An open-source SAST engine featuring cross-file taint analysis and code graph querying, also serving as an MCP Server for AI coding assistants.
Code Pathfinder is a code-property-graph-centric Static Application Security Testing (SAST) engine maintained by shivasurya, released under the Apache-2.0 license, with the latest version being v2.1.0.
The core analysis pipeline uses Tree-sitter to parse source code into ASTs, then builds queryable call graphs and variable dependency graphs (VDGs). Inter-procedural taint summaries let the engine track source-to-sink data flow across functions and files, so it can find vulnerability paths that intra-procedural or single-file scanners miss, such as user input passing from an HTTP handler through several helper functions into a SQL query built in another file.
Security rules are written as Python scripts using the PathFinder SDK, declaratively defining sources, sinks, and sanitizers. The data flow engine automatically executes analysis without requiring rule authors to handle low-level graph details. Rules are automatically distributed via CDN, currently covering Python (158+ rules including Django / Flask / Pyramid / AWS Lambda / JWT / cryptography / deserialization), Dockerfile (37 rules), Docker Compose (10 rules), and Go (21 rules).
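To make the pipeline and rule model described above concrete, the following is an added example in plain Python; it is not Code Pathfinder's engine and not the PathFinder SDK. A hypothetical declarative rule (`RULE`) names a source, a sink and a sanitizer; the analyzer parses two constructed files (`FILES`) with the standard `ast` module in place of Tree-sitter, computes a per-function summary of which parameters reach the return value, and reuses that summary at every call site to follow request data from a handler through a query builder defined in another file into the sink. The label scheme, the class name `TaintAnalyzer`, and the sample code are all assumptions of this example.

```python
import ast

RULE = {  # hypothetical declarative rule: this dict shape is an assumption, not the PathFinder SDK's API
    "id": "demo-sql-injection",
    "sources": {"request.args.get"},  # dotted call names that introduce taint
    "sinks": {"cursor.execute"},      # dotted call names that must not receive it
    "sanitizers": {"int"},            # calls whose result is treated as clean
}

# Constructed two-file sample: views.py feeds request data through a query builder in db.py.
FILES = {
    "db.py": (
        "def build_query(uid):\n"
        "    return 'SELECT * FROM users WHERE id = ' + uid\n"
        "def safe_query(uid):\n"
        "    return 'SELECT * FROM users WHERE id = ' + str(int(uid))\n"
    ),
    "views.py": (
        "from db import build_query, safe_query\n"
        "def get_user_id(request):\n"
        "    return request.args.get('id')\n"
        "def handler(request, cursor):\n"
        "    uid = get_user_id(request)\n"
        "    cursor.execute(build_query(uid))  # source -> db.py helper -> sink\n"
        "    cursor.execute(safe_query(uid))   # int() sanitizes: no finding\n"
    ),
}

def dotted(node):
    """Render a Name/Attribute chain such as request.args.get, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

class TaintAnalyzer:
    """Summary-based taint tracking across functions and files (straight-line bodies only)."""
    def __init__(self, files, rule):
        self.rule, self.funcs, self.summaries, self.busy, self.findings = rule, {}, {}, set(), []
        for fname, src in files.items():
            for node in ast.parse(src, filename=fname).body:
                if isinstance(node, ast.FunctionDef):
                    self.funcs[node.name] = (fname, node)  # keyed by bare name: demo simplification

    def analyze(self):
        for name in self.funcs:
            self.summarize(name)
        return self.findings

    def summarize(self, name):
        """Labels ('source:<name>' or 'param:<i>') a call to `name` may return. Sinks in the body
        are checked on the way, so each function is analysed once however many callers it has."""
        if name in self.summaries or name in self.busy:
            return self.summaries.get(name, set())  # memoised, or recursion cut off optimistically
        self.busy.add(name)
        fname, fn = self.funcs[name]
        env = {p.arg: {f"param:{i}"} for i, p in enumerate(fn.args.args)}
        returns = set()
        for stmt in fn.body:
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                if dotted(call.func) in self.rule["sinks"]:
                    self.check_sink(call, env, fname)
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                env[stmt.targets[0].id] = self.taint_of(stmt.value, env, fname)
            elif isinstance(stmt, ast.Return) and stmt.value is not None:
                returns |= self.taint_of(stmt.value, env, fname)
        self.busy.discard(name)
        self.summaries[name] = returns
        return returns

    def check_sink(self, call, env, fname):
        labels = set().union(*(self.taint_of(a, env, fname) for a in call.args))
        sources = sorted(lab[7:] for lab in labels if lab.startswith("source:"))
        finding = {"rule": self.rule["id"], "sink": dotted(call.func),
                   "at": f"{fname}:{call.lineno}", "sources": sources}
        if sources and finding not in self.findings:
            self.findings.append(finding)

    def taint_of(self, node, env, fname):
        """Labels that may flow into expression `node` under variable environment `env`."""
        if isinstance(node, ast.Name):
            return set(env.get(node.id, ()))
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in self.rule["sanitizers"]:
                return set()
            if name in self.rule["sources"]:
                return {f"source:{name}"}
            args = [self.taint_of(a, env, fname) for a in node.args]
            if name in self.funcs:  # bind the callee summary's param:<i> labels to this call's argument taint
                bound = [args[int(lab[6:])] if lab.startswith("param:") else {lab} for lab in self.summarize(name)
                         if not lab.startswith("param:") or int(lab[6:]) < len(args)]
                return set().union(*bound)
            return set().union(*args)  # unknown callee: assume it passes taint through
        if isinstance(node, (ast.BinOp, ast.JoinedStr, ast.FormattedValue, ast.Attribute, ast.Subscript)):
            return set().union(*(self.taint_of(c, env, fname)
                                 for c in ast.iter_child_nodes(node) if isinstance(c, ast.expr)))
        return set()
```

`TaintAnalyzer(FILES, RULE).analyze()` returns one finding, at `views.py:6`, and none for the `int()`-sanitized call on the next line. The point of the summary is that `build_query` is analysed once and its result ("argument 0 reaches the return value") is bound to the caller's taint at each call site, which is what keeps cross-file tracking cheap; the engine here deliberately ignores keyword arguments, branches, loops and module scoping, all of which a real engine must model.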
Beyond traditional CLI scanning, Code Pathfinder can also run as an MCP server (pathfinder serve), exposing call graph queries, data flow tracing, and security rule execution as tools to AI coding assistants such as Claude Code, Cursor, and Cline, and accepting natural-language queries over code structure. The SecureFlow AI module provides AI-driven false positive filtering.
Output formats include text, JSON, SARIF (compatible with GitHub Code Scanning), and CSV. A CI/CD security gate can be configured with --fail-on=critical,high, which fails the run when findings of the listed severities are present. The official GitHub Action supports PR summary comments and inline annotation of findings.
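As an added example of what such a gate does over SARIF output (this is not Code Pathfinder's implementation of --fail-on), the script below parses a constructed SARIF 2.1.0 document, drops suppressed results, buckets each remaining result by its rule's `security-severity` score using the thresholds GitHub Code Scanning documents (9.0 and above critical, 7.0 to 8.9 high, 4.0 to 6.9 medium, below 4.0 low), and returns a non-zero exit code when any finding matches a `critical,high`-style severity list. The sample document, its rule IDs, and the fallback from the SARIF result `level` when a rule carries no score are assumptions of this example.

```python
import json
import sys

SEVERITIES = ("critical", "high", "medium", "low")
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}

# Constructed SARIF 2.1.0 document in the shape GitHub Code Scanning consumes: each rule
# carries a CVSS-style "security-severity" score and each result names its rule by ruleId.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py-sqli", "properties": {"security-severity": "9.1"}},
            {"id": "py-weak-hash", "properties": {"security-severity": "5.3"}},
            {"id": "docker-root-user", "properties": {"security-severity": "7.5"}},
            {"id": "py-debug-flag"},  # no score: the result level decides
        ]}},
        "results": [
            {"ruleId": "py-sqli", "level": "error", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/views.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "py-weak-hash", "level": "warning"},
            {"ruleId": "docker-root-user", "level": "error",
             "suppressions": [{"kind": "inSource", "status": "accepted"}]},  # suppressed: ignored
            {"ruleId": "py-debug-flag", "level": "note"},
        ],
    }],
})

def severity_of_score(score):
    """Bucket a security-severity score with GitHub's documented thresholds."""
    score = float(score)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def count_findings(sarif_text):
    """Count unsuppressed results per severity across all runs in the document."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for run in json.loads(sarif_text).get("runs", []):
        scores = {rule["id"]: rule.get("properties", {}).get("security-severity")
                  for rule in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            if result.get("suppressions"):  # treated as dismissed, as Code Scanning does
                continue
            score = scores.get(result.get("ruleId"))
            if score is None:  # rule has no score: fall back to the result level
                sev = LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")
            else:
                sev = severity_of_score(score)
            counts[sev] += 1
    return counts

def gate(sarif_text, fail_on="critical,high"):
    """Return (exit_code, counts); exit_code is 1 when any finding sits at a listed severity."""
    wanted = {s.strip().lower() for s in fail_on.split(",") if s.strip()}
    unknown = wanted - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severities in fail_on: {sorted(unknown)}")
    counts = count_findings(sarif_text)
    return (1 if any(counts[s] for s in wanted) else 0), counts

if __name__ == "__main__":
    # Usage: python gate.py [severities] < findings.sarif ; the sample is used when stdin is a TTY
    text = SAMPLE_SARIF if sys.stdin.isatty() else sys.stdin.read()
    code, counts = gate(text, sys.argv[1] if len(sys.argv) > 1 else "critical,high")
    print(counts)
    sys.exit(code)
```

On the sample the counts are one critical, one medium and one low (the suppressed high-severity result is not counted), so the default `critical,high` gate exits 1 while `high` alone passes. Keeping the gate as a separate step is useful when the SARIF file is produced in one job and consumed in another, or when a team wants to break the build on a different severity set than the one uploaded to Code Scanning.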
Installation options include Homebrew (brew install shivasurya/tap/pathfinder), pip (pip install codepathfinder), and Docker. The core engine is implemented in Go, the rule system and SDK in Python, and the VS Code extension in Svelte and TypeScript.
Unconfirmed items: the scope of Go analysis (the website marks AST analysis and call graphs as "Coming soon", while v2.1.0 claims 21 Go security rules); the SecureFlow AI model list and implementation details (in particular whether code is sent to an external service); and C/C++ support, on which no information is available yet.