Get a Demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Supported Languages and Package Managers in Hopper

Hopper is designed to work seamlessly across modern software stacks, with deep static analysis support for today’s most widely used languages, frameworks, and build systems. Whether you’re running JVM-based microservices, Python ML pipelines, .NET enterprise apps, or containerized Node.js services, Hopper has you covered.

This guide provides a complete overview of Hopper’s supported languages, ecosystems, and dynamic analysis capabilities, so you know exactly what Hopper sees and how it interprets your code.

Supported Language Ecosystems

Hopper supports direct and transitive dependency analysis, license detection, and function-level reachability across the following language ecosystems:

JVM Ecosystems

  • Languages: Java, Kotlin, Scala
  • Build Systems: Maven, Gradle
  • Handles shaded and repackaged JARs
  • Supports nested modules and multi-project builds
  • Detects and maps dynamic behaviors in Spring and JakartaEE, including routing, injection, and reflection

.NET

  • Languages: C#
  • Works across Windows and Linux environments
  • Understands ASP.NET MVC patterns, routing, and component wiring

Python

  • Build Systems: pip, Poetry
  • Supports AI/ML libraries and popular data science packages
  • Full support for Django and FastAPI, including decorators, dynamic routes, middleware, and context processors

JavaScript / TypeScript

  • Package Managers: npm, yarn, pnpm
  • Scans monorepos and workspaces
  • Supports frontend and backend frameworks like React, Angular, Express, Next.JS and NestJS

Go

  • Supports module-based projects
  • Supports projects utilizing build tags

Built for Modern Frameworks and Dynamic Code

Hopper goes beyond language-level support to understand how your application is built and behaves in production. It models routing, dependency injection, reflection, decorators, and dynamic dispatch — features that often break traditional static analysis tools.

Frameworks with First-Class Support

  • Spring: Models auto-configuration, annotation-based routing, proxies, and reflection-driven instantiation
  • Django: Understands urlpatterns, middleware, dynamic routing, template context, and WSGI deployment patterns
  • ASP.NET: Detects MVC patterns, component injection, and runtime behavior
  • FastAPI: Recognizes dynamic route registration, type annotations, and async behavior
  • Flask, Node.js, Express: Supports common routing and middleware flows

Why It Matters

Most static analysis tools treat dynamic code as either always reachable or completely ignored. This leads to false positives or missed threats. Hopper accurately interprets dynamic behavior, ensuring higher precision in vulnerability detection and triage.

Container Scanning Support

Hopper supports vulnerability analysis in containerized applications by inspecting images built from:

Docker

  • Identifies vulnerable base images
  • Maps each layer to its originating instruction
  • Suggests more secure alternatives
  • Supports tagging and filtering, just like in the Projects view
  • Links image findings to their Dockerfile, with details on current and suggested base images

Best Practices for Language Coverage

  • Ensure repositories contain build files (pom.xml, build.gradle, package.json, etc.)
  • Hopper auto-detects language and build system based on repo contents
  • For polyglot monorepos, Hopper scans each project individually and maps findings back to specific paths
  • Tag critical projects (Crown Jewels) to prioritize visibility in reports and filtering