Code Pathfinder is an open-source SAST and code analysis suite. Its main selling points are cross-file data-flow analysis, type-aware scanning, and code graph tracing. The examples on the site show it tracing a Flask route parameter all the way to a SQL sink in another file, helping detect real vulnerabilities such as SQL injection. It also provides a rule registry, a Python SDK for custom rules, and an MCP Server for AI assistants.
In terms of protection coverage, it supports static application security testing, Docker/Docker Compose configuration security checks, and claims to provide AI-based noise filtering across SAST, SCA, and secrets scanning. Its rule library mentions 190+ rules covering scenarios such as OWASP Top 10, CVEs, Flask, Django, Spring, and Docker. The homepage also highlights Go v2.1.0 support, 21 Go security rules, and faster scanning. For management and alerts, it supports a security dashboard, severity levels, trends, SARIF/JSON/CSV/DefectDojo outputs, GitHub Security uploads, PR summary comments, and inline annotations for high and critical issues.
Deployment is flexible: it can be installed via Homebrew, pip, Chocolatey, Docker, prebuilt binaries, or built from source. CI/CD integrations cover GitHub Actions, GitLab CI, Azure DevOps, Bitbucket, Jenkins, CircleCI, Buildkite, and TeamCity, with a fail-on option that can act as a security gate. Pricing information indicates that it is free and open source under the Apache-2.0 License; no commercial edition, SLA, or enterprise subscription pricing was found.
Its strengths are that it is easy to get started with, open source, and CI-friendly. Cross-file taint tracking and in-PR feedback can also reduce context-switching costs for developers. Custom rules and the rule registry are useful for teams that want to codify internal standards. Limitations include the lack of disclosed information around compliance certifications, enterprise-grade permissions, centralized governance, SLA, data privacy, and how AI models process data. The project text also notes that it is still at an early stage, so stability and language coverage need to be validated before large-scale production adoption.
It is suitable for development, DevSecOps, and open-source project teams that want to introduce SAST into the PR/CI stage at relatively low cost, especially for Python, Go, and Docker/Docker Compose scenarios. There is no evidence in the text regarding access from China, so its status is rated as unknown; payment methods are also not disclosed. If mature commercial support or local procurement is required, alternatives to compare include Semgrep, CodeQL, SonarQube, Snyk Code, Checkmarx, Fortify, or domestic code security scanning platforms.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site, codepathfinder.dev.
codepathfinder.dev is listed as an Unknown Security (Open Source SAST) provider. TG4G tracks its product information, an overall rating of 8.0/10, and a China-accessibility score of "China direct-connect friendly".