Security Tool, 2026

LiquidGuard SAST

Tags: Security, AST, Liquid, Static Analysis, CLI

A static analysis security scanner for Shopify Liquid templates that detects XSS vulnerabilities, unsafe data flows, and insecure patterns at the AST level before they reach production.

The Challenge

Shopify themes render customer data, order and payment details, and user-generated content, yet there is no security scanner purpose-built for Liquid. Generic SAST tools don't understand Liquid's template syntax or filter chains, and they don't track the output context (HTML body, JavaScript, URL attribute) that decides which escaping filter is actually correct.

The Solution

Built a custom Liquid parser that generates an Abstract Syntax Tree, then walks the tree to trace data flows from untrusted sources (customer input, metafields) through filter chains to output contexts (HTML, JavaScript, URL attributes), flagging unescaped or improperly sanitized paths. Sanitization is judged per sink: a value passed through `escape` is safe in an HTML context but is still reported when it lands inside a `<script>` block or a URL attribute, where `json` or `url_encode` would be the correct filter.

src/analyzers/xss-detector.ts

```typescript
// Core check for a single {{ ... }} output statement. The helper functions
// and types (determineContext, resolveDataSource, extractFilters,
// SANITIZING_FILTERS, suggestFilter, LiquidOutputNode, AnalysisScope,
// SecurityFinding) live elsewhere in the project.
export function analyzeOutputStatement(
  node: LiquidOutputNode,
  scope: AnalysisScope
): SecurityFinding[] {
  const findings: SecurityFinding[] = []
  // Which sink the value is rendered into: html, javascript or url.
  const outputContext = determineContext(node)
  // Walk assignments/captures in scope back to the originating variable.
  const dataSource = resolveDataSource(node.expression, scope)

  if (!dataSource.isTrusted) {
    const filterChain = extractFilters(node)
    // A filter only counts as sanitizing if it is the right one for this sink.
    const sanitized = filterChain.some(f =>
      SANITIZING_FILTERS[outputContext]?.includes(f.name)
    )

    if (!sanitized) {
      findings.push({
        severity: 'high',
        rule: 'xss-unescaped-output',
        message: `Untrusted data "${dataSource.name}" rendered in ` +
          `${outputContext} context without sanitization`,
        location: node.location,
        fix: suggestFilter(outputContext),
      })
    }
  }

  return findings
}
```
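The snippet above depends on helpers the page does not show. The following is an added, self-contained example (not LiquidGuard's code) of the same check end to end: it tokenizes `{{ ... }}` output statements with a regular expression instead of a Tree-sitter AST, infers the sink context from the preceding template text, classifies the root variable as trusted or untrusted, and reports any untrusted value whose filter chain lacks a sanitizer appropriate to that context. The filter lists, the untrusted-root list, the `analyzeTemplate`/`determineContext`/`isUntrusted` names and the sample template are all assumptions made for this illustration.

```typescript
// Added example, not the project's own code. A regex tokenizer stands in for
// the real AST walk; filter tables and the trusted/untrusted split are assumed.

type OutputContext = 'html' | 'javascript' | 'url';

interface Finding {
  line: number;
  source: string;
  context: OutputContext;
  filters: string[];
  message: string;
  fix: string;
}

// Filters that neutralise an untrusted value for a given sink (assumed lists).
const SANITIZING_FILTERS: Record<OutputContext, string[]> = {
  html: ['escape', 'escape_once', 'h'],
  javascript: ['json'],
  url: ['url_encode', 'url_escape', 'url_param_escape'],
};

const SUGGESTED_FIX: Record<OutputContext, string> = {
  html: '| escape',
  javascript: '| json',
  url: '| url_encode',
};

// Variable roots treated as attacker-influenced (assumed list).
const UNTRUSTED_ROOTS = new Set(['customer', 'cart', 'form', 'request']);

function isUntrusted(expr: string): boolean {
  if (/^["']/.test(expr) || /^\d/.test(expr)) return false; // string/number literal
  const root = expr.split('.')[0].replace(/\[.*$/, '');
  return UNTRUSTED_ROOTS.has(root) || expr.includes('metafields');
}

// Infer the sink from the template text before the output tag:
// inside an open <script> -> javascript; inside an unclosed href/src/action
// attribute value -> url; anything else -> html.
function determineContext(prefix: string): OutputContext {
  if (prefix.lastIndexOf('<script') > prefix.lastIndexOf('</script')) return 'javascript';
  const tag = prefix.slice(prefix.lastIndexOf('<'));
  if (!tag.includes('>') && /\b(href|src|action)\s*=\s*["'][^"']*$/.test(tag)) return 'url';
  return 'html';
}

function analyzeTemplate(template: string): Finding[] {
  const findings: Finding[] = [];
  const re = /\{\{-?\s*([^}]*?)\s*-?\}\}/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(template)) !== null) {
    const prefix = template.slice(0, m.index);
    const line = prefix.split('\n').length;
    const parts = m[1].split('|').map(s => s.trim());
    const expr = parts[0];
    const filters = parts.slice(1).map(f => f.split(':')[0].trim()); // drop filter args
    if (!isUntrusted(expr)) continue;
    const context = determineContext(prefix);
    if (filters.some(f => SANITIZING_FILTERS[context].includes(f))) continue;
    findings.push({
      line, source: expr, context, filters,
      message: `Untrusted data "${expr}" rendered in ${context} context without sanitization`,
      fix: SUGGESTED_FIX[context],
    });
  }
  return findings;
}

// Constructed sample template for the example; not taken from a real theme.
const SAMPLE = `<h1>{{ shop.name }}</h1>
<p>Hello {{ customer.first_name }}</p>
<p>Hello {{ customer.first_name | escape }}</p>
<a href="{{ customer.metafields.profile.site }}">site</a>
<a href="{{ customer.metafields.profile.site | url_encode }}">site</a>
<script>var note = "{{ cart.note }}";</script>
<script>var note = "{{ cart.note | escape }}";</script>
<script>var note = {{ cart.note | json }};</script>
<div>{{ cart.note | upcase | escape }}</div>
`;

for (const f of analyzeTemplate(SAMPLE)) {
  console.log(`line ${f.line}: ${f.message} (fix: ${f.fix})`);
}
```

Run against the sample, this reports lines 2, 4, 6 and 7. Line 7 is the case worth noticing: `escape` does stop HTML injection, but inside a `<script>` string the value can still break out with a quote or a `</script>` sequence, so the check keys the sanitizer list on the sink rather than treating any escaping filter as sufficient.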
Tech Stack

TypeScript, Tree-sitter, Liquid AST, Node.js, CLI (Commander), Vitest, GitHub Actions

Interested in similar work?

Let's discuss how I can help bring your Shopify project to life.