Code Pathfinder is an open-source static application security testing (SAST) platform that combines structural code analysis with AI-powered vulnerability detection. The current release is v1.3.7.
The system consists of three primary toolchains:
- sast-engine/: core static analysis engine written in Go. See page 3 for architecture details.
- extension/secureflow/: AI-powered security analysis tools, including the VS Code extension and a standalone CLI. See page 2 for details.
- python-sdk/: declarative DSL (the codepathfinder package) for writing custom security rules. See page 4 for rule authoring details.

For installation methods and distribution channels, see page 5. For development setup, see page 6.
Sources: README.md23-74 sast-engine/VERSION1 python-sdk/pyproject.toml6
Code Pathfinder operates as a multi-layer architecture. The Go binary (pathfinder) provides structural code understanding; optional AI models (via AIClientFactory) provide enhanced vulnerability detection.
Repository layout — top-level directories mapped to product lines:
| Directory | Language | Product |
|---|---|---|
| sast-engine/ | Go | pathfinder CLI binary |
| python-sdk/ | Python | codepathfinder PyPI package |
| extension/secureflow/ | TypeScript | VS Code extension |
| extension/secureflow/packages/secureflow-cli/ | TypeScript | @codepathfinder/secureflow-cli npm package |
| rules/ | Python | Pre-built rule bundles |
Top-level architecture — packages, binaries, and distribution targets:
Sources: README.md23-74 python-sdk/codepathfinder/__init__.py1-48 extension/secureflow/src/extension.ts1-135 Dockerfile1-44
Internal pipeline — from source code to findings:
Sources: README.md36-46 python-sdk/codepathfinder/__init__.py27-33
## sast-engine/

The pathfinder binary is the core analysis engine. It parses source files using tree-sitter, constructs call graphs and type information through a multi-pass algorithm, and then executes security rules against the resulting graph.
Operational modes (cobra command tree):
| Command | Description |
|---|---|
| pathfinder scan | Execute security analysis with local rules or remote rulesets |
| pathfinder ci | CI/CD mode with diff-aware scanning and GitHub PR commenting |
| pathfinder serve | MCP server (stdio or HTTP) for AI coding assistants |
Supported languages: Python, Go, Dockerfiles, docker-compose YAML.
Output formats: text, json, sarif, csv.
Sources: README.md57-59 README.md142-170
## python-sdk/

The codepathfinder package (python-sdk/codepathfinder/__init__.py1-48) provides a declarative DSL for writing security rules. The public API consists of:
| Symbol | Role |
|---|---|
| @rule | Decorator that marks a function as a security rule and attaches metadata |
| calls() | Matcher for function call sites, supports wildcards |
| variable() | Matcher for variable usages |
| flows() | Defines source-to-sink dataflow rules |
| propagates | Propagation primitives for assignment, return, args |
| And, Or, Not | Logic combinators for composing matchers |
Rules are compiled to a JSON intermediate representation (IR) and executed by the Go engine's RuleLoader. See page 4 for full rule authoring details.
Sources: python-sdk/codepathfinder/__init__.py1-48 python-sdk/README.md43-56
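To make the compile-and-execute flow concrete (a decorated function returns a matcher tree built from calls() with wildcards and And/Or/Not, the tree is serialised to JSON, and an engine evaluates it against call sites), here is an added toy example. It is not the codepathfinder SDK and does not reproduce its real API, decorator arguments, or IR format; every name in it (calls, And, Or, Not, rule, compile_to_ir, run_ir) is an assumed stand-in, and the "engine" is a few lines over Python's own ast module rather than the Go binary. The sample source it scans is constructed for the example.

```python
import ast
import fnmatch
import json

# Toy matcher constructors (assumed names, not the codepathfinder SDK API).
def calls(pattern):
    """Match call sites whose dotted callee name matches a glob pattern."""
    return {"kind": "calls", "pattern": pattern}

def And(*matchers):
    return {"kind": "and", "children": list(matchers)}

def Or(*matchers):
    return {"kind": "or", "children": list(matchers)}

def Not(matcher):
    return {"kind": "not", "child": matcher}

RULES = []

def rule(name, severity):
    """Decorator: record the matcher tree the function returns, plus metadata."""
    def wrap(fn):
        RULES.append({"name": name, "severity": severity, "match": fn()})
        return fn
    return wrap

def compile_to_ir(rules=None):
    """Serialise the rules to JSON text, the form an engine would load."""
    return json.dumps(RULES if rules is None else rules, sort_keys=True)

# A tiny "engine": find statically named call sites, evaluate the IR on them.
def _callee_name(node):
    """Rebuild a dotted name such as 'pickle.loads' from a Call's func node."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # dynamic callee such as getattr(mod, "loads")(); not matched

def call_sites(source):
    """Return (dotted_name, line) for every statically named call, by line."""
    sites = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee_name(node.func)
            if name:
                sites.append((name, node.lineno))
    sites.sort(key=lambda s: s[1])
    return sites

def evaluate(matcher, name):
    kind = matcher["kind"]
    if kind == "calls":
        return fnmatch.fnmatchcase(name, matcher["pattern"])
    if kind == "and":
        return all(evaluate(c, name) for c in matcher["children"])
    if kind == "or":
        return any(evaluate(c, name) for c in matcher["children"])
    if kind == "not":
        return not evaluate(matcher["child"], name)
    raise ValueError(f"unknown matcher kind {kind!r}")

def run_ir(ir_text, source):
    """Evaluate compiled rules; findings are (rule, severity, callee, line)."""
    findings = []
    for r in json.loads(ir_text):
        for name, line in call_sites(source):
            if evaluate(r["match"], name):
                findings.append((r["name"], r["severity"], name, line))
    return findings

# Rules written in the toy DSL.
@rule(name="unsafe-deserialization", severity="critical")
def unsafe_pickle():
    return Or(calls("pickle.load*"), calls("cPickle.load*"))

@rule(name="yaml-unsafe-load", severity="high")
def yaml_unsafe_load():
    # any yaml loader except the safe variant
    return And(calls("yaml.*load*"), Not(calls("yaml.safe_load")))

# Constructed sample input (not real project code).
SAMPLE = """
import pickle, yaml
def handler(blob, text):
    obj = pickle.loads(blob)
    cfg = yaml.safe_load(text)
    raw = yaml.load(text)
    return obj, cfg, raw
"""

if __name__ == "__main__":
    for finding in run_ir(compile_to_ir(), SAMPLE):
        print(finding)
```

The point of the detour through JSON is the same as in the real pipeline: the rule author never touches the analysis engine, and the engine never imports the rule module, so the IR is the only contract between them. Matching on the resolved dotted callee rather than on source text is what lets a wildcard like pickle.load* hit both pickle.load and pickle.loads without also matching a string literal or a comment.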
## packages/secureflow-cli/

The @codepathfinder/secureflow-cli npm package (extension/secureflow/packages/secureflow-cli/package.json1-59) is a shared TypeScript library that implements both the standalone secureflow binary and the core logic used by the VS Code extension.
Key classes:
| Class | Location | Role |
|---|---|---|
| AIClientFactory | secureflow-cli | Selects and instantiates the correct AI provider client |
| WorkspaceAnalyzer | secureflow-cli | Detects project stack and builds ApplicationProfile |
| CLIFullScanCommand | secureflow-cli | Orchestrates iterative LLM-driven analysis |
| AnalyticsService | secureflow-cli | PostHog telemetry (shared between CLI and extension) |
| DefectDojoClient | secureflow-cli | Submits findings to DefectDojo |
Standalone commands:
| Command | Description |
|---|---|
| secureflow scan | AI-driven security analysis with iterative file requests |
| secureflow profile | Project technology stack detection |
| secureflow config | Manage ~/.secureflow/config.json |
| secureflow analytics | Analytics management |
Sources: extension/secureflow/packages/secureflow-cli/package.json1-59 extension/secureflow/packages/secureflow-cli/README.md72-120
## extension/secureflow/

The VS Code extension is activated at startup and wires together commands, analytics, error reporting, and the Svelte-based webview sidebar. The entry point is activate() in extension/secureflow/src/extension.ts24-103.

Activation order in activate():

1. SentryService.getInstance() — initialize error reporting
2. AnalyticsService.getInstance() — initialize PostHog analytics
3. SecureFlowExplorer.register(context) — register the Svelte webview sidebar
4. WorkspaceProfilerCommand — register workspace profiling command
5. registerAnalyzeSelectionCommand — register Ctrl+L code selection analysis
6. registerSecureFlowReviewCommand — register git changes review

Contributed VS Code commands:
| Command ID | Title |
|---|---|
| secureflow.analyzeSelection | Analyze Selected Code for Security Issues |
| secureflow.reviewChanges | Review Git Changes for Security Issues |
| secureflow.profileWorkspace | Profile Workspace for Security Analysis |
Sources: extension/secureflow/src/extension.ts1-135 extension/secureflow/package.json188-205
## sast-engine/mcp/

The pathfinder serve command starts a Model Context Protocol server. It indexes the project in the background and exposes a JSON-RPC 2.0 interface for AI coding assistants (Claude Code, Cline, Cursor).
Transport options: stdio (default) or HTTP.
Exposed tools:
| Tool | Description |
|---|---|
| get_index_info | Project statistics and indexing status |
| find_symbol | Search symbols by name |
| find_module | Python module lookup |
| list_modules | List all indexed modules |
| get_callers | Reverse call graph traversal |
| get_callees | Forward call graph traversal |
| get_call_details | Call site information |
| resolve_import | Import path resolution |
| find_dockerfile_instructions | Dockerfile instruction search |
| find_compose_services | Docker Compose service search |
| get_dockerfile_details | Dockerfile node details |
| get_docker_dependencies | Inter-service dependency traversal |
The server.json at the repository root is the MCP registry manifest consumed by MCP-compatible clients.
Sources: server.json1-44 README.md31-32 sast-engine/mcp/types_test.go1-50
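The JSON-RPC 2.0 exchange an assistant performs against pathfinder serve over stdio, shown as an added example that is not part of Code Pathfinder or its clients. The method names (initialize, notifications/initialized, tools/list, tools/call) and the newline-delimited framing follow the Model Context Protocol; the protocol version string, client identity and the empty argument object passed to get_index_info are assumptions for illustration, and the only page-sourced pieces are the command pathfinder serve and the tool names. The request builders and response parser are pure functions so they can be checked without a server; main() launches the real binary if it is on PATH.

```python
import json
import subprocess

class JsonRpcError(Exception):
    """Raised for a JSON-RPC error object or a malformed/mismatched reply."""

def make_request(req_id, method, params=None):
    msg = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return msg

def make_notification(method, params=None):
    # Notifications carry no id and receive no reply.
    msg = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    return msg

def initialize_request(req_id, client_name, client_version):
    # MCP handshake: the client announces its protocol version and identity
    # (protocol version and client name here are assumed example values).
    return make_request(req_id, "initialize", {
        "protocolVersion": "2024-11-05",
        "capabilities": {},
        "clientInfo": {"name": client_name, "version": client_version},
    })

def tool_call_request(req_id, tool, arguments):
    # tools/call wraps the tool name and its argument object.
    return make_request(req_id, "tools/call",
                        {"name": tool, "arguments": arguments})

def encode(msg):
    # stdio framing: exactly one JSON object per line, so never pretty-print.
    return json.dumps(msg, separators=(",", ":")) + "\n"

def parse_response(line, expected_id):
    """Check a reply line against the id we sent; return its result object."""
    msg = json.loads(line)
    if msg.get("jsonrpc") != "2.0" or msg.get("id") != expected_id:
        raise JsonRpcError(f"unexpected message for id {expected_id}: {line.strip()}")
    if "error" in msg:
        err = msg["error"]
        raise JsonRpcError(f"{err.get('code')}: {err.get('message')}")
    return msg["result"]

def tool_text(result):
    """Flatten a tools/call result's text parts; raise if the tool failed."""
    text = "\n".join(c["text"] for c in result.get("content", [])
                     if c.get("type") == "text")
    if result.get("isError"):
        raise JsonRpcError("tool reported an error: " + text)
    return text

def call(proc, req_id, msg):
    proc.stdin.write(encode(msg))
    proc.stdin.flush()
    return parse_response(proc.stdout.readline(), req_id)

def main():
    # Command and transport from this page: pathfinder serve speaking stdio.
    proc = subprocess.Popen(["pathfinder", "serve"], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    try:
        print(call(proc, 1, initialize_request(1, "example-client", "0.0")))
        proc.stdin.write(encode(make_notification("notifications/initialized")))
        proc.stdin.flush()
        tools = call(proc, 2, make_request(2, "tools/list"))
        print([t["name"] for t in tools["tools"]])
        # Empty arguments is an assumption; read inputSchema from tools/list.
        print(tool_text(call(proc, 3, tool_call_request(3, "get_index_info", {}))))
    finally:
        proc.stdin.close()
        proc.wait(timeout=10)

if __name__ == "__main__":
    main()
```

Two checks in parse_response matter in practice: the id comparison, which stops a late or out-of-order reply from being attributed to the wrong request, and the error branch, which turns a JSON-RPC error object into an exception instead of letting a client read a missing result key as a successful empty answer. Indexing runs in the background, so an early get_index_info reply is the place to confirm the index is ready before trusting call-graph tools.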
pathfinder scan execution sequence:
Sources: README.md57-59 README.md142-170
Build and distribution pipeline — workflows to channels:
Platform coverage:
| Platform | Architectures |
|---|---|
| Linux | x86_64 (amd64), aarch64 (arm64) |
| macOS | Apple Silicon (arm64), Intel (x86_64) |
| Windows | x86_64 (amd64) |
| Docker | amd64 + arm64 multi-arch |
Each binary build embeds Version and GitCommit via Go -ldflags, as seen in Dockerfile19. The Docker image is built on cgr.dev/chainguard/go and installs codepathfinder via pip so that Python DSL rules can execute inside the container.
Sources: Dockerfile1-44 README.md76-140 .github/workflows/homebrew-update.yml1-22
The AIClientFactory class in @codepathfinder/secureflow-cli is the single integration point for all AI providers. Both the standalone secureflow binary and the VS Code extension delegate to this shared factory.
AIClientFactory provider dispatch — code entities to providers:
Provider configuration:
| Provider | Key setting (secureflow.Provider) | API key env var |
|---|---|---|
| Anthropic | anthropic | ANTHROPIC_API_KEY |
| OpenAI | openai | OPENAI_API_KEY |
| Google | google | GOOGLE_API_KEY |
| xAI | xai | XAI_API_KEY |
| Ollama | ollama | none |
| OpenRouter | openrouter | OPENROUTER_API_KEY |
VS Code configuration is read by SettingsManager; CLI configuration is stored in ~/.secureflow/config.json. See page 2.3 for full provider and model documentation.
Sources: extension/secureflow/package.json100-125 extension/secureflow/src/services/analytics.ts1-95 extension/secureflow/packages/secureflow-cli/README.md40-57
Code Pathfinder integrates into CI/CD pipelines via the shivasurya/code-pathfinder GitHub Action (implemented as a composite action using pip install codepathfinder).
Action inputs:
| Input | Default | Description |
|---|---|---|
| rules | — | Path to local Python DSL rule file or directory |
| ruleset | — | Remote ruleset IDs, e.g., python/deserialization, docker/security |
| project | . | Source directory to scan |
| output | sarif | Output format: sarif, json, csv, text |
| output-file | pathfinder-results.sarif | Output file path |
| fail-on | — | Severity threshold: critical, high, medium, low |
| verbose | false | Enable verbose progress output |
| debug | false | Enable debug diagnostics |
| skip-tests | true | Skip test_*.py / *_test.py files |
| refresh-rules | false | Bypass local rule cache |
| disable-metrics | false | Disable anonymous usage metrics |
| python-version | 3.12 | Python version to use |
Available remote rulesets (fetched from Cloudflare R2):
| Ruleset ID | Coverage |
|---|---|
| python/deserialization | Unsafe pickle.loads RCE |
| python/django | Django SQL injection patterns |
| python/flask | Flask security misconfigurations |
| docker/security | Critical/high Dockerfile issues |
| docker/best-practice | Dockerfile optimization |
| docker/performance | Container image performance |
Sources: README.md172-254
Python DSL rule — @rule decorator, calls(), flows() — compiled to JSON IR, executed by Go engine:
Sources: python-sdk/codepathfinder/__init__.py27-33 python-sdk/README.md39-55 README.md243-254
| Scenario | Entry Point | Use Case |
|---|---|---|
| In-editor security | VS Code extension (extension.ts activate()) | Analyze code selection, review git diffs |
| CLI scan | pathfinder scan | Custom rules, local analysis, SARIF/JSON/CSV output |
| AI-powered scan | secureflow scan (CLIFullScanCommand) | Iterative LLM-driven vulnerability detection |
| CI/CD pipeline | shivasurya/code-pathfinder GitHub Action | Automated gates, SARIF upload to GitHub Advanced Security |
| AI coding assistant | pathfinder serve (MCP server) | Code intelligence for Claude Code, Cline, Cursor |
| Container/isolated | shivasurya/code-pathfinder Docker image | Sandboxed analysis environment |
| Vulnerability management | DefectDojoClient in secureflow scan | Push findings to DefectDojo |
Sources: README.md29-54 extension/secureflow/packages/secureflow-cli/README.md86-103
| Component | Language / Framework | Key Dependencies | Purpose |
|---|---|---|---|
| sast-engine/ | Go | tree-sitter, cobra | Core static analysis binary |
| python-sdk/ | Python 3.8+ (stdlib only) | none | Rule authoring DSL |
| packages/secureflow-cli/ | Node.js / TypeScript | commander, colorette, posthog-node, @openrouter/sdk | Shared AI client + CLI binary |
| extension/secureflow/ | TypeScript, Svelte | @sentry/node, webpack | VS Code extension + webview |
| Parsers | tree-sitter (C bindings) | language-specific grammars | AST generation |
| CDN | Cloudflare R2 | — | Rule bundles, stdlib registries |
| Analytics | PostHog (posthog-node) | — | Anonymous usage telemetry |
| Error reporting | Sentry (@sentry/node) | — | Extension crash reporting |
Sources: python-sdk/pyproject.toml1-43 extension/secureflow/packages/secureflow-cli/package.json19-23 extension/secureflow/package.json269-298
Code Pathfinder is licensed under AGPL-3.0 (GNU Affero General Public License v3). This copyleft license ensures that: