
CodePathFinder

CodePathFinder — open-source cross-file SAST with inter-file taint analysis, AST call graphs, and an MCP server for AI coding assistants. 137 stars, Go, Apache-2.0 (relicensed from AGPL). v2.1.x adds Go scanning and PR comments.

Key takeaways

  • Open-source cross-file SAST — inter-file taint analysis, AST-based call graphs, and structural search, with an MCP server mode for AI coding assistants (Claude Code, Cursor, Cline)
  • Relicensed from AGPL-3.0 to Apache-2.0 — removes the commercial-use objection that previously limited adoption
  • v2.1.x (April 2026) added Go language scanning with 21 security rules and 6.6x faster scans; rule registry now totals 211 rules covering OWASP Top 10 and CVEs
  • SecureFlow AI layer (13+ LLMs) triages findings to cut false positives; GitHub Action posts PR summary comments and inline SARIF findings
  • 137 stars, Go, actively developed (pushed June 2026). Still the security-oriented alternative in the code intelligence category, but community remains small

FAQ

What is CodePathFinder?

An open-source static application security testing (SAST) tool that builds AST-based call graphs and runs inter-file taint analysis to find source-to-sink vulnerabilities across file boundaries. Runs as a CLI scanner, an MCP server for AI assistants, or in CI/CD pipelines with SARIF export and PR comments.

What languages does it support?

Go (added in v2.1.0 with 21 security rules), Python, Docker, and Docker Compose, with C/C++ listed as coming soon. The rule registry totals 211 rules covering OWASP Top 10, CVEs, and framework-specific issues.

Is it free for commercial use?

Yes. The project relicensed from AGPL-3.0 to Apache-2.0, and no paid tier is advertised — it positions itself as a free, open-source alternative to commercial SAST.

How does it differ from GitNexus?

GitNexus focuses on developer productivity (blast radius, refactoring). CodePathFinder focuses on security (taint analysis, vulnerability rules, CI integration). Different use cases.

Overview

CodePathFinder is an open-source cross-file SAST tool written in Go. It parses source code into ASTs, constructs call graphs across files, and runs inter-file taint analysis to find source-to-sink vulnerabilities that span function and file boundaries — positioning itself as type-aware scanning that minimizes false positives.
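The pipeline this paragraph (and the FAQ answer above) describes, parsing files into ASTs, indexing functions across file boundaries, and propagating taint from a source to a sink along call-graph edges, can be shown end to end in a few dozen lines. The scanner below is an added example and not CodePathFinder's code; it is written in Python, one of the languages the tool scans, because the standard ast module keeps it short, and a Go version over go/ast would follow the same steps. The two sample files, the SOURCES and SINKS vocabulary, the flow-insensitive assignment propagation and the depth bound are this example's own assumptions, not the project's rule format.

```python
"""Toy cross-file taint analysis over Python source (added example, not CodePathFinder's code)."""
import ast

# Constructed sample package: the request value is read in handler.py but only reaches a
# command-execution sink in util.py, so a scanner that stops at file boundaries misses it.
SAMPLE_FILES = {
    "handler.py": """
from flask import request
from util import greet, run

def handle():
    name = request.args.get("name")  # source: attacker-controlled query parameter
    greet(name)                      # harmless helper in util.py
    run(name)                        # tainted value crosses the file boundary
""",
    "util.py": """
import subprocess

def greet(s):
    print("hello", s)

def run(cmd):
    subprocess.run(cmd, shell=True)  # sink
""",
}

# Source/sink vocabulary is this example's own assumption, not CodePathFinder's rule format.
SOURCES = {"request.args.get"}
SINKS = {"subprocess.run"}
MAX_DEPTH = 8  # bounds the inter-procedural walk so recursive code cannot loop it


def dotted(node):
    """Render a call target (run, subprocess.run, request.args.get) as a dotted name."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else ""
    return ""


def index_functions(files):
    """Parse every file and index top-level functions by name: the cross-file step that
    lets a call in one file resolve to a body defined in another."""
    funcs = {}
    for fname, code in files.items():
        for node in ast.parse(code, fname).body:
            if isinstance(node, ast.FunctionDef):
                funcs[node.name] = node
    return funcs


def is_tainted(expr, tainted):
    """True if the expression reads a tainted variable or calls a source."""
    return any(
        (isinstance(n, ast.Name) and n.id in tainted)
        or (isinstance(n, ast.Call) and dotted(n.func) in SOURCES)
        for n in ast.walk(expr)
    )


def analyze(funcs, fn, tainted, path):
    """Walk one function. Plain assignments propagate taint (flow-insensitively, to a
    fixpoint), tainted positional arguments follow call-graph edges into package-local
    callees, and a tainted argument to a sink yields an "entry -> ... -> sink" path."""
    assigns = [n for n in ast.walk(fn) if isinstance(n, ast.Assign)]
    changed = True
    while changed:  # fixpoint: a variable assigned from a tainted one is tainted too
        changed = False
        for a in assigns:
            if is_tainted(a.value, tainted):
                names = {t.id for t in a.targets if isinstance(t, ast.Name)}
                changed |= not names <= tainted
                tainted |= names
    findings = []
    for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
        name = dotted(call.func)
        hot = [i for i, arg in enumerate(call.args) if is_tainted(arg, tainted)]
        if not hot:
            continue
        if name in SINKS:
            findings.append(" -> ".join(path + [name]))
        elif name in funcs and len(path) < MAX_DEPTH:
            params = [p.arg for p in funcs[name].args.args]
            callee_tainted = {params[i] for i in hot if i < len(params)}
            findings += analyze(funcs, funcs[name], callee_tainted, path + [name])
    return findings


def scan(files):
    """Treat every top-level function as an entry point and return all paths, sorted."""
    funcs = index_functions(files)
    findings = []
    for name, fn in funcs.items():
        findings += analyze(funcs, fn, set(), [name])
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print("tainted path:", finding)
```

Running it reports a single path, handle -> run -> subprocess.run, which a per-file scan of util.py alone could not produce because run's parameter only becomes tainted through the call in handler.py; the greet call is followed too but yields nothing, which is the false-positive case a call-graph-aware scanner avoids. A real scanner adds what this toy omits: type resolution of receivers, keyword arguments, sanitizer functions that clear taint, and flow-sensitive ordering of statements.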

Three operational modes: scan, which runs security analysis with custom rules; serve, which exposes call graphs and data flows to Claude Code, Cursor, and Cline as an MCP server; and ci, which runs in GitHub Actions pipelines with SARIF export, automated PR summary comments, and inline findings.

Key stats (as of June 2026): 137 stars, Go, Apache-2.0. Created November 2023, actively developed — last push June 3, 2026; latest release v2.1.1 (April 25, 2026).


What Changed Since March 2026

  • License: AGPL-3.0 → Apache-2.0. The repo now carries an Apache-2.0 license, removing the commercial-use friction we previously flagged as a weakness.
  • v2.1.0/v2.1.1 (April 2026): Go language scanning landed with 21 security rules and a claimed 6.6x scan speedup; the site advertises a 10s median CI scan time.
  • Rule registry at 211 rules covering OWASP Top 10, CVEs, and framework-specific vulnerabilities, across Go, Python, Docker, and Docker Compose (C/C++ "coming soon").
  • SecureFlow AI: an LLM triage layer supporting 13+ models (Claude, GPT, Gemini, Grok) that uses codebase context to suppress false positives — the site claims 98% fewer false positives.
  • GitHub PR integration: the GitHub Action now posts security scan results as PR summary comments and inline review annotations.

Pricing

Free and open source. No paid tier, cloud account, or API key is required for the core scanner; no pricing page exists on the site as of June 2026. SecureFlow's LLM-backed triage uses model APIs you configure.


Competitive Position

Strengths: Security-focused (still unique in the code intelligence category). Apache-2.0 license. Fast Go implementation with sub-minute CI scans. MCP server mode for AI assistants. PR-native findings with SARIF.

Weaknesses: Small community (137 stars, single primary maintainer). Narrow language coverage (Go, Python, Docker) versus established SAST like Semgrep or CodeQL. Marketing claims (98% fewer false positives, 6.6x faster) are self-reported and unverified by third parties.

Cautions

  • Single-maintainer project — development is dominated by one author (shivasurya); bus factor risk for security tooling you depend on in CI.
  • Self-reported benchmarks — the false-positive and speed claims come from the project's own site, with no independent evaluation we could find.
  • Limited language support — no JavaScript/TypeScript or Java scanning yet, which excludes most web application codebases.

What Developers Say

No substantive third-party developer commentary found — searches of Hacker News, Reddit, and the project's GitHub Discussions as of June 2026 surfaced no attributable user reviews or testimonials. Community validation remains the open question for this tool.


Bottom Line

Recommended (with reservations) for security-minded Go/Python teams who want a free, fast, CI-native SAST with MCP integration for AI coding agents — the Apache-2.0 relicense and v2.1 release cadence show real momentum. Not recommended as a primary SAST for polyglot codebases until JavaScript/TypeScript and Java support land, or for teams needing vendor support.

Outlook: Active and improving. The license change plus AI-triage angle (SecureFlow, MCP) give it a credible wedge against heavyweight SAST incumbents, but at 137 stars it must convert AI-assistant users into a real community to survive.


Research by Ry Walker Research