llms.txt Content
> For complete documentation, see: https://codepathfinder.dev/llms-full.txt
# Code Pathfinder
> Open-source static analysis tool for finding security vulnerabilities in code. Features a Python SDK for writing custom rules, call graph analysis, MCP server integration, and AI-powered security scanning via SecureFlow.
## What is Code Pathfinder?
Code Pathfinder is an open-source SAST (Static Application Security Testing) tool. It identifies vulnerabilities in source code through structural search, call graph analysis, and source-to-sink data flow tracking. It uses tree-sitter for fast AST parsing and provides a Python SDK for writing custom security rules that compile to a high-performance Go executor.
## Installation
Code Pathfinder can be installed via Homebrew, pip, Docker, pre-built binaries, or from source.
Homebrew (macOS/Linux):

```sh
brew install shivasurya/tap/pathfinder
```

pip (Python):

```sh
pip install codepathfinder
```

Docker:

```sh
docker pull shivasurya/code-pathfinder:stable-latest
```
Pre-built binaries are available on GitHub releases. Building from source requires Gradle and GoLang.
## CLI Commands
The main CLI binary is `pathfinder`. Available commands:
- `pathfinder scan` - Scan a project for vulnerabilities with a ruleset
- `pathfinder ci` - Scan in CI mode with ruleset
- `pathfinder serve` - Start MCP server for AI assistant integration
- `pathfinder version` - Print version and commit info
- `pathfinder completion` - Generate shell autocompletion
Common flags:
- `--project <path>` - Project directory to analyze
- `--output <format>` - Output format (json, sarif, csv, text)
- `--output-file <path>` - Write results to file
- `--ruleset <rules>` - Specify rulesets to use (e.g., cpf/java, python/deserialization)
- `--disable-metrics` - Disable anonymous metrics collection
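One way to wire the flags above into a CI gate, as an added example that is not Code Pathfinder's own code: it runs `pathfinder scan` with SARIF output and fails the build when any result is reported at SARIF level `error`. It assumes the `pathfinder` binary is on PATH and that the SARIF results carry a standard `level` field; the rule ids in the embedded sample are constructed, not real rulesets.

```python
"""CI gate around `pathfinder scan` (added example, not part of Code Pathfinder)."""
import json
import subprocess
from collections import Counter
from pathlib import Path


def scan_command(project: str, ruleset: str, output_file: str) -> list[str]:
    """Build the CLI invocation from the flags documented on this page."""
    return ["pathfinder", "scan", "--project", project, "--ruleset", ruleset,
            "--output", "sarif", "--output-file", output_file, "--disable-metrics"]


def summarize_sarif(sarif_text: str) -> Counter:
    """Count results per SARIF level ("error"/"warning"/"note") across all runs.
    Assumption: a result with no explicit level is treated as "warning"."""
    doc = json.loads(sarif_text)
    counts: Counter = Counter()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return counts


def should_fail(counts: Counter, fail_on=("error",)) -> bool:
    """Gate policy: fail the pipeline if any result sits at a blocking level."""
    return any(counts[level] > 0 for level in fail_on)


def run_gate(project: str, ruleset: str = "cpf/java", out: str = "pathfinder.sarif") -> int:
    """Run the scan, summarize the SARIF file it wrote, return a process exit code."""
    subprocess.run(scan_command(project, ruleset, out), check=True)
    counts = summarize_sarif(Path(out).read_text())
    print({level: n for level, n in counts.items()})
    return 1 if should_fail(counts) else 0


# Constructed sample SARIF for offline use; not real pathfinder output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "pathfinder"}},
              "results": [
                  {"ruleId": "sample/sql-injection", "level": "error", "message": {"text": "sink"}},
                  {"ruleId": "sample/weak-hash", "level": "warning", "message": {"text": "md5"}},
                  {"ruleId": "sample/weak-hash", "level": "warning", "message": {"text": "sha1"}},
              ]}],
})

if __name__ == "__main__":
    import sys
    sys.exit(run_gate(sys.argv[1]) if len(sys.argv) > 1 else 0)
```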
## Python SDK for Security Rules
Write security detection rules in Python that compile to a JSON IR and execute on the Go engine:
```python
from codepathfinder import rule, calls
@rule(id="da
```