{"id":14149560,"url":"https://github.com/shivasurya/code-pathfinder","last_synced_at":"2026-02-08T21:20:02.503Z","repository":{"id":246859675,"uuid":"720901365","full_name":"shivasurya/code-pathfinder","owner":"shivasurya","description":"An open-source security suite aiming to combine structural code analysis with AI-powered vulnerability detection. Built for advanced structural search, derive insights, find vulnerabilities in code.","archived":false,"fork":false,"pushed_at":"2026-01-19T01:21:07.000Z","size":33889,"stargazers_count":92,"open_issues_count":0,"forks_count":10,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-01-19T11:37:56.271Z","etag":null,"topics":["ai-agents","ai-sast","application-security","code-scanning","sast","security","security-tools","static-analysis","static-code-analysis","structural-search"],"latest_commit_sha":null,"homepage":"https://codepathfinder.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shivasurya.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-11-19T23:24:49.000Z","updated_at":"2026-01-19T03:19:13.000Z","dependencies_parsed_at":"2024-07-11T21:21:17.298Z","dependency_job_id":"bbd512d1-e177-467a-b2ed-e87344b4ce0d","html_url":"https://github.com/shivasurya/code-pathfinder","commit_stats":{"total_commits":184,"total_committers":3,"mean_commits":"61.333333333333336","dds":0.06521739130434778,"last_synced_commit"
:"95cad0cbd8ba49786e037dd70f782853a878162a"},"previous_names":["shivasurya/code-pathfinder"],"tags_count":43,"template":false,"template_full_name":null,"purl":"pkg:github/shivasurya/code-pathfinder","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shivasurya%2Fcode-pathfinder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shivasurya%2Fcode-pathfinder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shivasurya%2Fcode-pathfinder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shivasurya%2Fcode-pathfinder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shivasurya","download_url":"https://codeload.github.com/shivasurya/code-pathfinder/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shivasurya%2Fcode-pathfinder/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28767014,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-26T03:54:34.369Z","status":"ssl_error","status_checked_at":"2026-01-26T03:54:33.031Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","ai-sast","application-security","code-scanning","sast","security","security-tools","static-analysis","static-code-analysis","structural-search"],"created_at":"2024-08-17T03:00:31.917Z","updated_at":"2026-01-26T05:02:26.942Z","avatar_url":"https://github.com/shivasurya.png","language":"Go","readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"./assets/banner.png\" alt=\"Code Pathfinder - AI-Native static code analysis security scanner\" width=\"100%\"\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n[Website](https://codepathfinder.dev/) • [Installation](https://codepathfinder.dev/docs/quickstart) • [Rule Registry](https://codepathfinder.dev/registry) • [How to write rule?](https://codepathfinder.dev/docs/rules) • [VS Code](https://marketplace.visualstudio.com/items?itemName=codepathfinder.secureflow) • [Open VSX](https://open-vsx.org/extension/codepathfinder/secureflow)\n\n[![Build](https://github.com/shivasurya/code-pathfinder/actions/workflows/build.yml/badge.svg)](https://github.com/shivasurya/code-pathfinder/actions/workflows/build.yml)\n[![VS Code Marketplace](https://img.shields.io/visual-studio-marketplace/v/codepathfinder.secureflow?label=VS%20Code\u0026logo=visualstudiocode)](https://marketplace.visualstudio.com/items?itemName=codepathfinder.secureflow)\n[![Open VSX](https://img.shields.io/open-vsx/v/codepathfinder/secureflow?label=Open%20VSX\u0026logo=vscodium)](https://open-vsx.org/extension/codepathfinder/secureflow)\n[![AGPL-3.0 
License](https://img.shields.io/github/license/shivasurya/code-pathfinder)](https://github.com/shivasurya/code-pathfinder/blob/main/LICENSE)\n[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/shivasurya/code-pathfinder)\n\n\u003c/div\u003e\n\n# [Code Pathfinder](https://codepathfinder.dev)\n\nWith AI tools generating thousands of lines of code in seconds, the bottleneck has shifted from writing code to reviewing and securing it at scale. Traditional static analysis tools struggle with modern AI-generated codebases that mix languages, frameworks, and infrastructure-as-code in the same repository.\n\nCode Pathfinder flips this model. Instead of brittle regex or AST pattern matching per language, it indexes your entire codebase as structured, queryable data (AST, CFG, DFG). Write language-agnostic queries that trace data flows across Python, [Dockerfiles](https://codepathfinder.dev/registry), and [docker-compose](https://codepathfinder.dev/blog/announcing-docker-compose-security-rules) in a single rule—critical for CVE detection and vulnerability research when you need to understand how dependencies are used, what privileges they run with, and what attack surface they expose.\n\n## What it is\n\n- **[Open-source SAST](https://codepathfinder.dev)** that combines structural analysis (call graphs, dataflow, taint tracking) with AI to [understand real exploit paths](https://codepathfinder.dev/blog/static-analysis-isnt-enough-understanding-library-interactions-for-effective-data-flow-tracking), not just regex hits.\n- **AI-powered vulnerability hunting** via [SecureFlow](https://codepathfinder.dev/secureflow-ai), which layers 10+ models (Claude, GPT, Gemini, Grok, Ollama, etc.) 
on top of deterministic analysis for [context-aware triage](https://codepathfinder.dev/blog/introducing-secureflow-cli-to-hunt-vuln).\n- **Developer-first workflow** with [IDE integration](https://codepathfinder.dev/docs/quickstart), CLI, and CI support so security checks land where code is written and reviewed.\n\n## Why it's different\n\n- **Graph-first engine**: builds a rich representation of [functions, endpoints, DB calls, and dataflows](https://codepathfinder.dev/blog/static-analysis-isnt-enough-understanding-library-interactions-for-effective-data-flow-tracking) to cut false positives and surface real source‑to‑sink issues.\n- **LLM as validator, not oracle**: uses models to [explain, prioritize, and validate findings](https://github.blog/ai-and-ml/llms/how-ai-enhances-static-application-security-testing-sast/) after structural analysis, keeping behavior predictable and reproducible.\n- **Privacy‑first, BYOK**: your code stays local; you [bring your own keys](https://codepathfinder.dev/secureflow-ai) and talk directly to providers with no vendor-side code ingestion.\n\n## Where it fits in your stack\n\n- **Local \u0026 IDE**: SecureFlow VS Code extension ([VS Code Marketplace](https://marketplace.visualstudio.com/items?itemName=codepathfinder.secureflow) | [Open VSX](https://open-vsx.org/extension/codepathfinder/secureflow)) for real‑time security feedback as you type.\n- **CLI \u0026 agents**: [SecureFlow CLI](https://www.npmjs.com/package/@codepathfinder/secureflow-cli) runs agentic loops over your repo (profile, read, trace, validate) to hunt vulnerabilities with the same ergonomics as modern AI coding tools.\n- **Pipelines \u0026 reporting**: integrates into CI/CD and exports to formats and systems like SARIF, [GitHub Advanced Security](https://github.com/shivasurya/code-pathfinder), and DefectDojo so findings flow into existing governance.\n\n## Project components\n\n- **[Code Pathfinder CLI](https://codepathfinder.dev/blog/codeql-oss-alternative)** – 
structural security scanner and query engine for code graphs, better than grep/AST‑only search for paths and patterns.\n- **[SecureFlow CLI](https://www.npmjs.com/package/@codepathfinder/secureflow-cli)** – AI‑powered vulnerability hunter that uses agent loops and 10+ models for deep, context‑aware scans across real projects.\n- **SecureFlow VS Code extension** ([VS Code Marketplace](https://marketplace.visualstudio.com/items?itemName=codepathfinder.secureflow) | [Open VSX](https://open-vsx.org/extension/codepathfinder/secureflow)) – in‑editor experience for running scans, reviewing traces, and getting AI‑validated security insights without leaving your workspace.\n- **[Custom Rules](https://codepathfinder.dev/docs/rules)** – write your own security rules using the PathFinder query language to detect project-specific vulnerabilities and patterns.\n\n## Supported Languages\n\n- **[Python](https://codepathfinder.dev/registry/python)** – Full support for security analysis and vulnerability detection\n- **[Docker](https://codepathfinder.dev/registry/docker)** – Dockerfile security scanning\n- **[Docker Compose](https://codepathfinder.dev/registry/docker-compose)** – Configuration analysis and security checks\n- **Go** – Coming soon\n\n## Installation\n\n### Homebrew (Recommended)\n\nThe easiest way to install on macOS or Linux. Available from version 0.0.34 onwards.\n\n```bash\nbrew install shivasurya/tap/pathfinder\n```\n\n### pip\n\nInstall via pip to get **both** the CLI binary and Python DSL for writing security rules.\n\n```bash\npip install codepathfinder\n```\n\n**Verify installation:**\n\n```bash\n# Test CLI binary\npathfinder --version\n\n# Test Python DSL\npython -c \"from codepathfinder import rule, calls; print('DSL OK')\"\n```\n\n**Supported platforms:** Linux (x86_64, aarch64), macOS (Intel, Apple Silicon), Windows (x64)\n\n\u003e **Migrating from npm?** The npm package is deprecated. 
Run `npm uninstall -g codepathfinder` then `pip install codepathfinder`.\n\n### Docker\n\nIdeal for CI/CD pipelines and containerized workflows.\n\n```bash\ndocker pull shivasurya/code-pathfinder:stable-latest\n\n# Run a scan\ndocker run --rm -v \"./src:/src\" \\\n  shivasurya/code-pathfinder:stable-latest \\\n  scan --project /src --rules /src/rules\n```\n\n### Pre-Built Binaries\n\nDownload platform-specific binaries from [GitHub Releases](https://github.com/shivasurya/code-pathfinder/releases). Available for Linux (amd64, arm64), macOS (Intel, Apple Silicon), and Windows (x64).\n\n```bash\nchmod u+x pathfinder\n./pathfinder --help\n```\n\n### From Source\n\nBuild from source for the latest features. Requires Gradle and Go.\n\n```bash\ngit clone https://github.com/shivasurya/code-pathfinder\ncd code-pathfinder/sast-engine\ngradle buildGo\n./build/go/pathfinder --help\n```\n\n\n## Usage\n\n### Scan Command (Interactive)\n\n```bash\n# Basic scan (text output to console)\npathfinder scan --rules rules/ --project /path/to/project\n\n# With verbose output\npathfinder scan --rules rules/ --project . --verbose\n\n# With debug output\npathfinder scan --rules rules/ --project . --debug\n\n# JSON output to file\npathfinder scan --rules rules/ --project . --output json --output-file results.json\n\n# SARIF output to file (GitHub Code Scanning compatible)\npathfinder scan --rules rules/ --project . --output sarif --output-file results.sarif\n\n# CSV output to file\npathfinder scan --rules rules/ --project . --output csv --output-file results.csv\n\n# JSON output to stdout (for piping)\npathfinder scan --rules rules/ --project . --output json | jq .\n\n# Fail on specific severities\npathfinder scan --rules rules/ --project . --fail-on=critical,high\n```\n\n## GitHub Action\n\nAdd security scanning to your CI/CD pipeline in just a few lines.\n\n**Best Practice:** Pin to a specific version (e.g., `@v1.2.0`) for stability and reproducibility. 
Using `@main` will always pull the latest changes, which may introduce breaking changes. Pinning to the full commit SHA of that release (with the tag kept in a trailing comment) is stronger still: Git tags can be moved to a different commit, a SHA cannot.\n\n```yaml\n# .github/workflows/security-scan.yml\nname: Security Scan\n\non: [push, pull_request]\n\npermissions:\n  security-events: write\n  contents: read\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v6\n\n      # Scan with remote Python rulesets\n      - name: Run Python Security Scan\n        uses: shivasurya/code-pathfinder@v1.2.0\n        with:\n          ruleset: python/deserialization, python/django, python/flask\n          fail-on: critical,high\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v4\n        if: always()\n        with:\n          sarif_file: pathfinder-results.sarif\n```\n\n**Scan Dockerfiles:**\n```yaml\n      - name: Run Docker Security Scan\n        uses: shivasurya/code-pathfinder@v1.2.0\n        with:\n          ruleset: docker/security, docker/best-practice\n```\n\n**Use local rules:**\n```yaml\n      - name: Run Custom Rules\n        uses: shivasurya/code-pathfinder@v1.2.0\n        with:\n          rules: python-sdk/examples/owasp_top10.py\n```\n\n### Action Inputs\n\n| Input | Description | Default |\n|-------|-------------|---------|\n| `rules` | Path to Python SDK rules file or directory | - |\n| `ruleset` | Remote ruleset(s) to use (e.g., `python/deserialization, docker/security`). Supports bundles or individual rule IDs. | - |\n| `project` | Path to source code to scan | `.` |\n| `output` | Output format: `sarif`, `json`, `csv`, `text` | `sarif` |\n| `output-file` | Output file path | `pathfinder-results.sarif` |\n| `fail-on` | Fail on severities (e.g., `critical,high`) | - |\n| `verbose` | Enable verbose output with progress and statistics | `false` |\n| `debug` | Enable debug diagnostics with timestamps | `false` |\n| `skip-tests` | Skip scanning test files (test_*.py, *_test.py, etc.) 
| `true` |\n| `refresh-rules` | Force refresh of cached rulesets (bypasses cache) | `false` |\n| `disable-metrics` | Disable anonymous usage metrics collection | `false` |\n| `python-version` | Python version to use | `3.12` |\n\n**Note:** Either `rules` or `ruleset` must be specified.\n\n### Available Remote Rulesets\n\n**Python:**\n- `python/deserialization` - Unsafe pickle.loads RCE detection\n- `python/django` - Django SQL injection patterns\n- `python/flask` - Flask security misconfigurations\n\n**Docker:**\n- `docker/security` - Critical and high-severity security issues\n- `docker/best-practice` - Dockerfile optimization and best practices\n- `docker/performance` - Performance optimization for container images\n\n## Acknowledgements\nCode Pathfinder uses tree-sitter for all language parsers.\n\n## License\n\nLicensed under [AGPL-3.0](https://github.com/shivasurya/code-pathfinder/blob/main/LICENSE).\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshivasurya%2Fcode-pathfinder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshivasurya%2Fcode-pathfinder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshivasurya%2Fcode-pathfinder/lists"}
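The README's "Pipelines & reporting" and scan-command sections say findings are exported as SARIF and that `--fail-on` turns severities into a build verdict. In practice a team also needs to separate *new* findings from ones already triaged, which the flag alone does not do. The script below is an added example, not Code Pathfinder's own code: it diffs a current SARIF file against a baseline SARIF of accepted findings and fails only on new ones above a severity threshold. It assumes only the SARIF 2.1.0 shape (`runs[].results[]` with `ruleId`, `level` and a `physicalLocation`); the `properties.severity` key it reads for the scanner's own critical/high rating is an assumption, and it falls back to the standard SARIF `level` when that key is absent. The two SARIF documents at the bottom are constructed for the demo.

```python
"""Gate a SARIF scan on findings that are new relative to a baseline.

Added example, not part of Code Pathfinder. Only the SARIF 2.1.0 structure is
relied on; `properties.severity` (assumed to carry critical/high/medium/low/info)
is optional, with the SARIF `level` used as a fallback.
"""
import json
from typing import Iterable

# Scanner-style severities (as used by --fail-on), most severe first.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]
# Fallback from standard SARIF levels when no scanner severity is attached.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


def finding_fingerprint(result: dict) -> tuple:
    """Identity of one result: rule id + file + start line.

    Line-based fingerprints are deliberately conservative: if code above a
    finding changes, the finding moves and is reported again as new.
    """
    loc = result.get("locations", [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "")
    line = loc.get("region", {}).get("startLine", 0)
    return (result.get("ruleId", ""), uri, line)


def severity_of(result: dict) -> str:
    """Scanner severity if present (assumed key), else mapped from SARIF level."""
    sev = str(result.get("properties", {}).get("severity", "")).lower()
    if sev in SEVERITY_ORDER:
        return sev
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def iter_results(sarif: dict) -> Iterable[dict]:
    for run in sarif.get("runs", []):
        yield from run.get("results", [])


def new_findings(current: dict, baseline: dict) -> list:
    """Results in `current` whose fingerprint does not appear in `baseline`."""
    known = {finding_fingerprint(r) for r in iter_results(baseline)}
    return [r for r in iter_results(current) if finding_fingerprint(r) not in known]


def should_fail(findings: list, fail_on: set) -> bool:
    return any(severity_of(r) in fail_on for r in findings)


def gate_files(current_path: str, baseline_path: str, fail_on=("critical", "high")):
    """File-based entry point: returns (new findings summary, failed?)."""
    with open(current_path) as f, open(baseline_path) as g:
        return gate(json.load(f), json.load(g), fail_on)


# ---- constructed sample SARIF documents for the demo --------------------
def _sarif(results):
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "pathfinder"}}, "results": results}]}


def _result(rule, uri, line, level, severity=None):
    r = {"ruleId": rule, "level": level, "message": {"text": rule},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                             "region": {"startLine": line}}}]}
    if severity:
        r["properties"] = {"severity": severity}
    return r


BASELINE = _sarif([_result("python/deserialization", "app/api.py", 42, "error", "critical")])
CURRENT = _sarif([
    _result("python/deserialization", "app/api.py", 42, "error", "critical"),  # already accepted
    _result("python/django", "app/views.py", 17, "error", "high"),             # new
    _result("docker/best-practice", "Dockerfile", 3, "note"),                  # new, low via level
])


def gate(current=CURRENT, baseline=BASELINE, fail_on=("critical", "high")):
    """Return ([(ruleId, severity), ...] for new findings, build_should_fail)."""
    fresh = new_findings(current, baseline)
    return [(r["ruleId"], severity_of(r)) for r in fresh], should_fail(fresh, set(fail_on))


if __name__ == "__main__":
    import sys
    summary, failed = gate()
    for rule, sev in summary:
        print(f"NEW {sev:8} {rule}")
    sys.exit(1 if failed else 0)
```

Used with `pathfinder scan ... --output sarif --output-file results.sarif`, point `gate_files("results.sarif", "baseline.sarif")` at the file the scan produced and at a baseline saved from a reviewed run. Keep the baseline in the repository and regenerate it deliberately, not from every green build, or accepted findings quietly grow.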
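The ruleset list names `python/deserialization` as "Unsafe pickle.loads RCE detection" without showing what that pattern is. The following is an added example, not Code Pathfinder code, that puts the flagged pattern next to a mitigated form so the finding is concrete: `pickle` stores a callable from `__reduce__` in the stream and `pickle.loads` calls it, so any code that unpickles attacker-controlled bytes executes attacker-chosen functions. The handler names and the request body are constructed for illustration; the payload sets an environment variable instead of running a shell command so its effect is observable and harmless.

```python
"""pickle.loads on untrusted input (the pattern python/deserialization flags)
beside an allow-listed unpickler. Added example, not from the project.
"""
import io
import os
import pickle


class Malicious:
    """Its pickle, when loaded, runs code: __reduce__ names builtins.exec."""
    def __reduce__(self):
        # A real payload would call os.system; this one only leaves a marker.
        return (exec, ("import os; os.environ['PICKLE_RCE'] = '1'",))


def attacker_payload() -> bytes:
    """Bytes an attacker would send as a request body (constructed)."""
    return pickle.dumps(Malicious())


def vulnerable_handler(body: bytes):
    """The flagged pattern: untrusted bytes go straight into pickle.loads."""
    return pickle.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only allow-listed globals.

    Every global in the stream, including the callable from a __reduce__
    tuple, passes through find_class, so refusing here blocks builtins.exec,
    os.system and anything else not listed.
    """
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def hardened_handler(body: bytes):
    """Same entry point, loading through the allow-listed unpickler."""
    return RestrictedUnpickler(io.BytesIO(body)).load()


def demo() -> dict:
    """Run both handlers on the same payload and report what happened."""
    payload = attacker_payload()

    os.environ.pop("PICKLE_RCE", None)
    vulnerable_handler(payload)
    executed_in_vulnerable = os.environ.get("PICKLE_RCE") == "1"

    os.environ.pop("PICKLE_RCE", None)
    try:
        hardened_handler(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    executed_in_hardened = os.environ.get("PICKLE_RCE") == "1"

    # Plain data (dict, set of ints) still round-trips through the hardened path.
    benign = hardened_handler(pickle.dumps({"ids": {1, 2, 3}}))
    return {"vulnerable_executed": executed_in_vulnerable,
            "hardened_blocked": blocked,
            "hardened_executed": executed_in_hardened,
            "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The real fix the rule is pointing at is to stop unpickling untrusted bytes at all (JSON or another data-only format); the restricted unpickler is the mitigation for a format that cannot change yet, and its allow-list has to stay minimal, since any allowed class is a potential gadget.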