Cross-file dataflow analysis. Type-aware. Open source SAST that cuts through the noise and finds real vulnerabilities.
brew install shivasurya/tap/pathfindermacOS & Linux • v2.1.0
Supported languages
Get findings you feel confident bringing to developers across SAST, SCA, and Secrets scanning. Filter out the false positives that traditional tools always flag with contextual, AI-powered noise filtering.
Read our guide on reducing false positivesAutomatically hide likely false positives from developers. Present findings and fixes to developers in their native workflows with structural search, call graphs, and source-to-sink tracing.
Explore security rules and code graph analysisSee findings in your editor, pull requests, and CI pipelines with a single configuration. Export SARIF and DefectDojo reports with severity mapping for smooth triage and tracking.
Lightning-fast scans with AI precision that actually catches vulnerabilities.
Protect your code with an ever-growing set of security rules covering OWASP Top 10, CVEs, and framework-specific vulnerabilities.
apk add without --no-cache. Package cache remains in image, increasing size by 2-5 MB.
Service does not have no-new-privileges security option. Without this, processes inside the container can gain additional privileges via setuid binaries or capability escalation.
marshal.loads() and marshal.load() are not secure against erroneous or malicious data and should not be used to deserialize untrusted input.
User-controlled input flows into GORM Raw() or Exec() raw SQL methods without parameterization — GORM's ORM safety guarantees do not apply to Raw/Exec with string concatenation.
WORKDIR should use absolute paths starting with /.
Service mounts Docker socket. The owner of this socket is root. Giving container access to it is equivalent to giving unrestricted root access to host.
Query your codebase with natural language through Claude Code, Codex, OpenCode, or Windsurf. Get instant answers about function calls, dependencies, and code structure without leaving your editor.
Focus on real vulnerabilities with AI-powered precision that cuts through the noise of traditional security scanners.