
Pathfinder Labs

We watch code so you don't have to.

Most code is not your code. A request handler calls a framework, the framework calls the stdlib, the stdlib calls into the OS. By the time a value reaches a vulnerable sink, it has crossed two or three boundaries that other scanners treat as black boxes. At each one they lose sight of the value, and the taint chain silently drops out of the analysis.

Pathfinder doesn't. We model user-land code, third-party libraries, and system-library behavior as one connected graph and follow the dataflow through all three. The same engine that traces request.params -> exec inside your service knows how a popular ORM's query() returns tainted strings, how os.path.join propagates them, and where the chain finally hits something that runs them.

The rule language is a real SDK. You write models, sources, sanitizers, and sinks in Python or Go, plug them into the engine, and they compose with everything else in the registry.
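To make the cross-boundary idea concrete, here is a small added illustration, not code from the Pathfinder project or its SDK: a toy taint tracker that walks a constructed straight-line program against a hand-written registry of models. The registry entries for request.params.get, orm.query, os.path.join, shlex.quote and subprocess.run are hypothetical models written for this example, as is the program itself. Running it once with the full registry and once with the os.path.join model removed shows the difference between a connected graph and a scanner that treats the stdlib as a black box: the same source and sink are present in both runs, but only the first reports the chain.

```python
"""Minimal cross-boundary taint tracker (added illustration, not the
code-pathfinder SDK). It walks a constructed straight-line IR against a
hypothetical model registry to show why taint must be followed through
library and stdlib calls instead of treating them as black boxes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Model:
    kind: str                  # "source" | "propagate" | "sanitize" | "sink"
    passthrough: tuple = ()    # "propagate": argument positions that reach the return value


# Hypothetical models, written by hand to keep the example self-contained.
REGISTRY = {
    "request.params.get": Model("source"),                # attacker-controlled input
    "orm.query":          Model("source"),                # stored rows may hold attacker data
    "os.path.join":       Model("propagate", (0, 1, 2)),  # any tainted component taints the result
    "shlex.quote":        Model("sanitize"),              # output is safe to hand to a shell
    "subprocess.run":     Model("sink"),                  # command execution
    "exec":               Model("sink"),                  # code execution
}

# Constructed program: each statement is (dst, callee, args). Args that name a
# variable carry that variable's taint; anything else is a literal, never tainted.
PROGRAM = [
    ("name", "request.params.get", ["'file'"]),                 # user-land source
    ("base", "settings.get",       ["'UPLOAD_DIR'"]),           # unmodelled, but no taint flows in
    ("path", "os.path.join",       ["base", "name"]),           # stdlib boundary
    ("out",  "subprocess.run",     ["path"]),                   # sink reached across three layers
    ("row",  "orm.query",          ["'SELECT cmd FROM jobs'"]), # third-party boundary
    ("safe", "shlex.quote",        ["row"]),                    # sanitizer breaks this chain
    ("out2", "subprocess.run",     ["safe"]),                   # no finding expected here
]


def analyze(program, registry):
    """Return (findings, dropped).

    findings: one trace (list of steps) per tainted value that reaches a sink.
    dropped:  callees where tainted data entered an unmodelled call and the
              chain was lost, i.e. the blind spot of a black-box scanner.
    """
    taint = {}                 # variable -> trace explaining why it is tainted
    findings, dropped = [], []
    for dst, callee, args in program:
        tainted_args = [(i, a) for i, a in enumerate(args) if a in taint]
        model = registry.get(callee)
        taint.pop(dst, None)   # reassignment clears whatever dst held before
        if model is None:
            if tainted_args:
                dropped.append(callee)   # taint hits a black box and is silently lost
            continue
        if model.kind == "source":
            taint[dst] = [f"{dst} = {callee}(...)  [source]"]
        elif model.kind == "propagate":
            flows = [(i, a) for i, a in tainted_args if i in model.passthrough]
            if flows:
                i, a = flows[0]
                taint[dst] = taint[a] + [f"{dst} = {callee}(arg {i}={a})  [propagates]"]
        elif model.kind == "sanitize":
            pass                         # result is clean; taint on dst already cleared
        elif model.kind == "sink":
            for i, a in tainted_args:
                findings.append(taint[a] + [f"{callee}(arg {i}={a})  [sink]"])
    return findings, dropped


def without(registry, *names):
    """Copy of registry with the named models removed: a scanner blind to them."""
    return {k: v for k, v in registry.items() if k not in names}


if __name__ == "__main__":
    findings, dropped = analyze(PROGRAM, REGISTRY)
    for trace in findings:
        print("FINDING:\n  " + "\n  ".join(trace))
    blind, lost = analyze(PROGRAM, without(REGISTRY, "os.path.join"))
    print(f"\nwithout an os.path.join model: {len(blind)} findings, chain dropped at {lost}")
```

The trace attached to each finding is the part a reviewer actually wants: it names the source, every propagating call the value passed through, and the sink, so the report can be checked by hand. Note that the sanitized chain through orm.query and shlex.quote produces no finding in either run, while the unmodelled settings.get call is harmless only because nothing tainted flows into it.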

The engine and the rule library are open source: shivasurya/code-pathfinder.

codepathfinder.dev · Docs · Rule registry · SDK · Blog

Repositories (1 public): .github
