New: SecureFlow AI for security teams

Security scanning without the noise

Code Pathfinder eliminates false positives and surfaces real security issues so developers can focus on building features instead of triaging alerts.

Get started in seconds

Choose your preferred installation method

brew install shivasurya/tap/pathfinder

macOS & Linux • v0.0.34+

Developers trust findings from Code Pathfinder

SecureFlow AI

Say goodbye to false positives

Get findings you feel confident bringing to developers across SAST, SCA, and Secrets scanning. Filter out the false positives that traditional tools always flag with contextual, AI-powered noise filtering.

Read our guide on reducing false positives
Security Dashboard: Critical 0 (-100%), High 2 (-90%), Medium 5 (no change)
Vulnerability Trend (Last 30 days): Jan 1 to Jan 30
api/views.py

    from django.db import connection

    def get_user(user_id):
        cursor = connection.cursor()
        query = f"SELECT * FROM users WHERE id = {user_id}"
        cursor.execute(query)
        return cursor.fetchone()

SQL Injection (CWE-89)
User input flows to SQL execution without sanitization
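
A minimal sketch of the source-to-sink idea behind the finding above, added here as an example; it is not Code Pathfinder's implementation or rule format. It assumes function parameters are the sources and the first argument of any `.execute()` call is the sink; `get_user_safe`, `names_in` and `find_sql_flows` are hypothetical names introduced for illustration.

```python
import ast

# The page's api/views.py snippet plus a constructed parameterized variant
# (get_user_safe) for contrast. The text is only parsed, never executed.
SAMPLE = '''from django.db import connection

def get_user(user_id):
    cursor = connection.cursor()
    query = f"SELECT * FROM users WHERE id = {user_id}"
    cursor.execute(query)
    return cursor.fetchone()

def get_user_safe(user_id):
    cursor = connection.cursor()
    cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
    return cursor.fetchone()
'''

def names_in(node):
    """Every variable name that appears inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def find_sql_flows(source):
    """Return (function, line) for each execute() whose query text is tainted.

    Assumptions of this sketch: function parameters are the sources, the first
    argument of any .execute() call is the sink, and taint moves only through
    plain assignments inside one function.
    """
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = {a.arg for a in func.args.args}
        steps = [n for n in ast.walk(func) if isinstance(n, (ast.Assign, ast.Call))]
        for node in sorted(steps, key=lambda n: (n.lineno, n.col_offset)):
            if isinstance(node, ast.Assign):
                targets = set().union(*(names_in(t) for t in node.targets))
                if names_in(node.value) & tainted:
                    tainted |= targets   # taint propagates to the new name
                else:
                    tainted -= targets   # overwritten with untainted data
            elif (isinstance(node.func, ast.Attribute) and node.func.attr == "execute"
                  and node.args and names_in(node.args[0]) & tainted):
                findings.append((func.name, node.lineno))
    return findings

if __name__ == "__main__":
    for name, line in find_sql_flows(SAMPLE):
        print(f"CWE-89: parameter reaches execute() in {name}() at line {line}")
```

The parameterized variant is not flagged because `user_id` reaches the driver as a bound value in the second argument, not as part of the query text.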
Code Graph Analysis

Eliminate developer friction

Automatically hide likely false positives from developers. Present findings and fixes to developers in their native workflows with structural search, call graphs, and source-to-sink tracing.

Explore security rules and code graph analysis
CI/CD Integration

Easily operationalize and scale

See findings in your editor, pull requests, and CI pipelines with a single configuration. Export SARIF and DefectDojo reports with severity mapping for smooth triage and tracking.

View CI/CD integration documentation
.github/workflows/security.yml

    name: Security Scan
    on: [push, pull_request]
    jobs:
      security:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v6
          - name: Run Code Pathfinder
            run: |
              npm install -g codepathfinder
              pathfinder ci --project . --ruleset cpf/python

Build passing
0 vulnerabilities

Performance that doesn't compromise security

Lightning-fast scans with AI precision that actually catches vulnerabilities.

98% fewer false positives with AI filtering
10s median CI scan time
12+ AI models supported

Security rules that grow with threats

Protect your code with an ever-growing set of security rules covering OWASP Top 10, CVEs, and framework-specific vulnerabilities.

Build secure software without drowning in alerts

Focus on real vulnerabilities with AI-powered precision that cuts through the noise of traditional security scanners.