No description
  • Go 78.6%
  • JavaScript 16.3%
  • HTML 4.5%
  • Shell 0.6%
Find a file
Repository files (latest commit first)
Filename Latest commit message Latest commit date
2026-07-08 13:11:39 +00:00
.opencode/plans Added js parser 2026-07-08 13:08:04 +02:00
client Chnaged directory structure 2026-07-06 14:45:36 +02:00
cmd Set trusted proxies 2026-07-08 15:01:23 +02:00
internal Reduced temperature of taint evaluation 2026-07-08 15:01:02 +02:00
js Added js parser 2026-07-08 13:08:04 +02:00
.gitignore Chnaged directory structure 2026-07-06 14:45:36 +02:00
go.mod Parallellized taint analysis 2026-07-07 10:01:34 +02:00
go.sum Added triage of results 2026-07-02 14:59:25 +02:00
README.md Update Readme 2026-07-07 08:32:42 +02:00

Phish

Phish is a tool for doing taint analysis on your code. The program takes a git repo as input and delivers a report on value flow vulnerabilities in your code.

Supported languages

  • Go

Definitions

Given a repo R, Phish extracts a directed value flow graph G=\{V,E\}, where V is the set of vertices representing expressions and statements, while E\subseteq V\times V is the set of edges representing the value flow between them. Then, we can define a vertex v as a source v_{source} if it has no incoming edges, a sink v_{sink} if it has no outgoing edges, or neutral v_{neutral} if it has both incoming and outgoing edges. Further on, we define a set of tainted sinks V_{sink}^T and a set of tainted sources V_{source}^T . Finding a vulnerability then becomes a question of finding a path between a source-sink pair (v_{source}\in V_{source}^T,v_{sink}\in V_{sink}^T). If such a path exists, we have a vulnerability.

Discovering these paths is done by using a depth-first search starting in each tainted source. Upon discovering a tainted sink, the whole path is saved and given to an LLM for verification, explanation and mitigation. Traversal is done by iterating through all edges and creating an adjacency list for each vertex. Then, depth first search is applied, giving O(V+E) complexity.

How to use

  • Run go run ./cmd in the terminal
  • Navigate to the specified host
  • To submit a git repo, go to the submit pane, paste a link to a repo and press submit
  • To view reports, press the reports pane, and press the report you want to view