The Fifth Elephant OSAI meet-up - Hyderabad edition


Kartik

@kartik2016

The Dependencies That Kill: How Knowledge Graphs Revolutionize Security in AI-Powered Code Review

Submitted Sep 13, 2025

Session Description:

Traditional security scanners analyze files in isolation, missing the cascading vulnerabilities that emerge from complex dependencies. When a seemingly innocent config change can break authentication across services, or when a utility function modification introduces SQL injection risks in distant components, pattern-matching tools are blind. Through analyzing hundreds of PRs across enterprise codebases, we found that many critical security issues involve cross-file dependencies that conventional SAST tools overlook.

The solution is to build a comprehensive knowledge graph (Graph RAG) of the entire codebase that maps every function call, data flow, and dependency chain, then leverage AI models to identify issues in their full context. This talk explores the foundations and architectural principles of security-aware code analysis using knowledge graphs, covering graph storage strategies with Neo4j, multi-language parsing approaches with tree-sitter (supporting Python, Java, JavaScript, TypeScript, .NET, PHP, and Ruby), static analysis rule design with ast-grep, and LSP (Language Server Protocol) integration for enhanced graph building capabilities.

We’ll present cases where knowledge graph approaches revealed critical code issues: shared utility functions that exposed data inconsistencies, breaking changes and contract violations discovered through relationship mapping, and configuration conflicts that created system gaps only visible through dependency analysis. You’ll understand the framework behind graph schema design for capturing code relationships, the concepts behind PR-specific graph overlays for accurate analysis, and architectural patterns for CI/CD integration. Our research shows 30-40% better detection of context-dependent issues including breaking changes, data flow problems, and system inconsistencies while maintaining efficient analysis times for large codebases.
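The two ideas above, a cross-file call graph and a PR overlay that asks which source-to-sink paths a change can affect, in a small worked example. This is added illustration, not code from the talk or from CodeKnack: it uses Python's standard `ast` module instead of tree-sitter, an in-memory dict instead of Neo4j, and a three-file sample repository constructed inline. The "source" and "sink" rules (a function reading `request.args`, a function calling `.execute(...)`) are deliberately simple stand-ins for the ast-grep rules the talk describes; the change under review is a hypothetical PR touching a string-building helper in `db/util.py`, the "utility function modification introduces SQL injection risks in distant components" scenario.

```python
"""Cross-file call graph + PR blast-radius query over a constructed mini-repo."""
import ast
from collections import defaultdict, deque

# Constructed three-file sample codebase (not from the talk or CodeKnack).
REPO = {
    "db/util.py": (
        "def run_query(conn, sql):\n"
        "    return conn.execute(sql)\n"          # sink: raw SQL execution
        "\n"
        "def build_filter(field, value):\n"      # helper a hypothetical PR edits
        "    return f\"{field} = '{value}'\"\n"
    ),
    "services/users.py": (
        "from db.util import run_query, build_filter\n"
        "\n"
        "def find_user(conn, username):\n"
        "    sql = 'SELECT * FROM users WHERE ' + build_filter('username', username)\n"
        "    return run_query(conn, sql)\n"
    ),
    "api/handlers.py": (
        "from services.users import find_user\n"
        "\n"
        "def login(request, conn):\n"             # source: reads request.args
        "    return find_user(conn, request.args['username'])\n"
        "\n"
        "def health():\n"                         # unrelated leaf function
        "    return 'ok'\n"
    ),
}

def module_name(path):
    return path[:-3].replace("/", ".")

def build_graph(repo):
    """Return (edges, sources, sinks): edges maps 'module.func' -> set of callees."""
    edges, sources, sinks = defaultdict(set), set(), set()
    for path, src in repo.items():
        mod, tree = module_name(path), ast.parse(src, filename=path)
        imported = {}                                   # local name -> qualified name
        for node in tree.body:
            if isinstance(node, ast.ImportFrom):
                for alias in node.names:
                    imported[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        local = {n.name: f"{mod}.{n.name}" for n in tree.body if isinstance(n, ast.FunctionDef)}
        for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
            me = local[fn.name]
            edges[me]                                   # register node even if it calls nothing
            for sub in ast.walk(fn):
                if isinstance(sub, ast.Call):
                    f = sub.func
                    if isinstance(f, ast.Name) and (imported.get(f.id) or local.get(f.id)):
                        edges[me].add(imported.get(f.id) or local.get(f.id))
                    elif isinstance(f, ast.Attribute) and f.attr == "execute":
                        sinks.add(me)                   # sink rule: <anything>.execute(...)
                if (isinstance(sub, ast.Attribute) and sub.attr == "args"
                        and isinstance(sub.value, ast.Name) and sub.value.id == "request"):
                    sources.add(me)                     # source rule: request.args[...]
    return edges, sources, sinks

def paths(edges, start, goals):
    """All simple call paths from start to any goal node (iterative DFS)."""
    found, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node in goals and len(path) > 1:
            found.append(path)
            continue
        for nxt in sorted(edges.get(node, ())):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return found

def impacted_by(edges, changed):
    """Reverse reachability: every function that transitively calls a changed one."""
    rev = defaultdict(set)
    for caller, callees in edges.items():
        for callee in callees:
            rev[callee].add(caller)
    seen, queue = set(changed), deque(changed)
    while queue:
        for caller in rev[queue.popleft()]:
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return seen

def review_change(repo, changed):
    """PR overlay: flag source->sink paths that pass through the change's blast radius."""
    edges, sources, sinks = build_graph(repo)
    impacted = impacted_by(edges, changed)
    flagged = [p for s in sorted(sources) for p in paths(edges, s, sinks) if impacted & set(p)]
    return impacted, flagged

if __name__ == "__main__":
    impacted, flagged = review_change(REPO, {"db.util.build_filter"})
    print("impacted:", sorted(impacted))
    for p in flagged:
        print("flagged path:", " -> ".join(p))
```

Note what the plain call graph alone would not show: `build_filter` never appears on the `login -> find_user -> run_query` path, because it only produces the string that reaches the sink. It is the reverse-reachability overlay (callers of the changed function intersected with source-to-sink paths) that connects a one-line helper edit in `db/util.py` to an untrusted-input path ending in `.execute()` two files away.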

Key Takeaways

  • Security-focused knowledge graph: Understand the conceptual framework, schema design principles, and relationship modeling strategies that capture security-critical dependencies across codebases.
  • Vulnerability pattern recognition through graph analysis: Learn about specific security anti-patterns involving transitive dependencies, cross-service data flows, and configuration interactions that traditional tools miss, with theoretical models and detection approaches.

Target Audience: This session benefits DevSecOps engineers implementing shift-left security practices, security architects designing application security programs, engineering leaders concerned about supply chain and dependency vulnerabilities, and developers wanting to understand how their code changes impact system-wide security. Attendees should have basic familiarity with CI/CD pipelines and security concepts.

About me:

Kartik Bansal, CEO and Head of Engineering at CodeKnack, building AI-powered code analysis tools that scale in production environments. Our team has deep experience implementing security practices across distributed systems and making enterprise-grade code analysis accessible through open-source technologies. We’re passionate about knowledge graphs as the foundation for understanding code relationships and leverage tools like Neo4j, tree-sitter, and ast-grep to build production code analysis systems.
