What's Changed

• feat: subscript taint propagation for dataflow analysis (GAP-012) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/622
• feat: deep call chain resolution for VDG taint analysis (GAP-004) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/623
• refactor: remove dead hasAccess field and O(n²) post-processing loop by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/624
• feat: add Dockerfile.mcp for Docker MCP Catalog listing by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/625
• fix: enable analytics by default in Dockerfile.mcp by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/626
• chore: bump version to 2.0.2 across all components by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/627
• fix: resolve 6 GHAS dependency vulnerabilities in secureflow extension by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/628

Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v2.0.1...v2.0.2

What's Changed

• fix: resolve module-level classmethod aliases in stdlib type inference by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/616
• feat: deep attribute chain resolution (3+ levels) for self.attr patterns by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/617
• feat: resolve stdlib call: attribute placeholders via CDN registry by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/618
• feat: attribute access as taint source for dataflow analysis (GAP-006) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/620

Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v2.0.0...v2.0.1

v2.0.0 — Cross-File Dataflow Analysis 🚀

Code Pathfinder v2.0.0 is here. Cross-file taint analysis with custom rules written in Python. Define sources, sinks, and sanitizers — the engine traces data flows across files and function boundaries automatically. The biggest engine upgrade since the project started.

📖 Full announcement blog post

🔬 Cross-File Taint Analysis

• Variable Dependency Graph (VDG) with inter-procedural taint transfer summaries
• scope="global" — one flag to enable cross-file dataflow in any rule
  • Source in app.py, sink in db.py — detected automatically

🧠 QueryType Engine

• Type-constrained matching — match cursor.execute() only on actual sqlite3.Cursor instances
• .tracks(N) — filter to specific argument positions
• Typeshed integration — resolve inherited methods and third-party types via CDN

🛡️ 190 Security Rules

• 158 Python + 37 Docker + 10 Docker Compose. Rule Registry

⚡ CI/CD

• GitHub Action with PR summary comments, inline review annotations, and diff-aware scanning.

📜 AGPL-3.0 → Apache-2.0

More permissive license. Added CLA for contributors.

---

Give it a try

  brew install shivasurya/tap/pathfinder
  pathfinder scan --ruleset python/all --project .

What's Changed

• fix(docs): Add supported programming languages section to README by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/545
• chore(go): Apply go fix ./... automated cleanup by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/550
• chore(deps-dev): bump svelte from 4.2.20 to 5.53.0 in /extension/secureflow in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/shivasurya/code-pathfinder/pull/547
• feat(go): Add Go stdlib registry data structures and types (PR-01) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/546
• feat(go): Add Go stdlib extraction tool for registry generation (PR-02) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/548
• feat(go): Add Go stdlib remote registry loader with lazy caching (PR-03) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/549
• feat(go): Add Go stdlib R2 publishing pipeline (PR-04) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/551
• feat(go): Add Go version detection and stdlib loader init (PR-05) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/552
• feat(go): Wire stdlib loader into builder pipeline (PR-06) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/553
• feat(go): Resolve stdlib return types in variable extraction (PR-07) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/554
• feat(go): Close stdlib type inference gap in GetReturnType (PR-07b) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/555
• feat(go): Add stdlib metadata to MCP call graph tool responses (PR-08) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/556
• feat(go): Replace hardcoded stdlib set with GoImportResolver struct (PR-09) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/557
• fix(ci): fix Go stdlib R2 upload workflow (GOROOT capture + build tag conflict) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/559
• chore(deps-dev): bump minimatch from 3.1.2 to 3.1.4 in /extension/secureflow in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/shivasurya/code-pathfinder/pull/558
• feat(mcp): add MCP Registry listing support by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/560

Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v1.3.6...v1.3.7

v1.3.6 - 2026-02-16

🎉 Major Features

Full Go Language Support

<img src="https://cdn.jsdelivr.net/gh/devicons/devicon@latest/icons/go/go-original-wordmark.svg" height=50 width=50 />

Complete implementation of Go static analysis capabilities

• Core Parsing (#520-525): File detection, AST parsing, function/method declarations, type definitions, variables, constants, calls, closures, and control flow statements
• Advanced Analysis (#526-530): Module registry, import resolution, call graph construction, scan/CI pipeline integration, security rules, and MCP server support
• Type Tracking (#536-540): Phase 2 type tracking with return type extraction, variable assignment tracking, and method call resolution via variable types
• Performance (#541-542): Parallel call graph building with progress tracking and background indexing to prevent MCP client timeouts

Docker Analysis Support

<img src="https://cdn.jsdelivr.net/gh/devicons/devicon@latest/icons/docker/docker-original-wordmark.svg" height=50 width=50 />

New MCP tools for Docker security analysis:

• Basic Docker MCP support (#531)
• Semantic Docker query tools (#534)
• Docker dependency graph mapping (#535)

GitHub Actions Security Scanner

<img src="https://cdn.jsdelivr.net/gh/devicons/devicon@latest/icons/githubactions/githubactions-original.svg" height=50 width=50 />

• Automated security scanning workflow with PR summary reports
• Inline code comments for security findings
• Integration with SARIF output for GitHub Advanced Security

🚀 Improvements

Python SAST Enhancements

<img src="https://cdn.jsdelivr.net/gh/devicons/devicon@latest/icons/python/python-original-wordmark.svg" height=50 width=50 />

• Populate ReturnType and MethodArgumentsType for Python functions (#513)
• Add inferred type information to module variables in find_symbol (#514)
• Expose parameter types as standalone symbols (#518)
• Populate inferred return types and detect void functions (#519)

Performance Optimizations

• Parallel call graph building with progress tracking (#541)
• Background indexing to prevent MCP client timeout (#542)

🐛 Bug Fixes

• Python SAST: Fix module variable reassignment contamination and var: placeholder leaking (#515)
• SARIF: Fix SARIF upload failing with empty artifact locations (#517)
• Rules: Make ZIP creation deterministic to prevent checksum mismatches (#532)
• CI: Add Cloudflare cache purging to rules deployment workflow (#533)

📦 Dependencies

• Upgrade Go to 1.26.0 and update dependencies (#516)

📝 Full Changelog

View all 31 pull requests

Contributors: @shivasurya