The GraphQL API query language has several types of misconfigurations that result in data compromise, access control issues, and other high-risk vulnerabilities. Static analysis tools can identify these vulnerabilities using taint analysis and points-to analysis to model how data flows through the program. The Snyk Code engine leverages typestate analysis to detect common GraphQL vulnerabilities such as SQL injection and deserialization vulnerabilities reached through GraphQL frameworks like express-graphql and koa-graphql. Additionally, GraphQL introspection can be used to discover which queries a GraphQL server supports, while GraphQL denial-of-service attacks can occur when the GraphQL server does not enforce a query depth limit. To prevent these vulnerabilities, developers should validate user input against strict allowlists, disable introspection in production environments, and use vendor-supplied escaping routines where necessary. Snyk Code currently supports several GraphQL frameworks through its static analysis capabilities, with plans to add support for additional languages and code quality rules.
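As an added illustration of two of the controls above (disabling introspection in production and capping query depth), the following dependency-free JavaScript pre-filter screens a raw query string before it reaches the server. It is written for this page, not taken from Snyk, express-graphql or koa-graphql; the function names, limits and sample queries are assumptions.

```javascript
const INTROSPECTION_FIELD = /\b__(?:schema|type)\b/; // __typename stays allowed

// Remove strings and comments so braces inside them are not miscounted.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')      // block strings
    .replace(/"(?:\\.|[^"\\\n])*"/g, '""') // ordinary strings
    .replace(/#[^\n]*/g, '');              // comments
}

// Maximum nesting of selection sets; the operation's own braces count as 1,
// so `{ user { posts { title } } }` has depth 3. Fragment spreads are not
// resolved here, so production servers should also run an AST-based rule.
function selectionDepth(query) {
  let depth = 0, max = 0;
  for (const ch of stripLiterals(query)) {
    if (ch === '{') { depth += 1; max = Math.max(max, depth); }
    else if (ch === '}') { depth -= 1; if (depth < 0) throw new Error('unbalanced "}"'); }
  }
  if (depth !== 0) throw new Error('unbalanced "{"');
  return max;
}

// Returns { ok, errors } so the caller can reject with HTTP 400 before resolving.
function checkQuery(query, { maxDepth = 5, allowIntrospection = false } = {}) {
  const errors = [];
  try {
    const d = selectionDepth(query);
    if (d > maxDepth) errors.push(`query depth ${d} exceeds limit ${maxDepth}`);
  } catch (e) {
    errors.push(e.message);
  }
  if (!allowIntrospection && INTROSPECTION_FIELD.test(stripLiterals(query))) {
    errors.push('introspection is disabled');
  }
  return { ok: errors.length === 0, errors };
}

// Build a query nested `depth` selection sets deep (constructed test input).
function nestedQuery(depth) {
  return '{ ' + 'friends { '.repeat(depth - 1) + 'name' + ' }'.repeat(depth - 1) + ' }';
}

// Constructed samples: a normal query, an introspection query, a 12-deep query.
for (const q of ['{ user(id: "42") { name __typename } }',
                 '{ __schema { types { name } } }', nestedQuery(12)]) {
  console.log(checkQuery(q));
}
```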