Trace vulnerabilities
across your entire codebase.

Open source. Finds the bugs grep can't catch.

Shivasurya · @sshivasurya

Building · prev. Security @ Dropbox & Sourcegraph

DEVTOOLS TORONTO #7 · TORONTO TECH WEEK 2026

01 / 07

The idea

Code is queryable.

Write a question as a rule. Get a precise answer in seconds.

Python SDK reference: codepathfinder.dev/sdk

A question (rules/flask_sqli.py):

# Rule written against the Code Pathfinder Python SDK (codepathfinder.dev/sdk).
# The slide does not show the SDK import line, so it is omitted here.
@python_rule(id="PYTHON-FLASK-SEC-001", severity="CRITICAL")
def flask_sqli():
    # Source: anything read from the Flask request via request.args.get(...)
    # Sink: cursor.execute(...), with tracks(0) pinning the taint to argument 0
    # Sanitizer: any call to escape(); scope="global" follows the flow across files
    return flows(
        from_sources=[FlaskRequest.method("args.get")],
        to_sinks=[DBCursor.method("execute").tracks(0)],
        sanitized_by=[calls("escape")],
        scope="global",
    )
The answer (pathfinder scan output):

[CRIT] PYTHON-FLASK-SEC-001
       cross-file taint  ·  0.9s

  app/views.py:12   request.args.get("name")
  helpers.py:8      lookup_user(name)
  helpers.py:14     fetch_user(name)
  db.py:6           cursor.execute(query)

# 1 finding · 3 files · global taint

211 rules live in the registry today. Bring your own — or run ours on every PR.
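To make the "question as a rule" idea concrete, here is an added toy illustration (not Code Pathfinder's engine or SDK, and not the project's own code): a small interprocedural taint search over a hand-built dataflow graph shaped like the scan output above. The node labels, files and line numbers are constructed to mirror the slide; a finding is any source-to-sink path that never passes through a sanitizer node, which is the shape of the flows(...) rule above.

```python
from collections import deque

# Constructed dataflow graph mirroring the three-file chain in the scan output.
# A node is (file, line, expression); an edge means "the value at the key node
# flows into each listed node".
EDGES = {
    ("app/views.py", 12, 'request.args.get("name")'): [("helpers.py", 8, "lookup_user(name)")],
    ("helpers.py", 8, "lookup_user(name)"):           [("helpers.py", 14, "fetch_user(name)")],
    ("helpers.py", 14, "fetch_user(name)"):           [("db.py", 6, "cursor.execute(query)")],
}
SOURCES = {("app/views.py", 12, 'request.args.get("name")')}
SINKS = {("db.py", 6, "cursor.execute(query)")}

# Same graph with an escape() call spliced in between lookup_user and fetch_user
# (constructed, to show what sanitized_by does to the result).
SANITIZERS = {("helpers.py", 9, "escape(name)")}
SANITIZED_EDGES = {
    **EDGES,
    ("helpers.py", 8, "lookup_user(name)"): [("helpers.py", 9, "escape(name)")],
    ("helpers.py", 9, "escape(name)"):      [("helpers.py", 14, "fetch_user(name)")],
}


def flows(edges, sources, sinks, sanitizers=frozenset()):
    """Return every source->sink path that never touches a sanitizer node.

    Breadth-first from each source; sources are visited in sorted order and
    successors in list order, so the result is identical on every run.
    """
    findings = []
    for src in sorted(sources):
        seen = {src}
        queue = deque([[src]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if node in sinks:
                findings.append(path)      # reaching a sink ends the path: report it
                continue
            for nxt in edges.get(node, []):
                if nxt in sanitizers or nxt in seen:
                    continue               # sanitizer kills the taint; seen avoids cycles
                seen.add(nxt)
                queue.append(path + [nxt])
    return findings


def format_finding(path):
    """Render one path in the file:line  expression layout used by the scan output."""
    return "\n".join(f"  {f}:{ln:<5} {expr}" for f, ln, expr in path)


if __name__ == "__main__":
    for p in flows(EDGES, SOURCES, SINKS):
        print(format_finding(p))
    # With escape() on the path the same query reports nothing.
    print(flows(SANITIZED_EDGES, SOURCES, SINKS, SANITIZERS))
```

The point of the second graph is the one a reviewer cares about: the rule only stays quiet when the sanitizer sits on the actual path from source to sink, so an escape() call on an unrelated branch would not suppress the finding.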

02 / 07

The reality

You can't build CI on a coin flip.

Ask Claude or Cursor to trace a multi-hop call chain. Sometimes it nails it. Sometimes it misses a one-liner. Same prompt, different runs, different answers. Fine for exploration — not OK for a security gate.

Agent traces it itself (same prompt, two runs): NON-DETERMINISTIC

# Run 1 — "who calls validate_user?"
12 callers, all real:
   app/api.py:82  login_endpoint
   app/api.py:145 register_endpoint
   ... 10 more, nails it

# Run 2 — same prompt, 5 min later
10 callers:
   app/api.py:82
   app/api.py:145 # missed
   ... 8 more, 2 silently dropped

⚠ Different answer each run  ⚠ Can't gate CI

Agent calls Pathfinder MCP (every run): DETERMINISTIC

# pathfinder.get_callers("validate_user")
12 callers, exact file:line
   app/api.py:82  login_endpoint
   app/api.py:145 register_endpoint
   app/middleware.py:34
   app/cli.py:18  login_command
   ... 8 more, identical every run

✓ Same answer, every time  ✓ < 100ms  ✓ CI-safe
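What makes a caller query CI-safe is that it is computed from the parsed program, not sampled from a model. The following added example (not Pathfinder's MCP server or its get_callers) shows the shape of such a query over a constructed in-memory repo using Python's standard ast module: the same input yields the same sorted list of exact file:line hits on every run. It matches calls by simple name only and does not resolve imports or aliases, which a real engine would.

```python
import ast

# Constructed in-memory "repo"; file names and contents are made up for the demo.
FILES = {
    "app/api.py": (
        "def login_endpoint(req):\n"
        "    return validate_user(req)\n"
        "\n"
        "def register_endpoint(req):\n"
        "    user = validate_user(req)\n"
        "    return user\n"
    ),
    "app/cli.py": (
        "def login_command(args):\n"
        "    return validate_user(args)\n"
    ),
    "app/unrelated.py": (
        "def ping():\n"
        "    return 'pong'\n"
    ),
}


class _CallFinder(ast.NodeVisitor):
    """Collect (line, enclosing function) for every call to `target` in one file."""

    def __init__(self, target):
        self.target = target
        self.stack = []   # names of the functions we are currently inside
        self.hits = []    # (line, enclosing function name or "<module>")

    def visit_FunctionDef(self, node):
        self.stack.append(node.name)
        self.generic_visit(node)
        self.stack.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        fn = node.func
        # plain name (validate_user(...)) or attribute (obj.validate_user(...))
        name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
        if name == self.target:
            self.hits.append((node.lineno, self.stack[-1] if self.stack else "<module>"))
        self.generic_visit(node)


def get_callers(files, target):
    """Return a sorted list of (file, line, enclosing_function) for every call to `target`."""
    callers = []
    for path in sorted(files):   # sorted: output order never depends on dict order
        finder = _CallFinder(target)
        finder.visit(ast.parse(files[path], filename=path))
        callers.extend((path, line, func) for line, func in finder.hits)
    return sorted(callers)


if __name__ == "__main__":
    first = get_callers(FILES, "validate_user")
    assert first == get_callers(FILES, "validate_user")   # identical on every run
    for path, line, func in first:
        print(f"  {path}:{line:<4} {func}")
```

Because the result is a plain sorted list, a CI gate can diff it against a committed baseline and fail the build only when a caller appears or disappears, something that cannot be done reliably with an answer that changes between runs.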
03 / 07

Two capabilities

One engine. Two ways to find bugs.

Finding new vulnerabilities

Trace dataflow through code you've never seen. Discover bugs nobody has reported yet.

Rule targets: Go · Python · C · C++ · Docker

Variant analysis at scale

Encode a known bug as a rule. Scan thousands of repos. Find every place the same pattern survives.

One engine. Both capabilities. Apache-2.0.
04 / 07

Proof

It finds real bugs in real code.

Severity  Advisory                                   Project
CRIT      grpc authz bypass · C/C++ variant          grpc/grpc
HIGH      Knowledge Bases API path traversal         langflow-ai/langflow
HIGH      File component tar bypass                  langflow-ai/langflow
HIGH      Arbitrary file write                       apache/superset

More findings in active research; disclosures rolling out monthly.
PROVEN security findings on real, named codebases
05 / 07

LIVE TODAY FOR TEAMS

Three ways in.

The same engine. The Langflow rule you just saw runs on your code in any of these.

Cloud

Sign in, connect your org, scan in 2 minutes.

Hosted online · sandboxed every run · nothing to install.

dashboard.codepathfinder.dev
Run it yourself
pip install codepathfinder

CLI, engine, MCP server — all Apache-2.0.

Private infra?
oss@shivasurya.me

Self-hosted runners in your network. Code stays put.

Scans: Go · Python · C · C++ · Docker config
06 / 07


Thanks.

Questions?

dashboard.codepathfinder.dev
codepathfinder.dev · @sshivasurya


07 / 07