New: SecureFlow AI for security teams

Security scanning without the noise

Code Pathfinder eliminates false positives and surfaces real security issues so developers can focus on building features instead of triaging alerts.

Install NowGitHub

Get started in seconds

Choose your preferred installation method

brew install shivasurya/tap/pathfinder

macOS & Linux • v0.0.34+

Developers trust findings from Code Pathfinder

SecureFlow AI

Say goodbye to false positives

Get findings you feel confident bringing to developers across SAST, SCA, and Secrets scanning. Filter out the false positives that traditional tools always flag with contextual, AI-powered noise filtering.

Read our guide on reducing false positives
Security Dashboard
Critical
0
-100%
High
2
-90%
Medium
5
No change
Vulnerability Trend (Last 30 days)
Jan 1Jan 30
api/views.py
1from django.db import connection
2
3def get_user(user_id):
4cursor = connection.cursor()
5query = f"SELECT * FROM users WHERE id = {user_id}"
6cursor.execute(query)
7return cursor.fetchone()
SQL Injection (CWE-89)
User input flows to SQL execution without sanitization
Code Graph Analysis

Eliminate developer friction

Automatically hide likely false positives from developers. Present findings and fixes to developers in their native workflows with structural search, call graphs, and source-to-sink tracing.

Explore security rules and code graph analysis
CI/CD Integration

Easily operationalize and scale

See findings in your editor, pull requests, and CI pipelines with a single configuration. Export SARIF and DefectDojo reports with severity mapping for smooth triage and tracking.

View CI/CD integration documentation
.github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Run Code Pathfinder
run: |
npm install -g codepathfinder
pathfinder ci --project . --ruleset cpf/python
Build passing
0 vulnerabilities

Ship faster, ship securely

Shift left without the developer productivity tax.

98%
Fewer false positives with AI filtering
10s
Median CI scan time
12+
AI models supported

Security rules that grow with threats

Protect your code with an ever-growing set of security rules covering OWASP Top 10, CVEs, and framework-specific vulnerabilities.

Django SQL Injection

critical

Detects SQL injection where user input flows to cursor.execute() without proper parameterization

djangosql-injectiondatabase+1
2024-10-20Python

Flask Debug Mode in Production

high

Detects Flask applications running with debug mode enabled which can expose sensitive information

flaskconfigurationinformation-disclosure+1
2024-10-15Python

Unsafe Pickle Deserialization

critical

Detects unsafe pickle deserialization where untrusted data flows to pickle.loads() leading to RCE

deserializationpicklerce+1
2024-09-28Python
View all security rules

Shift left without the developer productivity tax

Ship faster and more securely with AI-powered security analysis that eliminates false positives.

Watch Demo VideoExplore documentation