docs: add OpenTaint (taint-analysis SAST) under a new "Code Security" section #2876

Open

misonijnik wants to merge 1 commit into Snailclimb:main from misonijnik:docs/add-opentaint-security-tool

Conversation

@misonijnik misonijnik commented Jun 16, 2026

What

Add a 代码安全 (Code Security) section to docs/open-source-project/tools.md listing OpenTaint — an open-source taint-analysis (SAST) engine for Java / Kotlin / Spring Boot.

It's placed right after 代码质量 (Code Quality): same "run-against-your-code" tooling, but focused on security vulnerabilities rather than code quality, so a separate category keeps it easy to find.

Why OpenTaint

  • On-topic — targets Java / Kotlin / Spring Boot
  • Bytecode-level inter-procedural dataflow; detects 20+ vuln classes (SQLi, XSS, SSRF, command injection, etc.)
  • Models Spring DI, singleton bean state, and JPA flows that file-by-file matchers miss
  • Fully open source (engine is Apache 2.0, CLI and rules are MIT)

The entry links to the Chinese README, the official site, and two deep-dive posts (Spring analysis and LLM-agent with taint workflow).

Note for reviewers

The copy was drafted with Claude Opus 4.8 — please review the wording and improve any phrasing that reads unnaturally.
