Code Pathfinder
编码与调试by shivasurya
面向 Python/Go 的代码智能 MCP server,提供调用图、类型推断与符号搜索能力。
想快速摸清 Python/Go 项目结构与调用关系,Code Pathfinder 用调用图、类型推断和符号搜索把代码理解与排障效率拉高一截。
什么是 Code Pathfinder?
面向 Python/Go 的代码智能 MCP server,提供调用图、类型推断与符号搜索能力。
README
Website · Docs · Rule Registry · MCP Server · Blog
Quick Start
Install:
brew install shivasurya/tap/pathfinder
Scan a Python project (rules download automatically):
pathfinder scan --ruleset python/all --project .
Scan Dockerfiles:
pathfinder scan --ruleset docker/all --project .
No config files, no API keys, no cloud accounts. Results in your terminal in seconds.
<!-- TODO: Add demo video/GIF here -->
What is Code Pathfinder?
Code Pathfinder is an open-source static analysis engine that builds a graph of your codebase and traces how data flows through it. It parses source code into Abstract Syntax Trees, constructs call graphs across files, and runs taint analysis to find source-to-sink vulnerabilities that span multiple files and function boundaries.
v2.0 introduces cross-file dataflow analysis: trace user input from an HTTP handler in one file through helper functions and into a SQL query in another file. This is the kind of analysis that pattern-matching tools miss entirely.
Cross-File Taint Analysis
Most open-source SAST tools operate on single files. Code Pathfinder v2.0 tracks tainted data across file boundaries:
app.py:5 user_input = request.get("query") ← Source: user-controlled input
↓ calls
db.py:12 cursor.execute(query) ← Sink: SQL execution
The engine builds a Variable Dependency Graph (VDG) per function, then connects them through inter-procedural taint transfer summaries. When user_input flows into a function parameter in another file, the taint propagates through the call graph to the sink.
How It Works
Source Code → Tree-sitter AST → Call Graph → Variable Dependency Graph → Taint Analysis → Findings
↓
Inter-procedural
Taint Summaries
(cross-file flows)
- Parse: Tree-sitter builds ASTs for Python, Dockerfiles, and Docker Compose files
- Index: Extract functions, call sites, parameters, and assignments into a queryable call graph
- Analyze: Build VDGs per function, resolve inter-procedural flows, run taint analysis
- Detect: Python-based security rules query the graph to find source-to-sink paths
- Report: Output findings as text, JSON, SARIF (GitHub Code Scanning), or CSV
190 Security Rules, Ready to Use
Rules download from CDN automatically. No need to clone the repo or manage rule files.
| Language | Bundles | Rules | Coverage |
|---|---|---|---|
| Python | django, flask, aws_lambda, cryptography, jwt, lang, deserialization, pyramid | 158 | SQL injection, RCE, SSRF, path traversal, XSS, deserialization, crypto misuse, JWT vulnerabilities |
| Docker | security, best-practice, performance | 37 | Root user, exposed secrets, image pinning, multi-stage builds, layer optimization |
| Docker Compose | security, networking | 10 | Privileged mode, socket exposure, capability escalation, network isolation |
# Scan with a specific bundle
pathfinder scan --ruleset python/django --project .
# Scan with multiple bundles
pathfinder scan --ruleset python/flask --ruleset python/jwt --project .
# Scan a single rule
pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-001 --project .
# Scan all rules for a language
pathfinder scan --ruleset python/all --project .
Browse all rules with examples and test cases at the Rule Registry.
MCP Server for AI Coding Assistants
Code Pathfinder runs as an MCP server, giving Claude Code, Cursor, Cline, and other AI assistants access to call graphs, data flows, and security analysis. More context than LSP, focused on security and code structure.
pathfinder serve --project .
The MCP server exposes tools for querying the code graph: find callers/callees, trace data flows, search for patterns, and run security rules — all available to the AI assistant during code review or development.
Write Custom Rules
Security rules are Python scripts using the PathFinder SDK. Define sources, sinks, and sanitizers — the dataflow engine handles the analysis.
Here's a real rule from the repo (PYTHON-DJANGO-SEC-001) that detects SQL injection in Django:
from codepathfinder import calls, flows, QueryType
from codepathfinder.presets import PropagationPresets
class DBCursor(QueryType):
fqns = ["sqlite3.Cursor", "psycopg2.extensions.cursor"]
match_subclasses = True
@python_rule(
id="PYTHON-DJANGO-SEC-001",
name="Django SQL Injection via cursor.execute()",
severity="CRITICAL",
cwe="CWE-89",
)
def detect_django_cursor_sqli():
return flows(
from_sources=[
calls("request.GET.get"),
calls("request.POST.get"),
],
to_sinks=[
DBCursor.method("execute").tracks(0),
calls("cursor.execute"),
],
sanitized_by=[calls("escape"), calls("escape_string")],
propagates_through=PropagationPresets.standard(),
scope="global", # cross-file taint analysis
)
# Run your custom rules
pathfinder scan --rules ./my_rules/ --project .
Explore all 190 rules in the rules/ directory or browse the Rule Registry. See the rule writing guide and dataflow documentation to write your own.
See the rule writing guide and dataflow documentation for more.
Installation
Homebrew (Recommended)
brew install shivasurya/tap/pathfinder
pip
Installs the CLI binary and Python SDK for writing rules.
pip install codepathfinder
Docker
docker pull shivasurya/code-pathfinder:stable-latest
docker run --rm -v "$(pwd):/src" \
shivasurya/code-pathfinder:stable-latest \
scan --ruleset python/all --project /src
Pre-Built Binaries
Download from GitHub Releases for Linux (amd64, arm64), macOS (Intel, Apple Silicon), and Windows (x64).
From Source
git clone https://github.com/shivasurya/code-pathfinder
cd code-pathfinder/sast-engine
gradle buildGo
./build/go/pathfinder --help
Usage
# Scan with text output (default)
pathfinder scan --ruleset python/all --project .
# JSON output
pathfinder scan --ruleset python/all --project . --output json --output-file results.json
# SARIF output (GitHub Code Scanning)
pathfinder scan --ruleset python/all --project . --output sarif --output-file results.sarif
# CSV output
pathfinder scan --ruleset python/all --project . --output csv --output-file results.csv
# Fail CI on critical/high findings
pathfinder scan --ruleset python/all --project . --fail-on=critical,high
# MCP server mode
pathfinder serve --project .
# Verbose output with statistics
pathfinder scan --ruleset python/all --project . --verbose
GitHub Action
name: Code Pathfinder Security SAST Scan
on:
pull_request:
permissions:
security-events: write
contents: read
pull-requests: write
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Run Security Scan
uses: shivasurya/code-pathfinder@v2.0.2
with:
ruleset: python/all, docker/all, docker-compose/all
verbose: true
pr-comment: ${{ github.event_name == 'pull_request' }}
pr-inline: ${{ github.event_name == 'pull_request' }}
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: pathfinder-results.sarif
See the full example: .github/workflows/code-pathfinder-scan.yml
| Input | Description | Default |
|---|---|---|
rules | Path to local Python rule files or directory | - |
ruleset | Remote ruleset(s), comma-separated (e.g., python/all, docker/security) | - |
project | Path to source code | . |
output | Output format: sarif, json, or csv | sarif |
output-file | Output file path | pathfinder-results.sarif |
fail-on | Fail on severities (e.g., critical,high) | - |
verbose | Enable verbose output | false |
debug | Enable debug diagnostics with timestamps | false |
skip-tests | Skip test files | true |
refresh-rules | Force refresh cached rulesets | false |
disable-metrics | Disable anonymous usage metrics | false |
python-version | Python version to use | 3.12 |
pr-comment | Post summary comment on pull request | false |
pr-inline | Post inline review comments for critical/high findings | false |
github-token | GitHub token (required when pr-comment or pr-inline is enabled) | - |
no-diff | Disable diff-aware scanning (scan all files) | false |
Either rules or ruleset is required.
Supported Languages
| Language | Analysis | Status |
|---|---|---|
| Python | Cross-file dataflow, taint analysis, call graphs | Stable |
| Dockerfile | Instruction analysis, security patterns | Stable |
| Docker Compose | Configuration analysis, security patterns | Stable |
| Go | AST analysis, call graphs | Coming soon |
Contributing
Contributions are welcome. Read the Contributing Guide for setup instructions, how to run tests locally, and the PR process.
All contributors must sign the Contributor License Agreement (CLA) before any pull request can be merged.
License
常见问题
Code Pathfinder 是什么?
面向 Python/Go 的代码智能 MCP server,提供调用图、类型推断与符号搜索能力。
相关 Skills
前端设计
by anthropics
面向组件、页面、海报和 Web 应用开发,按鲜明视觉方向生成可直接落地的前端代码与高质感 UI,适合做 landing page、Dashboard 或美化现有界面,避开千篇一律的 AI 审美。
✎ 想把页面做得既能上线又有设计感,就用前端设计:组件到整站都能产出,难得的是能避开千篇一律的 AI 味。
网页构建器
by anthropics
面向复杂 claude.ai HTML artifact 开发,快速初始化 React + Tailwind CSS + shadcn/ui 项目并打包为单文件 HTML,适合需要状态管理、路由或多组件交互的页面。
✎ 在 claude.ai 里做复杂网页 Artifact 很省心,多组件、状态和路由都能顺手搭起来,React、Tailwind 与 shadcn/ui 组合效率高、成品也更精致。
网页应用测试
by anthropics
用 Playwright 为本地 Web 应用编写自动化测试,支持启动开发服务器、校验前端交互、排查 UI 异常、抓取截图与浏览器日志,适合调试动态页面和回归验证。
✎ 借助 Playwright 一站式验证本地 Web 应用前端功能,调 UI 时还能同步查看日志和截图,定位问题更快。
相关 MCP Server
GitHub
编辑精选by GitHub
GitHub 是 MCP 官方参考服务器,让 Claude 直接读写你的代码仓库和 Issues。
✎ 这个参考服务器解决了开发者想让 AI 安全访问 GitHub 数据的问题,适合需要自动化代码审查或 Issue 管理的团队。但注意它只是参考实现,生产环境得自己加固安全。
Context7 文档查询
编辑精选by Context7
Context7 是实时拉取最新文档和代码示例的智能助手,让你告别过时资料。
✎ 它能解决开发者查找文档时信息滞后的问题,特别适合快速上手新库或跟进更新。不过,依赖外部源可能导致偶尔的数据延迟,建议结合官方文档使用。
by tldraw
tldraw 是让 AI 助手直接在无限画布上绘图和协作的 MCP 服务器。
✎ 这解决了 AI 只能输出文本、无法视觉化协作的痛点——想象让 Claude 帮你画流程图或白板讨论。最适合需要快速原型设计或头脑风暴的开发者。不过,目前它只是个基础连接器,你得自己搭建画布应用才能发挥全部潜力。