- Community: Discord
- Email: [email protected]
## License
The CLI is released under the MIT License. The core analysis engine is released under the Apache 2.0 License.
