Cross-file dataflow analysis. Type-aware. Open source SAST that cuts through the noise and finds real vulnerabilities.
Choose your preferred installation method
brew install shivasurya/tap/pathfindermacOS & Linux • v2.0.0
Get findings you feel confident bringing to developers across SAST, SCA, and Secrets scanning. Filter out the false positives that traditional tools always flag with contextual, AI-powered noise filtering.
Read our guide on reducing false positivesAutomatically hide likely false positives from developers. Present findings and fixes to developers in their native workflows with structural search, call graphs, and source-to-sink tracing.
Explore security rules and code graph analysisSee findings in your editor, pull requests, and CI pipelines with a single configuration. Export SARIF and DefectDojo reports with severity mapping for smooth triage and tracking.
View GitHub Actions integration →New: PR summary comments & inline security findings →Lightning-fast scans with AI precision that actually catches vulnerabilities.
Protect your code with an ever-growing set of security rules covering OWASP Top 10, CVEs, and framework-specific vulnerabilities.
Exposing port below 1024 typically requires root privileges to bind. Consider using non-privileged ports (>1024) with port mapping or granting CAP_NET_BIND_SERVICE capability.
Service is running in privileged mode. This grants container equivalent of root capabilities on the host machine. Can lead to container escapes and privilege escalation.
Lambda event data is used in SQL string construction via f-strings or concatenation before being passed to a database execute call, enabling SQL injection.
WORKDIR should use absolute paths starting with /.
Service has label:disable in security_opt, which disables SELinux mandatory access control. This removes an important defense-in-depth layer for container isolation.
os.spawn*() spawns a new process and can execute arbitrary programs when the executable path or arguments are derived from untrusted input.
Query your codebase with natural language through Claude Code, Codex, OpenCode, or Windsurf. Get instant answers about function calls, dependencies, and code structure without leaving your editor.
Focus on real vulnerabilities with AI-powered precision that cuts through the noise of traditional security scanners.