🐳 Code Pathfinder v1.1.1 - Container Security Edition

We're excited to announce Code Pathfinder v1.1.1, a massive release that introduces comprehensive Docker and container security analysis capabilities! This release adds 47 security rules, a powerful Python DSL for writing custom rules, and native Dockerfile/docker-compose parsing.

🚀 Major Features

Complete Docker Security Analysis

Code Pathfinder now supports deep security analysis of containerized applications with:

• Native Dockerfile Parsing - Full tree-sitter based parsing of all 18 Dockerfile instructions
• Docker Compose Support - Parse and analyze docker-compose.yml files with security-focused queries
• 47 Built-in Security Rules - Comprehensive coverage of OWASP Docker Security, CIS Docker Benchmark, and industry best practices

Python DSL for Container Rules

Write expressive security rules using our new Python DSL:

@rule(
    id="DOCKER-SEC-001",
    severity="high",
    message="Running container as root"
)
def check_root_user(dockerfile):
    return dockerfile.user == "root"

Features include:

• Fluent API for querying Dockerfile instructions
• Built-in helpers for common security patterns
• Support for complex multi-instruction analysis
• Easy integration with CI/CD pipelines

Security Rule Categories

The 47 rules cover critical security areas:

• Privilege Escalation - Detect containers running as root, excessive capabilities
• Secret Management - Find hardcoded credentials, API keys in images
• Network Security - Identify exposed ports, insecure protocols
• Supply Chain - Check for unverified base images, outdated dependencies
• Best Practices - Health checks, multi-stage builds, layer optimization

🎯 Use Cases

DevSecOps Teams: Integrate container security scanning into your CI/CD pipelines Security Auditors: Quickly identify security misconfigurations across hundreds of Dockerfiles Platform Engineers: Enforce organizational security policies for containerized workloads Developers: Get immediate feedback on container security issues during development

📊 By The Numbers

• 🔒 47 security rules covering Docker & docker-compose
• 📝 18 Dockerfile instructions fully supported
• 🐍 Python DSL for custom rule authoring
• 🎯 3 severity levels (high, medium, low) for risk prioritization

🔧 Getting Started

Scan Your Dockerfiles

Install

npm install -g codepathfinder

Scan a project

pathfinder scan --project ./my-app ----rules /path/to/rules

Check rules here https://github.com/shivasurya/code-pathfinder/tree/main/rules

What's Changed

• chore(python-dsl): Release v1.1.0 by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/405
• chore: Remove nsjail testing scripts from root directory by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/406
• feat: Add Cloudflare R2 stdlib registry upload + bump to v1.0.0 by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/407
• fix: Remove AWS credentials action, install AWS CLI directly for R2 by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/408
• fix: Allow msilib and nis modules to fail gracefully by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/409
• chore: Remove outdated docs/ and pathfinder-rules/ directories by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/410
• chore: Move R2_SETUP.md and SANDBOX.md to knowledge base by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/411
• chore: Remove GitHub Container Registry build to save CI time by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/412
• refactor: Migrate test fixtures to sourcecode-parser/test-fixtures by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/413
• refactor: Rename sourcecode-parser to sast-engine (v1.1.0) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/414

Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v0.0.34...v1.1.0

What's Changed

• chore: fix package-lock.json file by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/321
• cpf/enhancement: Add core data structures for call graph by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/322
• cp/enhancement: Implement module registry - Pass 1 of 3-pass algorithm by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/323
• cpf/enhancement: Implement import extraction with tree-sitter by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/324
• cpf/enhancement: Implement relative import resolution by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/325
• cpf/enhancement: Implement call site extraction from AST by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/326
• cpf/enhancement: Implement call graph builder - Pass 3 by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/327
• cpf/enhancement: Create CFG data structures for control flow analysis by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/328
• cpf/enhancement: Add pattern registry with hardcoded code injection example by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/329
• cpf/enhancement: Add Callgraph Integration into parsing pipeline by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/330
• cpf/enhancement: Django ORM Pattern Resolution by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/333
• feat(callgraph): Python Type Inference for Improved Call Resolution by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/334
• feat(callgraph): Phase 2 - Complete Type Inference with Inter-Procedural Propagation by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/335
• feat(callgraph): Task 12 - Self Attribute Tracking & Method Chaining by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/336
• feat(stdlib): Add generic Python 3.14 stdlib registry generator by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/337
• feat(callgraph): Add local stdlib registry loader with resolution by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/338
• fix(callgraph): Add fallback stdlib check for direct module imports by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/339
• feat(callgraph): Add remote stdlib registry with lazy loading by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/340
• fix(tools): Allow platform-specific module failures in registry generation by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/341
• feat(observability): Add stdlib registry metrics and regression tests by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/342
• feat(dataflow): Add core data structures for intra-procedural taint analysis by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/343
• feat(callgraph): Add Python statement extraction for intra-procedural dataflow by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/344
• feat(callgraph): Add def-use chain construction (PR #3) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/345
• feat(taint): Implement intra-procedural taint propagation by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/346
• feat(callgraph): Integrate taint analysis into call graph builder by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/347
• Fix intra-procedural vulnerability detection by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/348
• feat(diagnostic): Add function extraction for diagnostic system by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/349
• feat(diagnostic): Add LLM integration for pattern discovery by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/350
• feat(diagnostic): Add tool comparison with normalization by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/351
• fix(ci): Install codepathfinder 1.0.0 for Python DSL tests by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/362
• feat(go): Remove ANTLR/expr-lang query system by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/352
• feat(python): Add core matchers (calls, variable) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/353
• feat(python): Add dataflow analysis with Phase 1 propagation by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/354
• feat(python): Add Phase 2 propagation and presets by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/355
• feat(python): Add logic operators (And, Or, Not) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/356
• feat(go): Add call_matcher executor by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/357
• feat(go): Add variable_matcher executor by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/358
• feat(go): Add dataflow integration for taint analysis by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/359
• feat(go): Add DSL rule loader and OWASP Top 10 examples by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/360
• feat(cli): Implement scan, query, and ci commands with Python DSL integration by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/361
• build(deps): bump astro from 5.14.4 to 5.15.6 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/shivasurya/code-pathfinder/pull/366
• feat(models): Add GPT-5.1 model support by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/367
• build(deps): bump the npm_and_yarn group across 2 directories with 1 update by @dependabot[bot] in https://github.com/shivasurya/code-pathfinder/pull/368
• chore: Release version 0.0.16 by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/369
• fix: TypeScript type annotations in generated model config by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/370
• chore: Release version 0.0.17 by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/371
• refactor: create core package with foundation types by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/372
• refactor: create registry, cfg, and resolution packages by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/373
• refactor(callgraph): Create analysis/taint, extraction packages and complete registry by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/374
• refactor(callgraph): Create resolution package and complete extraction package (PR #4) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/375
• refactor(callgraph): Move advanced resolution to resolution package (PR #5) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/376
• refactor: Create patterns package for pattern detection (PR #6) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/377
• refactor: Extract builder logic to builder/ package (#7) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/378
• refactor: Remove all type aliases and wrapper functions from callgraph package by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/379
• feat(docs): Enhance blog post typography and reading experience by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/380
• feat(blog): Add MyClone chat widget to blog posts by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/381
• build(deps): bump glob from 10.4.5 to 10.5.0 in /extension/secureflow in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/shivasurya/code-pathfinder/pull/382
• build(deps): bump astro from 5.15.6 to 5.15.9 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/shivasurya/code-pathfinder/pull/383
• PR #1: DSL IR Extension & Keyword Argument Parsing by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/384
• PR #2: Implement Keyword Argument Matching Logic by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/385
• PR #3: Add Python DSL API for Argument Matching by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/386
• PR #4: Add Positional Argument Matching Support by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/387
• PR #5: Add Advanced Argument Matching Features by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/388
• PR #6: Add Tuple Indexing for Nested Argument Matching by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/389
• PR #7: Fix Critical Bugs in Argument Matching by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/390
• PR #1: Data Structures & Enrichment Layer by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/391
• PR #2: Structured Logging System by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/392
• PR #3: Text Formatter for Scan Command by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/393
• PR #4: Add JSON and CSV Output Formatters for CI Mode by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/394
• PR #5: Enhanced SARIF Formatter with Code Flows by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/395
• PR #6: Exit Code Standardization & --fail-on Flag by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/396
• PR #7: Command Cleanup & Documentation by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/397
• enhancement(docs): Improve landing page experience by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/398
• enhancement(docker): Add Python runtime with nsjail sandboxing by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/399
• enhancement(dsl): Integrate nsjail sandbox for Python DSL execution by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/400
• feat(release): add macOS Intel and Linux ARM64 builds by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/401
• feat(release): Add Homebrew tap update trigger by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/402
• fix(release): Trigger Homebrew update on publish + v0.0.34 by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/403

Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v0.0.33...v0.0.34

🚀 Recent Highlights — CodePathfinder

We’ve landed three notable updates to boost developer experience and performance:

• Performance Monitoring & Memory Improvements: PR #316 Sharper performance monitoring tools plus reduced memory usage.

• Golang Version Upgrade: PR #311 Migration to the latest Go for improved reliability and compatibility.

• Python 3 Language Support: PR #314 You can now scan and analyze Python 3 code, broadening language coverage for source code analysis.

🌟 Introducing SecureFlow — Next-Gen AI Security Scanning

Take your code security audit to the next level with our new solutions:

• SecureFlow Extension: Code securely inside VSCode with AI-driven insights. Read more

• SecureFlow CLI: Hunt vulnerabilities in your projects with CLI-powered AI analysis. Details in blog

We’re taking baby steps toward making AI-native security scanning the foundation for future software. Stay tuned—more is coming!

Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v0.0.32...v0.0.33

What's Changed

• feature: 🍺 Support for AssertStmt Node statement by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/179
• feature: Support for ReturnStmt statement by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/180
• fix docker command by @opstoken in https://github.com/shivasurya/code-pathfinder/pull/182
• feature: 🍺 Support for BlockStmt statement by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/181
• doc: refresh documentation for latest statement support by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/183
• chore: update seo title by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/184
• doc: Update the documentation to include BreakStmt, LabeledStmt, YieldStmt and etc by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/185
• chore: fix title tag issue by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/186
• Bump nanoid from 3.3.7 to 3.3.8 in /docs in the npm_and_yarn group across 1 directory by @dependabot in https://github.com/shivasurya/code-pathfinder/pull/188
• Bump astro from 4.16.3 to 4.16.18 in /docs in the npm_and_yarn group across 1 directory by @dependabot in https://github.com/shivasurya/code-pathfinder/pull/189
• chore(upgrade): Bump golang dependencies and version by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/192
• Bump vite from 5.4.11 to 5.4.14 in /docs in the npm_and_yarn group across 1 directory by @dependabot in https://github.com/shivasurya/code-pathfinder/pull/193
• feature: :beer: Class with inheritance support by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/187
• blog: add closure table blog post 📰 by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/196
• chore: Update Website Navigation and Messaging by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/197
• build(deps): bump the npm_and_yarn group across 1 directory with 3 updates by @dependabot in https://github.com/shivasurya/code-pathfinder/pull/198
• feat: New Pathfinder Rules page (atlas) for docs by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/200
• chore: updated package-lock.json by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/201
• chore: added rollup optional dep by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/202
• chore: fix link in footer by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/203
• build(deps): bump prismjs from 1.29.0 to 1.30.0 in /docs in the npm_and_yarn group across 1 directory by @dependabot in https://github.com/shivasurya/code-pathfinder/pull/204
• feature: Code-Pathfinder online hosted sandbox playground by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/205
• build(deps): bump @babel/runtime from 7.26.9 to 7.26.10 in /docs in the npm_and_yarn group across 1 directory by @dependabot in https://github.com/shivasurya/code-pathfinder/pull/206
• build(deps): bump the go_modules group across 2 directories with 1 update by @dependabot in https://github.com/shivasurya/code-pathfinder/pull/208
• release: bump version to 0.0.32 by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/209

New Contributors

• @opstoken made their first contribution in https://github.com/shivasurya/code-pathfinder/pull/182 🎉

Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v0.0.31...v0.0.32