CodePathFinder

CodePathFinder — AI-native static code analysis for security teams. AST-based call graphs and structural search with MCP server mode for AI coding assistants. 111 stars, Go, AGPL-3.0.

Key takeaways

  • AI-native static code analysis — AST-based call graphs, structural search, and vulnerability detection with MCP server mode for AI coding assistants
  • Three modes: scan (security analysis with custom rules), serve (MCP server for Claude Code/Cline), and ci (GitHub Actions/CI pipelines)
  • Security-focused differentiator in the code intelligence space — finds vulnerabilities, not just dependencies
  • 111 stars, Go, AGPL-3.0. The security-oriented alternative in the code intelligence category

FAQ

What is CodePathFinder?

An AI-native static code analysis tool for security teams. Uses AST-based call graphs for vulnerability detection and structural search. Runs as a CLI scanner, MCP server for AI assistants, or in CI/CD pipelines.

How does it differ from GitNexus?

GitNexus focuses on developer productivity (blast radius, refactoring). CodePathFinder focuses on security (vulnerability detection, custom rules, CI integration). Different use cases.

Overview

CodePathFinder is an AI-native static code analysis tool built for security teams. It uses AST-based indexing to build call graphs, then enables structural search and vulnerability detection. The MCP server mode lets AI coding assistants (Claude Code, Cline) access security-aware code analysis.

Three operational modes: scan for security analysis with custom rules, serve as an MCP server for AI assistants, and ci for GitHub Actions and CI/CD pipelines.

Key stats: 111 stars, Go, AGPL-3.0. Created November 2023.


Competitive Position

Strengths: Security-focused (unique in category). Go implementation (fast). CI/CD integration. MCP server mode.

Weaknesses: Small community. AGPL license limits commercial use. Narrower scope than general code intelligence tools.


Research by Ry Walker Research