Nika: Open-source code analysis tool

Many serious security bugs in web applications sit across several files at once. Request data enters through a controller, moves through data objects and service layers, and turns dangerous only when it reaches a sensitive operation such as a database query or a file action. A scanner that reads one file at a time can miss that path entirely.


Nika, an open-source tool from the payments company PhonePe, works on that problem for Java microservices. It performs cross-file taint analysis, tracing attacker-controlled input across application layers to find out whether that input reaches a security-sensitive sink.

Many exploitable issues stay invisible inside a single file. The danger appears only along the route the data travels, so a reviewer needs to see the whole route. Nika traces that data flow across files and functions, which lets a security engineer judge whether a suspect path is reachable in practice.

How the analysis works

The tool reads a target repository and builds an analysis representation that captures code structure, control flow, and data flow. From there it locates the sources where attacker-controlled input enters an application, then locates the sinks where security-sensitive operations happen. A sink might be a database query, a file operation, a template engine, a reflection call, or an outbound network request. Cross-file and inter-procedural analysis traces whether input can travel from a source to a sink. The output is an HTML or JSON report that shows the vulnerable path, the affected code locations, and remediation context.
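To make the source-to-sink idea concrete, here is a toy cross-file, inter-procedural taint tracker written for this article. It is an added illustration, not Nika's code, and it works on a small constructed intermediate representation rather than on real Java: each function records the file it lives in, its parameters and a list of statements. Taint enters at a source, follows assignments, is dropped by a sanitiser, crosses function boundaries through call arguments, and is reported when a tainted variable reaches a sink. The sample program, the statement shapes and the API names in it are all constructed for the example; the JSON report at the end mimics the kind of path-plus-files output a reviewer would want, not Nika's actual report format.

```python
"""Toy cross-file, inter-procedural taint analysis (added example, not Nika's code).

Statement shapes in the constructed IR:
  ("source", dst, api)        dst receives attacker-controlled input from api
  ("assign", dst, [srcs])     dst is computed from srcs; taint propagates
  ("sanitize", dst, src)      dst is a validated form of src; taint is dropped
  ("call", callee, [args])    args map positionally onto the callee's params
  ("sink", api, arg)          arg reaches a security-sensitive operation
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Function:
    file: str            # the file the function lives in (tracked across files)
    params: List[str]
    body: List[tuple]


Program = Dict[str, Function]


def _walk(program: Program, name: str, tainted_params: Set[str],
          path: List[str], seen: Set[Tuple[str, frozenset]],
          findings: List[List[str]]) -> None:
    """Walk one function given the set of its parameters that carry taint."""
    key = (name, frozenset(tainted_params))
    if key in seen:                  # same function in the same taint context: stop
        return
    seen.add(key)
    fn = program[name]
    tainted = set(tainted_params)
    loc = f"{fn.file}:{name}"
    for stmt in fn.body:
        kind = stmt[0]
        if kind == "source":
            tainted.add(stmt[1])
            path = path + [f"{loc} source {stmt[2]} -> {stmt[1]}"]
        elif kind == "assign":
            dst, srcs = stmt[1], stmt[2]
            if any(s in tainted for s in srcs):
                tainted.add(dst)
                path = path + [f"{loc} assign {dst} <- {', '.join(srcs)}"]
            else:
                tainted.discard(dst)  # overwritten with clean data
        elif kind == "sanitize":
            tainted.discard(stmt[1])  # validated value is treated as clean
        elif kind == "call":
            callee, args = stmt[1], stmt[2]
            callee_params = program[callee].params
            callee_tainted = {p for p, a in zip(callee_params, args) if a in tainted}
            if callee_tainted:        # only follow calls that carry taint
                _walk(program, callee, callee_tainted,
                      path + [f"{loc} calls {callee}({', '.join(args)})"],
                      seen, findings)
        elif kind == "sink":
            api, arg = stmt[1], stmt[2]
            if arg in tainted:
                findings.append(path + [f"{loc} sink {api}({arg})"])


def find_flows(program: Program) -> List[List[str]]:
    """Treat every function as a possible entry point with clean parameters and
    collect each source-to-sink path that survives sanitisation."""
    findings: List[List[str]] = []
    for name in program:
        _walk(program, name, set(), [], set(), findings)
    return findings


def report_json(program: Program) -> str:
    """Render findings as JSON with the sink, the files touched and the full path."""
    out = []
    for path in find_flows(program):
        out.append({
            "sink": path[-1].split(" sink ")[1],
            "files": sorted({step.split(":")[0] for step in path}),
            "path": path,
        })
    return json.dumps({"findings": out}, indent=2)


# Constructed sample service: a request parameter crosses three files before it
# is concatenated into a SQL statement; a second path is cut by a sanitiser.
EXAMPLE_PROGRAM: Program = {
    "UserController.search": Function("UserController.java", ["req"], [
        ("source", "term", "HttpServletRequest.getParameter"),
        ("call", "UserService.find", ["term"]),
    ]),
    "UserService.find": Function("UserService.java", ["q"], [
        ("assign", "pattern", ["q"]),               # "%" + q + "%"
        ("call", "UserDao.query", ["pattern"]),
    ]),
    "UserDao.query": Function("UserDao.java", ["sql"], [
        ("sink", "Statement.executeQuery", "sql"),
    ]),
    "FileController.download": Function("FileController.java", ["req"], [
        ("source", "name", "HttpServletRequest.getParameter"),
        ("sanitize", "safeName", "name"),           # e.g. allow-list check
        ("call", "FileService.read", ["safeName"]),
    ]),
    "FileService.read": Function("FileService.java", ["p"], [
        ("sink", "Files.readAllBytes", "p"),
    ]),
}

if __name__ == "__main__":
    print(report_json(EXAMPLE_PROGRAM))
```

Running it reports exactly one flow, the five-step path from the controller's `getParameter` through the service into `Statement.executeQuery`, and nothing for the download path, because the sanitised copy is what reaches the file sink. A per-file scanner would see only a harmless parameter read in the controller and a query on a string parameter in the DAO.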

What it detects

Nika covers eleven vulnerability categories. These include SQL injection, server-side request forgery, path traversal, command injection, code injection, template injection, deserialization flaws, XML external entity issues, cryptographic failures, and unsafe reflection. The tool also checks for security-critical call-order violations in sensitive execution flows and validation chains. Teams can broaden the coverage with custom sources, OpenGrep sinks, and vulnerability plugins, and they can run branch-aware scans as part of secure code review.

An optional AI review step

After the core analysis runs, Nika can pass its findings to an AI agent for a second look aimed at reducing false positives. This step stays off by default and switches on through a configuration setting. The sample configuration points the review at a hosted large language model and includes values for token cost, iteration counts, and call limits. Keeping the step optional lets a team run the static engine on its own and add the language-model pass for cases where triage time runs short.

The tool aims at secure code review work. Branch-aware scanning lets a reviewer point Nika at the changes under review, and the HTML report lays out the source-to-sink path together with the lines involved. The remediation context in the report gives a starting point for a fix.

Benchmarking and language support

The team behind Nika has measured the tool against a public test set. Praveen Kanniah, a maintainer of the project, described the method: “We have used OWASP Java benchmark project to benchmark our tool. The codebase has intentionally vulnerable files and it's gauged against parameters like True Positives, False Positives, recall (the overall true positives identified amongst what exists in the code) etc.”

The OWASP benchmark supplies code with planted flaws, which lets a scanner’s results get scored on how many real issues it catches and how many of its alerts hold up. Recall, in that setting, measures the share of existing vulnerabilities the tool manages to surface.
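The scoring described above can be written down in a few lines. The following is an added example, not code from Nika or from the OWASP Benchmark project: each test case is labelled with a vulnerability category and with whether it is truly vulnerable (the benchmark also plants cases that look vulnerable but are not, which is what catches false positives), and a scanner's findings are matched against those labels by case id and category. The case ids and labels below are constructed for the example.

```python
"""Scoring scanner findings against a test set with planted flaws
(added example; not Nika's or OWASP's code)."""
from collections import defaultdict
from typing import Dict, Set, Tuple

Case = Tuple[str, str]   # (test case id, vulnerability category)


def score(truth: Dict[Case, bool], flagged: Set[Case]) -> Dict[str, float]:
    """Compute TP/FP/FN/TN, precision, recall and false-positive rate.
    A finding whose (id, category) pair is not a true vulnerability counts as
    a false positive, including a finding with the wrong category."""
    positives = {c for c, vuln in truth.items() if vuln}
    negatives = {c for c, vuln in truth.items() if not vuln}
    tp = len(flagged & positives)
    fp = len(flagged - positives)
    fn = len(positives - flagged)
    tn = len(negatives - flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0          # share of planted flaws found
    fpr = len(flagged & negatives) / len(negatives) if negatives else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": precision, "recall": recall, "fpr": fpr}


def recall_by_category(truth: Dict[Case, bool], flagged: Set[Case]) -> Dict[str, float]:
    """Recall broken down per category, which shows where coverage is weak."""
    found: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for (case_id, category), vuln in truth.items():
        if vuln:
            total[category] += 1
            if (case_id, category) in flagged:
                found[category] += 1
    return {cat: found[cat] / total[cat] for cat in total}


# Constructed ground truth: six cases, four truly vulnerable, two decoys.
TRUTH: Dict[Case, bool] = {
    ("Case001", "sqli"): True,
    ("Case002", "sqli"): False,
    ("Case003", "pathtraver"): True,
    ("Case004", "pathtraver"): False,
    ("Case005", "cmdi"): True,
    ("Case006", "cmdi"): True,
}

# Constructed scanner output: three real hits, one decoy flagged, one flaw missed.
FLAGGED: Set[Case] = {
    ("Case001", "sqli"),
    ("Case002", "sqli"),
    ("Case003", "pathtraver"),
    ("Case005", "cmdi"),
}

if __name__ == "__main__":
    print(score(TRUTH, FLAGGED))
    print(recall_by_category(TRUTH, FLAGGED))
```

On the constructed data the scanner scores three true positives, one false positive and one miss, so precision and recall are both 0.75 while the per-category view shows command injection at 0.5. That split is the useful part of a benchmark run: an overall recall number hides which sink types the analysis is not yet tracking.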

Java is the only supported language at this stage, and coverage for more languages sits on the roadmap. Nika ships as a Docker image and as a local build, and its documentation lives on a dedicated project site.

Nika is available for free on GitHub.
