codebadger is a containerized Model Context Protocol (MCP) server that gives AI agents and LLMs deep, queryable access to a codebase's structure and data flow through Joern Code Property Graphs (CPGs).
Point it at a Git repository, a local path, or even a pasted code snippet, and codebadger builds a CPG and exposes it over MCP — so an assistant can run CPGQL queries, trace data flow and taint, slice programs, and hunt for vulnerabilities across Java, C/C++, JavaScript, Python, Go, Kotlin, C#, Ghidra, Jimple, PHP, Ruby, and Swift.
It's a general-purpose foundation for both program analysis (understanding code structure, call graphs, and data flow) and vulnerability analysis (taint tracking, bug hunting, and PoC development) — useful for academic research as well as industry security and engineering work. It's built to scale to large analysis batches with per-CPG worker pools, memory-aware scheduling, and a Postgres/Redis backend.
codebadger and its paper, "Bridging Code Property Graphs and Language Models for Program Analysis", were accepted at the Software Vulnerability Management Workshop @ ICSE 2026. 🎉
Everything a developer or security researcher needs lives in docs/:
| Doc | What's in it |
|---|---|
| Installation | Prerequisites and a 5-minute local setup. |
| Usage | Connecting MCP clients, the tool catalog, and a researcher workflow. |
| Available Tools | Every MCP tool by category, with a description of what each does. |
| Configuration | config.yaml / env reference, telemetry. |
| Deployment | Postgres/Redis, memory sizing, shared vs pool, large batches. |
| Architecture | System design and diagrams. |
| Security | Threat model, trust boundaries, and production hardening. |
| Custom Tools | Add your own detectors. |
| Contributing | Dev setup, tests, and guidelines. |
| Roadmap | What's shipped and what's next. |
If codebadger helped you find a vulnerability, we'd love to hear about it: open a PR adding it to TROPHIES.md (CVE ID, project, one-line description, date).
```bibtex
@inproceedings{lekssays2026bridging,
  title={Bridging Code Property Graphs and Language Models for Program Analysis},
  author={Lekssays, Ahmed},
  booktitle={Proceedings of the 2026 IEEE/ACM 4th International Workshop on Software Vulnerability Management},
  pages={33--40},
  year={2026}
}
```