Changelog
Track the evolution of Code Pathfinder with detailed release notes and updates.
v2.1.0
First-class support for GoLang
The v2.1.0 release adds Go language data flow analysis, 21+ rules, and new SDK docs.
Read more in the blog post: Code Pathfinder now speaks Go
What's Changed
A batch of Go language support PRs, rulesets, and docs was merged. The full list follows.
- feat: add Go statement extractor for dataflow analysis by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/630
- feat: add GenerateGoTaintSummaries + MergeCallGraphs dataflow merge by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/631
- feat: add Go CFG builder + language dispatcher by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/632
- feat: Approach C - stdlib method resolution + type inference fields by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/633
- feat: type enrichment - resolve variable names to type FQNs by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/634
- feat: TypeConstrainedAttribute for Statements + DataflowIR.Language by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/635
- feat: Python SDK - @go_rule decorator + Go QueryType classes by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/636
- feat: fix parameter resolution + statement scanning in call executor by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/637
- feat: add built-in taint transparent function summaries by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/638
- feat: struct embedding resolution + CallSite.Arguments population by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/639
- feat: closure flattening + type assertion taint propagation by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/640
- feat(go): third-party type resolution from vendor/GOMODCACHE by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/641
- feat(go): eager scope creation + parameter-aware RHS inference by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/642
- feat(go): package-level var Source 3 + StdlibLoader embed resolution by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/643
- feat: Go third-party QueryType classes + GORM SQLi & Gin SSRF rules by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/644
- feat: Go resolution statistics in resolution-report command by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/645
- feat: GoThirdPartyRegistryRemote CDN loader with manifest-first lazy loading by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/646
- feat: CDN registry generator for Go third-party packages by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/647
- feat: GoThirdPartyCombinedLoader - CDN-first + local fallback routing by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/648
- feat(cache): delta-based incremental SQLite analysis cache for Go by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/649
- feat: updatecheck foundation package (PR-01 of 5) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/651
- feat: CLI integration for version update check by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/652
- feat: MCP server integration for version update check (PR-03) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/653
- feat: analytics reach measurement for update notices (PR-04) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/654
- feat: release/latest.json manifest and publish workflow by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/655
- fix: correct R2 bucket name and install AWS CLI in publish-manifest by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/656
- feat(rules/golang): add 22 Go security rules with verified metadata and L1 precision by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/657
- refactor(sdk): move go/container decorators to codepathfinder package + rename Python DSL → SDK by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/658
- chore: bump version to 2.1.0 across all components by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/659
- feat(python-sdk): SDK metadata + CDN-indexed stubs for Go and Python classes by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/661
Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v2.0.2...v2.1.0
v2.0.2
What's Changed
- feat: subscript taint propagation for dataflow analysis (GAP-012) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/622
- feat: deep call chain resolution for VDG taint analysis (GAP-004) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/623
- refactor: remove dead hasAccess field and O(n²) post-processing loop by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/624
- feat: add Dockerfile.mcp for Docker MCP Catalog listing by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/625
- fix: enable analytics by default in Dockerfile.mcp by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/626
- chore: bump version to 2.0.2 across all components by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/627
- fix: resolve 6 GHAS dependency vulnerabilities in secureflow extension by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/628
Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v2.0.1...v2.0.2
v2.0.1
What's Changed
- fix: resolve module-level classmethod aliases in stdlib type inference by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/616
- feat: deep attribute chain resolution (3+ levels) for self.attr patterns by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/617
- feat: resolve stdlib call: attribute placeholders via CDN registry by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/618
- feat: attribute access as taint source for dataflow analysis (GAP-006) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/620
Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v2.0.0...v2.0.1
v2.0.0
v2.0.0: Cross-File Dataflow Analysis
Code Pathfinder v2.0.0 is here. Cross-file taint analysis with custom rules written in Python. Define sources, sinks, and sanitizers; the engine traces data flows across files and function boundaries automatically. The biggest engine upgrade since the project started.
Full announcement blog post
Cross-File Taint Analysis
- Variable Dependency Graph (VDG) with inter-procedural taint transfer summaries
- scope="global": one flag to enable cross-file dataflow in any rule
- Source in app.py, sink in db.py: detected automatically
QueryType Engine
- Type-constrained matching: match cursor.execute() only on actual sqlite3.Cursor instances
- .tracks(N): filter to specific argument positions
- Typeshed integration: resolve inherited methods and third-party types via CDN
190 Security Rules
- 158 Python + 37 Docker + 10 Docker Compose. Rule Registry
CI/CD
- GitHub Action with PR summary comments, inline review annotations, and diff-aware scanning.
AGPL-3.0 → Apache-2.0
More permissive license. Added CLA for contributors.
Give it a try
brew install shivasurya/tap/pathfinder
pathfinder scan --ruleset python/all --project .
v1.3.7
What's Changed
- fix(docs): Add supported programming languages section to README by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/545
- chore(go): Apply go fix ./... automated cleanup by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/550
- chore(deps-dev): bump svelte from 4.2.20 to 5.53.0 in /extension/secureflow in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/shivasurya/code-pathfinder/pull/547
- feat(go): Add Go stdlib registry data structures and types (PR-01) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/546
- feat(go): Add Go stdlib extraction tool for registry generation (PR-02) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/548
- feat(go): Add Go stdlib remote registry loader with lazy caching (PR-03) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/549
- feat(go): Add Go stdlib R2 publishing pipeline (PR-04) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/551
- feat(go): Add Go version detection and stdlib loader init (PR-05) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/552
- feat(go): Wire stdlib loader into builder pipeline (PR-06) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/553
- feat(go): Resolve stdlib return types in variable extraction (PR-07) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/554
- feat(go): Close stdlib type inference gap in GetReturnType (PR-07b) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/555
- feat(go): Add stdlib metadata to MCP call graph tool responses (PR-08) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/556
- feat(go): Replace hardcoded stdlib set with GoImportResolver struct (PR-09) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/557
- fix(ci): fix Go stdlib R2 upload workflow (GOROOT capture + build tag conflict) by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/559
- chore(deps-dev): bump minimatch from 3.1.2 to 3.1.4 in /extension/secureflow in the npm_and_yarn group across 1 directory by @dependabot[bot] in https://github.com/shivasurya/code-pathfinder/pull/558
- feat(mcp): add MCP Registry listing support by @shivasurya in https://github.com/shivasurya/code-pathfinder/pull/560
Full Changelog: https://github.com/shivasurya/code-pathfinder/compare/v1.3.6...v1.3.7