An open-source security suite aiming to combine structural code analysis with AI-powered vulnerability detection.
Code Pathfinder is designed to bridge the gap between traditional static analysis tools and modern AI-assisted security review. While mature tools excel at pattern matching and complex queries, Code Pathfinder focuses on making security analysis more accessible, leveraging large language models to understand context and identify nuanced vulnerabilities, and integrated throughout the development lifecycle.
- Real-time IDE integration - Bringing security insights directly into your editor as you code
- AI-assisted analysis - Leveraging large language models to understand context and identify nuanced vulnerabilities
- Unified workflow coverage - From local development to pull requests to CI/CD pipelines
- Flexible reporting - Supporting DefectDojo, GitHub Advanced Security, SARIF, and other platforms
Built for security engineers and developers who want an extensible, open-source alternative that's evolving with modern development practices. Here are the initiatives:
- Code-Pathfinder CLI - Basic security analysis scanner better than grep
- Secureflow CLI - Claude-Code for security analysis powered by large language models with better context engineering
- Secureflow VSCode Extension - IDE integration for security analysis powered by large language models with better context engineering
$ secureflow scan ./path/to/projectdocker run --rm -v "./src:/src" shivasurya/code-pathfinder:stable-latest ci --project /src/code-pathfinder/test-src --ruleset cpf/java$ docker pull shivasurya/code-pathfinder:stable-latest$ npm install -g @codepathfinder/secureflow-cli
$ secureflow scan --help$ npm install -g codepathfinder
$ pathfinder --helpDownload the latest release from GitHub releases and choose the binary that matches your operating system.
$ chmod u+x pathfinder
$ pathfinder --helpRead the official documentation, or run pathfinder --help.
- Graph-based structural queries
- Source Sink Analysis
- Data Flow Analysis with Control Flow Graph
$ cd sourcecode-parser
$ gradle buildGo (or) npm install -g codepathfinder
$ ./pathfinder query --project <path_to_project> --stdin
2024/06/30 21:35:29 Graph built successfully
Path-Finder Query Console:
>FROM method_declaration AS md
WHERE md.getName() == "getPaneChanges"
SELECT md, "query for pane changes layout methods"
Executing query: FROM method_declaration AS md WHERE md.getName() == "getPaneChanges"
βββββ¬βββββββββββββββββββββββββββββββββββββββββββ¬ββββββββββββββ¬βββββββββββββββββββββ¬βββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β # β FILE β LINE NUMBER β TYPE β NAME β CODE SNIPPET β
βββββΌβββββββββββββββββββββββββββββββββββββββββββΌββββββββββββββΌβββββββββββββββββββββΌβββββββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β 1 β /Users/shiva/src/code-pathfinder/test-sr β 148 β method_declaration β getPaneChanges β protected void getPaneChanges() throws ClassCastException { β
β β c/android/app/src/main/java/com/ivb/udac β β β β mTwoPane = findViewById(R.id.movie_detail_container) β
β β ity/movieListActivity.java β β β β != null; β
β β β β β β } β
βββββ΄βββββββββββββββββββββββββββββββββββββββββββ΄ββββββββββββββ΄βββββββββββββββββββββ΄βββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Path-Finder Query Console:
>:quit
Okay, Bye!Code Pathfinder uses tree-sitter for all language parsers.