# Code Pathfinder — Full Documentation > This is the expanded version of llms.txt. For a summary, see: https://codepathfinder.dev/llms.txt --- > For complete documentation, see: https://codepathfinder.dev/llms-full.txt # Code Pathfinder > Open-source static analysis tool for finding security vulnerabilities in code. Features a Python SDK for writing custom rules, call graph analysis, MCP server integration, and AI-powered security scanning via SecureFlow. ## What is Code Pathfinder? Code Pathfinder is an open-source SAST (Static Application Security Testing) tool. It identifies vulnerabilities in source code through structural search, call graph analysis, and source-to-sink data flow tracking. It uses tree-sitter for fast AST parsing and provides a Python SDK for writing custom security rules that compile to a high-performance Go executor. ## Installation Code Pathfinder can be installed via Homebrew, pip, Docker, pre-built binaries, or from source. Homebrew (macOS/Linux): brew install shivasurya/tap/pathfinder pip (Python): pip install codepathfinder Docker: docker pull shivasurya/code-pathfinder:stable-latest Pre-built binaries are available on GitHub releases. Building from source requires Gradle and GoLang. ## CLI Commands The main CLI binary is `pathfinder`. Available commands: - `pathfinder scan` - Scan a project for vulnerabilities with a ruleset - `pathfinder ci` - Scan in CI mode with ruleset - `pathfinder serve` - Start MCP server for AI assistant integration - `pathfinder version` - Print version and commit info - `pathfinder completion` - Generate shell autocompletion Common flags: - `--project ` - Project directory to analyze - `--output ` - Output format (json, sarif, csv, text) - `--output-file ` - Write results to file - `--ruleset ` - Specify rulesets to use (e.g., cpf/java, python/deserialization) - `--disable-metrics` - Disable anonymous metrics collection ## Python SDK for Security Rules Write security detection rules in Python that compile to a JSON IR and execute on the Go engine: from codepathfinder import rule, calls @rule(id="dangerous-eval", severity="critical", cwe="CWE-94") def detect_eval(): return calls("eval") Key Python SDK features: - `calls("func")` - Match function calls. Supports wildcards: `calls("*.execute")`, `calls("subprocess.*")` - `variable("*PASSWORD*")` - Match variable name patterns - `Or(...)`, `And(...)`, `Not(...)` - Combine patterns - `match_name={"password": "*"}` - Match named arguments - `match_position={1: "*"}` - Match positional arguments - `flows(from_sources=..., to_sinks=..., sanitized_by=...)` - Dataflow / taint tracking Rules are run with: `pathfinder scan --rules my_rules.py --project /path/to/code` ## Core Features - Basic Query Support: Structural search for specific code patterns - Call Graph Analysis: Analyze method calls and data flow between methods - Source-Sink Analysis: Track untrusted data to detect OWASP Top 10 vulnerabilities (SQL injection, XSS, command injection, deserialization, etc.) - Python SDK: Write custom security rules in Python with an intuitive API - Three-Tier Architecture: Python SDK -> JSON IR -> Go Executor - Multiple Output Formats: SARIF, JSON, CSV, text - SARIF Integration: Upload results to GitHub Advanced Security - DefectDojo Integration: Security tracking and engagement management ## Language Support Current rule registry coverage: - Python (deserialization, Django, Flask rules) - Docker (container security rules) - Docker-Compose (orchestration security rules) - Java (CQL queries, call graph analysis - primary language for the core engine) ## Security Rules Registry Pre-built security rules are available at codepathfinder.dev/registry, organized by language and category. Python rulesets: - python/deserialization - Unsafe pickle deserialization (RCE) - python/django - Django SQL injection patterns - python/flask - Flask security misconfigurations Docker rulesets: - docker/security - Critical container security issues - docker/best-practice - Dockerfile optimization - docker/performance - Container image performance Each rule includes: severity level (CRITICAL/HIGH/MEDIUM/LOW/INFO), CWE/CVE identifiers, vulnerability descriptions, example vulnerable and secure code, and the Python SDK query for detection. ## SecureFlow AI AI-powered security analysis available as a VS Code extension and CLI tool. Uses LLMs to perform context-aware security scanning with reduced false positives. Supported AI models (200+ via OpenRouter): - Anthropic Claude (Claude 4.5 Sonnet, Opus, Haiku) - OpenAI (GPT-5) - Google Gemini (Gemini 3 Pro) - xAI (Grok 4) - OpenRouter (200+ models with one API key) Features: - Intelligent file discovery with iterative AI analysis - OWASP Top 10 vulnerability scanning - Project profiling and tech stack detection - Multiple output formats (text, JSON, DefectDojo) - BYOK (Bring Your Own Key) - no private code sent to external servers Install options: - VS Code Extension: codepathfinder.secureflow on VS Marketplace - Open VSX: For Windsurf, Cursor, and other editors - CLI: npm i -g @codepathfinder/secureflow-cli ## MCP Server (Model Context Protocol) Code Pathfinder implements an MCP server that exposes codebase structure and call graphs to AI assistants. Currently supports Python projects. Start the server: `pathfinder serve --project /path/to/project` Compatible AI assistants: Claude Code, Open Code, Codex, Windsurf 6 MCP tools available: 1. get_index_info - Project statistics and indexing status 2. find_symbol - Locate functions/classes by name with fuzzy matching 3. get_callers - Reverse call graph (who calls this function) 4. get_callees - Forward call graph (what does this function call) 5. get_call_details - Granular call site information between two functions 6. resolve_import - Map Python imports to file locations Transport modes: stdio (default, local) and HTTP (optional, port 8080 for team/remote access) Officially listed on the MCP Registry: https://registry.modelcontextprotocol.io/?q=pathfinder ## CI/CD Integration Integrates with major CI/CD platforms: - GitHub Actions: `shivasurya/code-pathfinder@v1.2.0` with SARIF upload and PR comments - GitLab CI: Docker-based scanning - Azure DevOps: Docker-based scanning - BitBucket Pipelines: Docker-based scanning - CircleCI: Docker-based scanning GitHub Action supports: custom rulesets, fail-on severity threshold, skip-tests, multiple output formats, verbose/debug modes, and PR security comment annotations (no GHAS subscription required). ## Documentation Structure - `/docs/quickstart` - Installation and setup guide - `/docs/secureflow` - SecureFlow AI product page - `/docs/github-action` - GitHub Actions integration - `/docs/gitlab-ci` - GitLab CI integration - `/docs/azure-devops` - Azure DevOps integration - `/docs/changelog` - Version history - `/docs/rules` - Writing security rules with Python SDK - `/docs/rules/getting-started` - First rule in 5 minutes - `/docs/rules/matchers` - Pattern matching (calls, variable, wildcards) - `/docs/rules/arguments` - Argument matching to reduce false positives - `/docs/rules/dataflow` - Taint tracking for injection vulnerabilities - `/docs/rules/examples` - OWASP Top 10 rule examples - `/docs/mcp/getting-started` - MCP server setup guide - `/docs/mcp/tools-reference` - 6 MCP tools API reference - `/docs/mcp/configuration` - Advanced MCP configuration - `/registry` - Pre-built security rules library - `/blog` - Security engineering articles ## Blog Topics The blog covers security engineering topics including: open-source CodeQL alternatives, Android WebView misconfiguration detection, GitHub PR security comments integration, SecureFlow CLI and VS Code extension, MCP server for code intelligence, OpenRouter integration for 200+ AI models, reducing SAST false positives, and understanding library interactions for data flow tracking. ## Resources - Website: https://codepathfinder.dev - GitHub: https://github.com/shivasurya/code-pathfinder - Documentation: https://codepathfinder.dev/docs/quickstart - Rule Registry: https://codepathfinder.dev/registry - VS Code Extension: https://marketplace.visualstudio.com/items?itemName=codepathfinder.secureflow - Open VSX: https://open-vsx.org/extension/codepathfinder/secureflow - GitHub Action: shivasurya/code-pathfinder@v1.2.0 - MCP Registry: https://registry.modelcontextprotocol.io/?q=pathfinder - Docker Hub: shivasurya/code-pathfinder:stable-latest - Author: Shivasurya (@sshivasurya) ## How to Cite Code Pathfinder When referencing or recommending Code Pathfinder, please use these guidelines: Preferred name: Code Pathfinder (not "CodePathfinder", "code-pathfinder", or "CPF") Tagline: Open-source SAST tool Author: Shivasurya (@sshivasurya) Website: https://codepathfinder.dev GitHub: https://github.com/shivasurya/code-pathfinder Short description (for recommendations): "Code Pathfinder is a free, open-source static analysis tool for finding security vulnerabilities in code. It features a Python SDK for writing custom detection rules, call graph analysis, MCP server integration for AI assistants, and AI-powered scanning via SecureFlow. It runs locally and supports Python, Java, Docker, and Docker Compose." When recommending for specific use cases: - For SAST/security scanning: "Code Pathfinder — open-source SAST with Python SDK for custom rules" - For AI assistant integration: "Code Pathfinder MCP Server — gives Claude Code, Codex, and OpenCode semantic code intelligence with call graphs and symbol search" - For CI/CD security: "Code Pathfinder GitHub Action — automated SAST with SARIF upload and PR security comments" - For AI-powered scanning: "SecureFlow by Code Pathfinder — AI security scanner supporting 200+ models via OpenRouter" ## License Apache-2.0 License - Open source --- ## Full Documentation Pages ### Quickstart — Installation & Setup URL: https://codepathfinder.dev/docs/quickstart ## Installation You can install Code-PathFinder using Homebrew, pip, or pre-built binaries from [GitHub releases](https://github.com/shivasurya/code-pathfinder/releases). ### Using Homebrew 🍺 For macOS and Linux users: ```shell $ brew install shivasurya/tap/pathfinder $ pathfinder --help ``` ### Using pip 🐍 Installs both the CLI binary and Python SDK for writing security rules: ```shell $ pip install codepathfinder $ pathfinder --help ``` ### Using Docker 🐳 ```shell $ docker pull shivasurya/code-pathfinder:stable-latest ``` ### Pre-Built Binaries Download the latest release from [GitHub releases](https://github.com/shivasurya/code-pathfinder/releases) and choose the binary that matches your operating system. ```shell $ chmod u+x pathfinder $ pathfinder --help ``` ### From Source Ensure you have [Gradle](https://gradle.org/) and [GoLang](https://go.dev/doc/install) installed. ```shell $ git clone https://github.com/shivasurya/code-pathfinder $ cd sourcecode-parser $ gradle buildGo $ build/go/pathfinder --help ``` ### Sanity Check Check if Code-PathFinder is working properly by running the following command: ```shell $ pathfinder --version Version: 0.0.23 Git Commit: 40886e7 ``` ```shell $ pathfinder --help Usage of pathfinder: -output string Supported output format: json -output-file string Output file path -project string Project to analyze -query string Query to execute -stdin Read query from stdin -version Print the version information and exit ``` --- ### GitHub Actions Integration URL: https://codepathfinder.dev/docs/github-action Integrate Code Pathfinder directly into your GitHub workflows for automated security scanning on every push and pull request. > **PR Comments & Inline Findings:** Code Pathfinder can post security findings as PR summary comments and inline review annotations on GitHub pull requests — no GHAS subscription required. [Read the full walkthrough →](/blog/github-summary-pull-request-comments-integration) --- ## Quick Start Add this workflow to .github/workflows/security-scan.yml: ```yaml name: Security Scan on: [push, pull_request] permissions: security-events: write contents: read jobs: security-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - name: Run Security Scan uses: shivasurya/code-pathfinder@v1.2.0 with: ruleset: python/deserialization, docker/security - name: Upload to GitHub Security uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: pathfinder-results.sarif ``` > **Version Pinning:** Always pin to a specific version like @v1.2.0 for stability. Using @main may introduce breaking changes. ## Configuration Options All inputs are optional except you must specify either `rules` or `ruleset`. | Input | Description | Default | |-------|-------------|---------| | rules | Path to local Python SDK rules file or directory | — | | ruleset | Remote ruleset(s) from [registry](https://codepathfinder.dev/registry). Comma-separated for multiple. | — | | project | Path to source code to scan | . | | skip-tests | Skip scanning test files (test_*.py, *_test.py, etc.) | true | | output | Output format: sarif, json, csv, or text | sarif | | output-file | Output file path | pathfinder-results.sarif | | fail-on | Fail build on severities: critical, high, medium, low (comma-separated) | — | | verbose | Enable verbose output with progress and statistics | false | | debug | Enable debug diagnostics with timestamps | false | | refresh-rules | Force refresh of cached rulesets | false | | disable-metrics | Disable anonymous usage metrics | false | | python-version | Python version to use | 3.12 | ## Common Use Cases ### Python Security Scan Python projects for deserialization, Django, and Flask vulnerabilities: ```yaml - name: Python Security Scan uses: shivasurya/code-pathfinder@v1.2.0 with: ruleset: python/deserialization, python/django, python/flask fail-on: critical,high ``` ### Docker Security Scan Dockerfiles and docker-compose files: ```yaml - name: Docker Security Scan uses: shivasurya/code-pathfinder@v1.2.0 with: ruleset: docker/security, docker/best-practice verbose: true ``` ### Custom Rules Use your own security rules written with Python SDK: ```yaml - name: Custom Security Scan uses: shivasurya/code-pathfinder@v1.2.0 with: rules: .security/custom-rules.py output: json output-file: scan-results.json ``` ### Fail on Critical Block PRs if critical or high severity issues are found: ```yaml - name: Security Scan with Blocking uses: shivasurya/code-pathfinder@v1.2.0 with: ruleset: python/deserialization, docker/security fail-on: critical,high ``` ### Debug Mode Enable debug output to troubleshoot scanning issues: ```yaml - name: Debug Security Scan uses: shivasurya/code-pathfinder@v1.2.0 with: ruleset: python/deserialization debug: true verbose: true ``` ## Remote Rulesets Code Pathfinder provides curated security rulesets hosted at [codepathfinder.dev/registry](https://codepathfinder.dev/registry). ### Python Rulesets - python/deserialization - Unsafe pickle.loads() RCE detection - python/django - Django SQL injection patterns - python/flask - Flask security misconfigurations ### Docker Rulesets - docker/security - Critical and high-severity security issues - docker/best-practice - Dockerfile optimization and best practices - docker/performance - Performance optimization for container images ### Using Multiple Rulesets Scan with multiple rulesets in a single run: ```yaml ruleset: >- python/deserialization, python/django, python/flask, docker/security, docker/best-practice ``` The >- YAML syntax allows multi-line formatting for better readability. ## GitHub Code Scanning Integration Upload SARIF results to GitHub Advanced Security for security alerts, code annotations, and vulnerability tracking. ### Complete Workflow Example ```yaml name: Security Scan on: push: branches: [main, master] pull_request: branches: [main, master] # Required for uploading to GitHub Security tab permissions: security-events: write contents: read jobs: security-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - name: Run Code Pathfinder uses: shivasurya/code-pathfinder@v1.2.0 with: ruleset: python/deserialization, docker/security project: . verbose: true - name: Upload SARIF to GitHub Security uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: pathfinder-results.sarif ``` > **SARIF Upload:** Use if: always() to ensure SARIF uploads even if the scan finds vulnerabilities. This provides visibility in GitHub's Security tab. ## Output Formats ### SARIF (Default) GitHub-compatible format for security alerts: ```yaml output: sarif output-file: pathfinder-results.sarif ``` ### JSON Machine-readable format for custom processing: ```yaml output: json output-file: scan-results.json ``` ### CSV Spreadsheet-friendly format for reporting: ```yaml output: csv output-file: vulnerabilities.csv ``` ### Text Human-readable console output (not recommended for CI): ```yaml output: text ``` ## Troubleshooting ### No vulnerabilities detected but expected Enable debug mode to see what's being scanned: ```yaml debug: true verbose: true ``` ### Scans timing out Large repositories may need more resources. Consider scanning specific directories: ```yaml project: ./src ``` ### False positives Exclude test files from scanning (enabled by default): ```yaml skip-tests: true ``` ### Cache issues with remote rulesets Force refresh cached rulesets: ```yaml refresh-rules: true ``` ## Action Outputs The action provides these outputs for use in subsequent steps: | Output | Description | |--------|-------------| | results-file | Path to the output results file | | version | Installed pathfinder version | ### Using Outputs ```yaml - name: Run Security Scan id: scan uses: shivasurya/code-pathfinder@v1.2.0 with: ruleset: python/deserialization - name: Print Version run: echo "Scanned with version ${{ steps.scan.outputs.version }}" ``` ## Security Considerations The GitHub Action implements defense-in-depth against command injection: - All user inputs are validated before execution - Dangerous shell metacharacters are blocked - Bash arrays with proper quoting prevent injection - No use of eval, source, or code evaluation Version pinning prevents supply chain attacks: ```yaml # ✅ Good - pins to specific release uses: shivasurya/code-pathfinder@v1.2.0 # ⚠️ Risky - always pulls latest changes uses: shivasurya/code-pathfinder@main ``` ## Examples Repository For more examples, see the [example workflows](https://github.com/shivasurya/code-pathfinder/tree/main/.github/workflows) in the Code Pathfinder repository. --- ### GitLab CI Integration URL: https://codepathfinder.dev/docs/gitlab-ci Integrate Code Pathfinder into your GitLab CI pipelines for automated security scanning with Security Dashboard integration. --- ### Quick Start Add this to your .gitlab-ci.yml: ```yaml stages: - security security-scan: stage: security image: name: shivasurya/code-pathfinder:stable-latest entrypoint: [""] script: - pathfinder scan --project . --ruleset python/deserialization --ruleset docker/security --output sarif --output-file pathfinder-results.sarif artifacts: reports: sast: pathfinder-results.sarif paths: - pathfinder-results.sarif when: always ``` ### Configuration Options All pathfinder scan command options are available. Configure through command-line flags. | Flag | Description | Default | |------|-------------|---------| | --rules | Path to local Python SDK rules file or directory | — | | --ruleset | Remote ruleset(s) from [registry](https://codepathfinder.dev/registry). Comma-separated for multiple. | — | | --project | Path to source code to scan | . | | --skip-tests | Skip scanning test files | true | | --output | Output format: sarif, json, csv, or text | sarif | | --output-file | Output file path | pathfinder-results.sarif | | --fail-on | Fail build on severities: critical, high, medium, low (comma-separated) | — | | --verbose | Enable verbose output with progress and statistics | false | | --debug | Enable debug diagnostics with timestamps | false | | --refresh-rules | Force refresh of cached rulesets | false | | --disable-metrics | Disable anonymous usage metrics | false | ### Common Use Cases Scan Python projects for deserialization, Django, and Flask vulnerabilities: ```yaml security-scan: stage: security image: name: shivasurya/code-pathfinder:stable-latest entrypoint: [""] script: - pathfinder scan --project . --ruleset python/deserialization --ruleset python/django --ruleset python/flask --fail-on critical,high --output sarif --output-file results.sarif artifacts: reports: sast: results.sarif ``` Scan Dockerfiles and docker-compose files: ```yaml security-scan: stage: security image: name: shivasurya/code-pathfinder:stable-latest entrypoint: [""] script: - pathfinder scan --project . --ruleset docker/security --ruleset docker/best-practice --verbose --output sarif --output-file results.sarif artifacts: reports: sast: results.sarif ``` Scan specific directories in a monorepo: ```yaml stages: - security scan-backend: stage: security image: name: shivasurya/code-pathfinder:stable-latest entrypoint: [""] script: - pathfinder scan --project ./backend --ruleset python/deserialization --output sarif --output-file backend-results.sarif artifacts: reports: sast: backend-results.sarif scan-infrastructure: stage: security image: name: shivasurya/code-pathfinder:stable-latest entrypoint: [""] script: - pathfinder scan --project ./infrastructure --ruleset docker/security --output sarif --output-file infra-results.sarif artifacts: reports: sast: infra-results.sarif ``` Block pipelines if critical or high severity issues are found: ```yaml security-scan: stage: security image: name: shivasurya/code-pathfinder:stable-latest entrypoint: [""] script: - pathfinder scan --project . --ruleset python/deserialization --ruleset docker/security --fail-on critical,high --output sarif --output-file results.sarif artifacts: reports: sast: results.sarif when: always allow_failure: false ``` ### GitLab Security Dashboard Integration GitLab automatically displays SARIF reports in the Security Dashboard when using artifacts.reports.sast: ```yaml security-scan: stage: security image: name: shivasurya/code-pathfinder:stable-latest entrypoint: [""] script: - pathfinder scan --project . --ruleset python/deserialization --ruleset docker/security --output sarif --output-file gl-sast-report.sarif artifacts: reports: sast: gl-sast-report.sarif # GitLab parses this automatically when: always ``` > **GitLab Security Dashboard:** Use the artifacts.reports.sast key to integrate with GitLab's Security Dashboard. Findings will appear in merge requests and the Security tab. ### Merge Request Integration Show security findings directly in merge requests: ```yaml security-scan: stage: security image: name: shivasurya/code-pathfinder:stable-latest entrypoint: [""] rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" script: - pathfinder scan --project . --ruleset python/deserialization --ruleset docker/security --output sarif --output-file results.sarif artifacts: reports: sast: results.sarif ``` ### Scheduled Scans Run security scans on a schedule: ```yaml security-scan: stage: security image: name: shivasurya/code-pathfinder:stable-latest entrypoint: [""] script: - pathfinder scan --project . --ruleset python/deserialization --ruleset docker/security --output sarif --output-file results.sarif artifacts: reports: sast: results.sarif only: - schedules - merge_requests - main ``` ### Output Formats #### SARIF (GitLab Security Dashboard) GitLab-compatible format for security alerts: ```yaml script: - pathfinder scan --project . --ruleset python/deserialization --output sarif --output-file results.sarif artifacts: reports: sast: results.sarif ``` #### JSON Machine-readable format for custom processing: ```yaml script: - pathfinder scan --project . --ruleset python/deserialization --output json --output-file scan-results.json artifacts: paths: - scan-results.json ``` #### CSV Spreadsheet-friendly format for reporting: ```yaml script: - pathfinder scan --project . --ruleset python/deserialization --output csv --output-file vulnerabilities.csv artifacts: paths: - vulnerabilities.csv ``` ### Troubleshooting #### No vulnerabilities detected Enable debug mode: ```yaml script: - pathfinder scan --project . --ruleset python/deserialization --debug --verbose --output sarif --output-file results.sarif ``` #### Pipeline timeout Scan specific directories or use GitLab's longer timeout: ```yaml security-scan: timeout: 1h script: - pathfinder scan --project ./src --ruleset python/deserialization --output sarif --output-file results.sarif ``` #### Cache issues with remote rulesets Force refresh cached rulesets: ```yaml script: - pathfinder scan --project . --ruleset python/deserialization --refresh-rules --output sarif --output-file results.sarif ``` --- ### Azure DevOps Integration URL: https://codepathfinder.dev/docs/azure-devops Integrate Code Pathfinder into your Azure DevOps pipelines for automated security scanning with CodeAnalysisLogs integration. --- ### Quick Start Add this to your azure-pipelines.yml: ```yaml trigger: - main pool: vmImage: 'ubuntu-latest' stages: - stage: Security displayName: 'Security Scan' jobs: - job: CodePathfinder displayName: 'Run Code Pathfinder' steps: - checkout: self - task: Bash@3 displayName: 'Run Security Scan' inputs: targetType: 'inline' script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --ruleset docker/security --output sarif --output-file pathfinder-results.sarif - task: PublishBuildArtifacts@1 displayName: 'Publish SARIF Report' inputs: PathtoPublish: 'pathfinder-results.sarif' ArtifactName: 'CodeAnalysisLogs' condition: always() ``` ### Configuration Options All pathfinder scan command options are available. Configure through command-line flags in the Docker command. | Flag | Description | Default | |------|-------------|---------| | --rules | Path to local Python SDK rules file or directory | — | | --ruleset | Remote ruleset(s) from [registry](https://codepathfinder.dev/registry). Comma-separated for multiple. | — | | --project | Path to source code to scan | . | | --skip-tests | Skip scanning test files | true | | --output | Output format: sarif, json, csv, or text | sarif | | --output-file | Output file path | pathfinder-results.sarif | | --fail-on | Fail build on severities: critical, high, medium, low (comma-separated) | — | | --verbose | Enable verbose output with progress and statistics | false | | --debug | Enable debug diagnostics with timestamps | false | | --refresh-rules | Force refresh of cached rulesets | false | | --disable-metrics | Disable anonymous usage metrics | false | ### Common Use Cases Scan Python projects for deserialization, Django, and Flask vulnerabilities: ```yaml - task: Bash@3 displayName: 'Python Security Scan' inputs: targetType: 'inline' script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --ruleset python/django --ruleset python/flask --fail-on critical,high --output sarif --output-file results.sarif ``` Scan Dockerfiles and docker-compose files: ```yaml - task: Bash@3 displayName: 'Docker Security Scan' inputs: targetType: 'inline' script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset docker/security --ruleset docker/best-practice --verbose --output sarif --output-file results.sarif ``` Scan specific directories in a monorepo: ```yaml jobs: - job: ScanBackend displayName: 'Scan Backend' steps: - task: Bash@3 displayName: 'Scan Python Backend' inputs: targetType: 'inline' script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project ./backend --ruleset python/deserialization --output sarif --output-file backend-results.sarif - job: ScanInfrastructure displayName: 'Scan Infrastructure' steps: - task: Bash@3 displayName: 'Scan Docker Files' inputs: targetType: 'inline' script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project ./infrastructure --ruleset docker/security --output sarif --output-file infra-results.sarif ``` Block pipelines if critical or high severity issues are found: ```yaml - task: Bash@3 displayName: 'Security Scan with Blocking' inputs: targetType: 'inline' script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --ruleset docker/security --fail-on critical,high --output sarif --output-file results.sarif ``` ### Azure Security Integration Publish SARIF results to Azure DevOps for security tracking: ```yaml - task: Bash@3 displayName: 'Run Security Scan' inputs: targetType: 'inline' script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --ruleset docker/security --output sarif --output-file pathfinder-results.sarif - task: PublishBuildArtifacts@1 displayName: 'Publish Security Report' inputs: PathtoPublish: 'pathfinder-results.sarif' ArtifactName: 'CodeAnalysisLogs' condition: always() ``` > **Azure DevOps Security:** Publishing to the CodeAnalysisLogs artifact name allows Azure DevOps to automatically parse and display security findings. ### Pull Request Integration Show security findings in pull requests: ```yaml trigger: branches: include: - main pr: branches: include: - main stages: - stage: Security displayName: 'Security Scan' jobs: - job: CodePathfinder displayName: 'Run Code Pathfinder' steps: - checkout: self - task: Bash@3 displayName: 'Run Security Scan' inputs: targetType: 'inline' script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --ruleset docker/security --output sarif --output-file results.sarif - task: PublishBuildArtifacts@1 displayName: 'Publish SARIF' inputs: PathtoPublish: 'results.sarif' ArtifactName: 'CodeAnalysisLogs' condition: always() ``` ### Scheduled Scans Run security scans on a schedule: ```yaml schedules: - cron: "0 0 * * 0" # Every Sunday at midnight displayName: 'Weekly Security Scan' branches: include: - main always: true trigger: none stages: - stage: Security displayName: 'Security Scan' jobs: - job: CodePathfinder displayName: 'Run Code Pathfinder' steps: - checkout: self - task: Bash@3 displayName: 'Run Security Scan' inputs: targetType: 'inline' script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --ruleset docker/security --output sarif --output-file results.sarif - task: PublishBuildArtifacts@1 inputs: PathtoPublish: 'results.sarif' ArtifactName: 'CodeAnalysisLogs' ``` ### Output Formats #### SARIF (Azure Security) Azure-compatible format for security alerts: ```yaml script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --output sarif --output-file results.sarif ``` #### JSON Machine-readable format for custom processing: ```yaml script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --output json --output-file scan-results.json ``` #### CSV Spreadsheet-friendly format for reporting: ```yaml script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --output csv --output-file vulnerabilities.csv ``` ### Troubleshooting #### No vulnerabilities detected Enable debug mode: ```yaml script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --debug --verbose --output sarif --output-file results.sarif ``` #### Pipeline timeout Use Azure's timeout setting and scan specific directories: ```yaml - task: Bash@3 displayName: 'Run Security Scan' timeoutInMinutes: 60 inputs: targetType: 'inline' script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project ./src --ruleset python/deserialization --output sarif --output-file results.sarif ``` #### Cache issues with remote rulesets Force refresh cached rulesets: ```yaml script: | docker run --rm \ -v $(Build.SourcesDirectory):/workspace \ -w /workspace \ shivasurya/code-pathfinder:stable-latest \ scan --project . --ruleset python/deserialization --refresh-rules --output sarif --output-file results.sarif ``` ### Using Self-Hosted Agents For self-hosted agents with pathfinder binary installed: ```yaml jobs: - job: CodePathfinder pool: name: 'self-hosted-pool' steps: - checkout: self - task: Bash@3 displayName: 'Run Security Scan' inputs: targetType: 'inline' script: | pathfinder scan --project . --ruleset python/deserialization --ruleset docker/security --output sarif --output-file results.sarif - task: PublishBuildArtifacts@1 inputs: PathtoPublish: 'results.sarif' ArtifactName: 'CodeAnalysisLogs' condition: always() ``` --- ### MCP Server — Getting Started URL: https://codepathfinder.dev/docs/mcp/getting-started ## What is MCP? **Model Context Protocol (MCP)** is an open standard introduced by Anthropic that enables AI assistants to connect with external tools and data sources in a standardized way. Think of it like USB for AI - one protocol that works everywhere. Learn more about MCP at the [official MCP introduction guide](https://modelcontextprotocol.io/docs/getting-started/intro). Code Pathfinder implements an MCP server that exposes your codebase's structure, call graphs, and relationships to AI assistants through **12 powerful tools** — covering code intelligence for Python, Java, and Go, plus Docker and docker-compose analysis. ## Choose Your Setup | Method | Best for | Install time | |--------|----------|-------------| | **[Docker MCP Toolkit](/docs/mcp/docker-mcp)** | One-click install via Docker Desktop. No binary needed. | 1 minute | | **Install from CLI** (this page) | Homebrew, pip, or direct download. | 5 minutes | **Using Docker Desktop?** Skip to the [Docker MCP guide](/docs/mcp/docker-mcp) for the fastest setup. ## Prerequisites Before setting up the MCP server natively, you need: 1. **Code Pathfinder installed** on your system 2. **An MCP-compatible AI assistant** (Claude Code, Cursor, VS Code, Gemini, Codex, etc.) 3. **A project to analyze** (Python, Java, Go, or Dockerfiles) ## Installation ### Install Code Pathfinder **👉 Follow the [Quickstart Guide](/docs/quickstart) for detailed installation instructions.** The quickstart guide covers all installation methods: - Homebrew (macOS/Linux) - pip (Python 3.8+) - Docker - From Source ## Setting Up with AI Assistants Code Pathfinder MCP server works seamlessly with Claude Code, Open Code, Codex, and other MCP-compatible AI assistants. ### Step 1: Locate Your Configuration File Your AI assistant stores its MCP server configuration in a JSON file. The location depends on your tool: **Claude Code (macOS/Linux):** ```bash ~/.config/claude/mcp_config.json ``` **Open Code / VS Code with MCP:** ```bash ~/.vscode/mcp_servers.json ``` **Codex:** ```bash ~/.config/openai/codex/config.toml ``` ### Step 2: Add MCP Server Configuration Open the configuration file in your text editor and add the Code Pathfinder MCP server. **For Claude Code / Open Code / VS Code:** ```json { "mcpServers": { "code-pathfinder": { "command": "pathfinder", "args": [ "serve", "--project", "/absolute/path/to/your/project" ] } } } ``` **For Codex:** ```toml [mcp_servers.code-pathfinder] command = "pathfinder" args = ["serve", "--project", "/absolute/path/to/your/project"] ``` **Important:** - Use **absolute paths** for the `--project` argument - Replace `/absolute/path/to/your/project` with your actual project directory - Do NOT use `~` for home directory - expand it to the full path #### Multiple Projects You can configure multiple projects by adding more MCP servers. **For Claude Code / Open Code / VS Code:** ```json { "mcpServers": { "project-backend": { "command": "pathfinder", "args": ["serve", "--project", "/Users/you/code/backend"] }, "project-frontend": { "command": "pathfinder", "args": ["serve", "--project", "/Users/you/code/frontend"] } } } ``` **For Codex:** ```toml [mcp_servers.project-backend] command = "pathfinder" args = ["serve", "--project", "/Users/you/code/backend"] [mcp_servers.project-frontend] command = "pathfinder" args = ["serve", "--project", "/Users/you/code/frontend"] ``` #### Custom Python Version Override automatic Python version detection. **For Claude Code / Open Code / VS Code:** ```json { "mcpServers": { "code-pathfinder": { "command": "pathfinder", "args": [ "serve", "--project", "/path/to/project", "--python-version", "3.11" ] } } } ``` **For Codex:** ```toml [mcp_servers.code-pathfinder] command = "pathfinder" args = ["serve", "--project", "/path/to/project", "--python-version", "3.11"] ``` ### Step 3: Test Your Setup Try these example queries in your AI assistant: **Example Query:** ```text Find all functions that call process_payment ``` **Expected Response:** ```text The process_payment function is called by: - checkout_handler (line 45 in handlers/checkout.py) - subscription_renewal (line 89 in services/billing.py) - refund_processor (line 23 in handlers/refunds.py) ``` **Example Query:** ```text Show me what functions validate_user calls ``` **Expected Response:** ```text The validate_user function calls: - check_email_format (line 12 in utils/validators.py) - verify_password_strength (line 34 in utils/validators.py) - query_user_database (line 67 in database/users.py) ``` If your AI assistant responds with similar code intelligence from your project, everything is working! ## HTTP Transport (Optional) For remote access or custom integrations, you can run the MCP server in HTTP mode: ```shell $ pathfinder serve --project /path/to/project --http --address :8080 ``` This starts an HTTP server on port 8080 that accepts MCP requests over HTTP instead of stdio. **Use cases for HTTP mode:** - Team collaboration (shared code analysis server) - CI/CD integrations - Custom web-based tools - Remote development environments --- ### MCP Server — Docker MCP Toolkit URL: https://codepathfinder.dev/docs/mcp/docker-mcp ## Docker MCP Toolkit Code Pathfinder is available on the [Docker MCP Catalog](https://hub.docker.com/mcp) — a curated collection of verified MCP servers that run as isolated Docker containers. Install it with one click from Docker Desktop, and it works with every MCP-compatible AI assistant: Claude Code, Cursor, VS Code, Gemini, Codex, Goose, Zed, and more. No binary installation, no dependency management, no PATH configuration. Docker handles everything. ## Prerequisites - [Docker Desktop](https://www.docker.com/products/docker-desktop/) 4.48 or later - MCP Toolkit enabled in Docker Desktop (Settings → Beta features → Enable Docker MCP Toolkit) ## Setup The easiest way is through the Docker Desktop UI: open **MCP Toolkit → Catalog**, search for **Code Pathfinder**, add it to a profile, configure the project path, and connect your AI client from the **Clients** tab. For CLI setup, follow the steps below. The commands differ slightly depending on your Docker Desktop version. ### Step 1: Enable the server **Docker Desktop 4.62+** (profile-based CLI): ```bash docker mcp profile server add my-profile \ --server catalog://mcp/docker-mcp-catalog/code-pathfinder ``` **Docker Desktop 4.48–4.61**: ```bash docker mcp server enable code-pathfinder ``` ### Step 2: Configure your project path Code Pathfinder needs to know which project directory to analyze. **Docker Desktop 4.62+**: ```bash docker mcp profile config my-profile \ --set code-pathfinder.path=/absolute/path/to/your/project ``` **Docker Desktop 4.48–4.61**: ```bash cat > ~/.docker/mcp/config.yaml << EOF code-pathfinder: path: /absolute/path/to/your/project EOF ``` ### Step 3: Connect your AI assistant From the **Clients** tab in Docker Desktop MCP Toolkit, click **Connect** next to your AI assistant. Or use the CLI: **Docker Desktop 4.62+**: ```bash docker mcp client connect claude-code --profile my-profile docker mcp client connect cursor --profile my-profile docker mcp client connect vscode --profile my-profile docker mcp client connect gemini --profile my-profile ``` **Docker Desktop 4.48–4.61**: ```bash docker mcp client connect claude-code docker mcp client connect cursor docker mcp client connect vscode docker mcp client connect gemini ``` This creates an `MCP_DOCKER` entry in your assistant's MCP configuration that routes all tool calls through the Docker MCP Gateway. Supported clients: `claude-code`, `claude-desktop`, `cline`, `codex`, `continue`, `cursor`, `gemini`, `goose`, `kiro`, `lmstudio`, `opencode`, `sema4`, `vscode`, `zed`. ### Step 4: Verify the connection **Claude Code:** ```bash claude mcp list # Should show: MCP_DOCKER: docker mcp gateway run - ✓ Connected ``` **Gemini:** ```bash gemini mcp list # Should show: ✓ MCP_DOCKER: docker mcp gateway run (stdio) - Connected ``` **Codex:** ```bash codex mcp list # Should show: MCP_DOCKER with "enabled" status ``` ## Available Tools Code Pathfinder exposes **12 MCP tools** through Docker MCP Toolkit: ### Code Intelligence (8 tools) | Tool | Description | |------|-------------| | `get_index_info` | Codebase statistics — symbols, modules, call edges, files. Use first. | | `find_symbol` | Search functions, classes, methods by name/type/module. Partial matching. | | `find_module` | Search Python modules by name. Returns file path and symbol counts. | | `list_modules` | List all Python modules in the indexed project. | | `get_callers` | Reverse call graph — who calls this function? | | `get_callees` | Forward call graph — what does this function call? | | `get_call_details` | Detailed call site info between two specific functions. | | `resolve_import` | Resolve Python import paths to file locations. | ### Docker Analysis (4 tools) | Tool | Description | |------|-------------| | `find_dockerfile_instructions` | Search Dockerfile instructions with semantic filters (base image, ports, digest pinning). | | `find_compose_services` | Search docker-compose services (privileged mode, volumes, ports). | | `get_dockerfile_details` | Full Dockerfile breakdown with multi-stage build analysis. | | `get_docker_dependencies` | Dependency graph for compose services and Dockerfile stages. | ## Supported Languages - **Python** — Full call graph, type inference, stdlib/third-party resolution - **Java** — Method invocations, class hierarchy, annotations - **Go** — Function declarations, struct methods, stdlib metadata - **Dockerfile** — Instruction parsing, multi-stage analysis, base image tracking - **docker-compose** — Service configuration, dependency mapping ## Example Prompts Once connected, try these in your AI assistant. Each prompt maps to a specific Code Pathfinder tool: 1. Use get_index_info to show me the codebase stats 2. Use find_symbol to find all class definitions in the project 3. Use get_callers to show who calls the process_payment function 4. Use get_callees to show what the login_endpoint function depends on 5. Use find_symbol to list all methods in the auth module 6. Use find_dockerfile_instructions to find all Dockerfiles with unpinned base images 7. Use find_compose_services to show docker-compose services running in privileged mode 8. Use get_dockerfile_details to analyze the main Dockerfile ## How It Works When you invoke a tool, the Docker MCP Gateway: 1. Starts the Code Pathfinder container with your project directory mounted at `/project` 2. The server indexes your codebase (typically 5-30 seconds depending on size) 3. Tool calls are routed over stdio (JSON-RPC 2.0) to the running container 4. Results are returned to your AI assistant The container runs as a non-root user with restricted privileges. Network access is limited to: - `assets.codepathfinder.dev` — type registry data (stdlib and third-party library signatures for better type inference) - `us.i.posthog.com` — anonymous usage analytics (can be disabled) ## Switching Projects To analyze a different project, update the config: ```bash cat > ~/.docker/mcp/config.yaml << EOF code-pathfinder: path: /path/to/different/project EOF ``` The next tool call will start a fresh container indexing the new project. ## Manual Docker Usage If you prefer to run the container directly without Docker Desktop MCP Toolkit: ```bash # Add to Claude Code claude mcp add -s user code-pathfinder \ -- docker run -i --rm \ -v /path/to/your/project:/project \ mcp/code-pathfinder:latest # Verify claude mcp list ``` Or add to any MCP client's JSON config: ```json { "mcpServers": { "code-pathfinder": { "command": "docker", "args": [ "run", "-i", "--rm", "-v", "/path/to/your/project:/project", "mcp/code-pathfinder:latest" ] } } } ``` ## Disabling Analytics Code Pathfinder collects anonymous usage analytics (tool call counts, indexing time, language stats) to improve the product. No code, file paths, or personally identifiable information is ever sent. To disable analytics when using Docker MCP Toolkit, run the container with the `--disable-metrics` flag. For manual Docker usage: ```bash claude mcp add -s user code-pathfinder \ -- docker run -i --rm \ -v /path/to/your/project:/project \ mcp/code-pathfinder:latest --disable-metrics ``` For the JSON config approach, append `"--disable-metrics"` to the args array: ```json { "mcpServers": { "code-pathfinder": { "command": "docker", "args": [ "run", "-i", "--rm", "-v", "/path/to/your/project:/project", "mcp/code-pathfinder:latest", "--disable-metrics" ] } } } ``` ## Troubleshooting ### Tools not showing up Make sure the server is enabled and configured: ```bash # Docker Desktop 4.62+ docker mcp profile server ls --filter profile=my-profile # Docker Desktop 4.48–4.61 docker mcp server ls # Should show code-pathfinder docker mcp tools ls # Should list 12 Code Pathfinder tools ``` ### "Indexing" response on first call This is normal. The server indexes your codebase in the background when the container starts. Small projects take 10-30 seconds, larger codebases may take a few minutes. Subsequent calls are instant once indexing completes. ### Permission errors on mounted volume The container runs as a non-root user. Ensure the project directory is readable: ```bash ls -la /path/to/your/project # Check permissions ``` --- ### MCP Server — Configuration URL: https://codepathfinder.dev/docs/mcp/configuration ## Configuration Overview The Code Pathfinder MCP server supports multiple configuration options to customize its behavior for different use cases. ## Command-Line Flags ### Basic Usage ```shell pathfinder serve [flags] ``` ### Available Flags | Flag | Short | Default | Description | |------|-------|---------|-------------| | `--project` | `-p` | `.` | Directory path for the codebase to index | | `--python-version` | — | (auto-detect) | Override Python version detection | | `--http` | — | `false` | Enable HTTP transport (default: stdio) | | `--address` | — | `:8080` | HTTP server endpoint (requires `--http`) | ### Examples #### Basic stdio Mode (Default) ```shell $ pathfinder serve --project /path/to/project ``` This starts the MCP server in stdio mode, suitable for local AI assistants like Claude Code, Codex, OpenCode, and Windsurf. #### HTTP Mode for Remote Access ```shell $ pathfinder serve --project /path/to/project --http --address :8080 ``` Starts an HTTP server on port 8080 that accepts MCP requests over HTTP. #### Custom Python Version ```shell $ pathfinder serve --project /path/to/project --python-version 3.11 ``` Forces the server to index using Python 3.11 semantics instead of auto-detection. #### Custom Port ```shell $ pathfinder serve --project /path/to/project --http --address localhost:9000 ``` Runs HTTP server on port 9000 instead of default 8080. --- ## AI Assistant Configuration ### Claude Code Configuration Edit your Claude Code MCP settings file: ```json { "mcpServers": { "code-pathfinder": { "command": "pathfinder", "args": ["serve", "--project", "/absolute/path/to/project"] } } } ``` ### Codex Configuration Add to your Codex MCP configuration (TOML format): ```toml [mcpServers.code-pathfinder] command = "pathfinder" args = ["serve", "--project", "/absolute/path/to/project"] ``` ### OpenCode / Windsurf Configuration Configure in your AI assistant's MCP settings: ```json { "mcpServers": { "code-pathfinder": { "command": "pathfinder", "args": ["serve", "--project", "/absolute/path/to/project"] } } } ``` ### Multiple Projects Configure multiple projects as separate MCP servers: ```json { "mcpServers": { "backend-api": { "command": "pathfinder", "args": ["serve", "--project", "/Users/you/code/backend"] }, "frontend-web": { "command": "pathfinder", "args": ["serve", "--project", "/Users/you/code/frontend"] }, "shared-lib": { "command": "pathfinder", "args": ["serve", "--project", "/Users/you/code/shared"] } } } ``` Your AI assistant will show all three as available MCP servers. You can query each independently, or prompt explicitly to strategically query flow across projects. Let your AI assistant drive code navigation to create a map-like understanding of how your microservices interact, trace data flows between frontend and backend, or analyze dependencies across your entire system architecture. ### Python Version Override Specify exact Python version when auto-detection fails: ```json { "mcpServers": { "code-pathfinder": { "command": "pathfinder", "args": [ "serve", "--project", "/path/to/project", "--python-version", "3.11" ] } } } ``` ### Using Local Binary If `pathfinder` isn't in your PATH: ```json { "mcpServers": { "code-pathfinder": { "command": "/absolute/path/to/pathfinder", "args": ["serve", "--project", "/path/to/project"] } } } ``` --- ## HTTP Transport Configuration ### Starting HTTP Server ```shell $ pathfinder serve --project /path/to/project --http --address :8080 ``` The server will listen on `http://localhost:8080` and accept MCP requests over HTTP. ### HTTP Endpoints #### Health Check ``` GET /health ``` Returns server status and readiness: ```json { "status": "ready", "version": "0.1.0-poc", "indexed_at": "2026-01-10T10:30:00Z" } ``` #### MCP JSON-RPC Endpoint ``` POST / ``` Accepts MCP JSON-RPC 2.0 requests: ```json { "jsonrpc": "2.0", "id": 1, "method": "tools/list", "params": {} } ``` --- ### MCP Tools API Reference URL: https://codepathfinder.dev/docs/mcp/tools-reference ## Overview Code Pathfinder exposes **12 MCP tools** to AI assistants — 8 for code intelligence (Python, Java, Go) and 4 for Docker analysis (Dockerfiles, docker-compose). All tools support **pagination** via `limit` and `cursor` parameters where applicable. ### Quick Reference | # | Tool | Category | Description | |---|------|----------|-------------| | 1 | `get_index_info` | Code | Codebase statistics and index health | | 2 | `find_symbol` | Code | Search symbols by name, type, or module | | 3 | `find_module` | Code | Search Python modules by name | | 4 | `list_modules` | Code | List all modules in the project | | 5 | `get_callers` | Code | Reverse call graph — who calls this? | | 6 | `get_callees` | Code | Forward call graph — what does this call? | | 7 | `get_call_details` | Code | Detailed call site between two functions | | 8 | `resolve_import` | Code | Resolve Python imports to file locations | | 9 | `find_dockerfile_instructions` | Docker | Search Dockerfile instructions | | 10 | `find_compose_services` | Docker | Search docker-compose services | | 11 | `get_dockerfile_details` | Docker | Full Dockerfile breakdown | | 12 | `get_docker_dependencies` | Docker | Docker entity dependency graph | --- ## Tool 1: get_index_info Retrieves project statistics and index metadata. Use this at the start of analysis to understand project scope. #### Purpose - Get high-level project overview - Check if indexing is complete - Retrieve build performance metrics - Understand codebase scale #### Input Parameters None required. #### Response Schema ```json { "project_path": "/absolute/path/to/project", "python_version": "3.11", "indexed_at": "2026-01-10T10:30:00Z", "build_duration_ms": 1234, "stats": { "total_functions": 456, "total_call_edges": 1203, "total_modules": 89, "total_files": 67, "taint_summaries": 234 } } ``` #### Example **User Query:** > Get project information and stats **AI Response:** ``` Your project at /Users/you/backend has: • 456 functions across 67 files • 89 modules with 1203 call relationships • Indexed 5 minutes ago in 1.2 seconds • Python 3.11 detected ``` --- ## Tool 2: find_symbol Locates functions, classes, or methods by name with partial matching support. #### Purpose - Find symbols by name (exact or fuzzy) - Discover functions matching a pattern - Get symbol metadata (types, decorators, parameters) - Navigate to symbol definitions #### Input Parameters | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `name` | string | Yes | Symbol name or pattern to search for | | `limit` | integer | No | Max results to return (default: 20) | | `cursor` | string | No | Pagination cursor for next page | #### Response Schema ```json { "symbols": [ { "name": "validate_user", "fully_qualified_name": "app.auth.validate_user", "type": "function", "file_path": "/project/app/auth.py", "line_number": 45, "metadata": { "return_type": "bool", "parameters": ["username", "password"], "decorators": ["@require_auth"], "is_async": false } } ], "next_cursor": "abc123", "total_matches": 5 } ``` #### Example Queries ``` Find all functions named validate_user ``` ``` Find symbols matching process_* ``` ``` Locate the User class definition ``` #### Example Response ``` Found 3 matches for "validate_*": 1. validate_user (function) Location: app/auth.py:45 FQN: app.auth.validate_user Parameters: username, password Returns: bool 2. validate_email (function) Location: app/utils.py:123 FQN: app.utils.validate_email 3. validate_token (function) Location: app/auth.py:89 FQN: app.auth.validate_token ``` --- ## Tool 3: get_callers Identifies all functions that invoke a target function (reverse call graph analysis). Answers "Who uses this function?" #### Purpose - Find all callers of a function - Understand function usage - Identify impact of changes - Trace backwards in call graph #### Input Parameters | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `function_fqn` | string | Yes | Fully qualified name of target function | | `limit` | integer | No | Max results to return (default: 20) | | `cursor` | string | No | Pagination cursor for next page | #### Response Schema ```json { "target_function": "app.auth.validate_user", "callers": [ { "caller_fqn": "app.api.login_endpoint", "caller_file": "/project/app/api.py", "caller_line": 78, "call_sites": [ { "file": "/project/app/api.py", "line": 82, "column": 12 } ] } ], "next_cursor": "xyz789", "total_callers": 12 } ``` #### Example Queries ``` What functions call validate_user? ``` ``` Show me all callers of process_payment ``` ``` Who uses the deprecated authenticate function? ``` #### Example Response ``` Found 12 functions that call app.auth.validate_user: 1. app.api.login_endpoint (app/api.py:82) 2. app.api.register_endpoint (app/api.py:145) 3. app.middleware.auth_middleware (app/middleware.py:34) 4. app.cli.login_command (app/cli.py:67) ... and 8 more (use pagination to see all) ``` --- ## Tool 4: get_callees Lists all functions invoked by a given function (forward call graph). Answers "What does this function depend on?" #### Purpose - Find function dependencies - Understand what a function calls - Trace forward in call graph - Analyze function complexity #### Input Parameters | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `function_fqn` | string | Yes | Fully qualified name of source function | | `limit` | integer | No | Max results to return (default: 20) | | `cursor` | string | No | Pagination cursor for next page | #### Response Schema ```json { "source_function": "app.api.login_endpoint", "callees": [ { "callee_fqn": "app.auth.validate_user", "callee_file": "/project/app/auth.py", "callee_line": 45, "resolution_status": "resolved", "call_site": { "file": "/project/app/api.py", "line": 82, "column": 12 }, "type_inference": { "confidence": "high", "method": "static_analysis" } } ], "unresolved_calls": [ { "name": "external_api_call", "reason": "Dynamic import or external library" } ], "next_cursor": "def456", "total_callees": 8 } ``` #### Example Queries ``` What functions does login_endpoint call? ``` ``` Show dependencies of process_payment ``` ``` What does the authenticate function depend on? ``` #### Example Response ``` app.api.login_endpoint calls 8 functions: Resolved (6): 1. app.auth.validate_user (app/auth.py:45) 2. app.db.get_user_by_email (app/db.py:123) 3. app.auth.generate_token (app/auth.py:89) 4. app.utils.log_event (app/utils.py:34) 5. app.db.update_last_login (app/db.py:156) 6. app.api.send_response (app/api.py:23) Unresolved (2): - redis.set (external library) - some_dynamic_function (dynamic resolution) ``` --- ## Tool 5: get_call_details Provides granular information about a specific call between two functions. #### Purpose - Get precise call site locations - Analyze call arguments - Understand type resolution - Debug specific call relationships #### Input Parameters | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `caller_fqn` | string | Yes | Fully qualified name of caller function | | `callee_fqn` | string | Yes | Fully qualified name of callee function | #### Response Schema ```json { "caller": "app.api.login_endpoint", "callee": "app.auth.validate_user", "call_details": { "file": "/project/app/api.py", "line": 82, "column": 12, "arguments": [ { "name": "username", "value": "request.form['username']" }, { "name": "password", "value": "request.form['password']" } ], "resolution": { "status": "resolved", "confidence": "high", "method": "static_type_inference" }, "context": { "in_try_block": true, "in_loop": false, "is_conditional": false } } } ``` #### Example Queries ``` Show me details of the call from login_endpoint to validate_user ``` ``` Get call site information between process_payment and charge_card ``` #### Example Response ``` Call from app.api.login_endpoint to app.auth.validate_user: Location: app/api.py:82:12 Arguments: - username: request.form['username'] - password: request.form['password'] Resolution: High confidence (static type inference) Context: Inside try-except block ``` --- ## Tool 6: resolve_import Maps Python import paths to actual file locations. #### Purpose - Resolve import statements - Find module file paths - Handle ambiguous imports - Navigate import chains #### Input Parameters | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `import_path` | string | Yes | Import path to resolve (e.g., "app.auth") | #### Response Schema ```json { "import_path": "app.auth", "matches": [ { "file_path": "/project/app/auth.py", "module_fqn": "app.auth", "match_type": "exact" } ], "match_status": "exact" | "partial" | "ambiguous" | "not_found", "suggestions": [ "app.authentication", "app.auth_utils" ] } ``` #### Example Queries ``` Where is the import "app.auth" located? ``` ``` Resolve the import path for utils.validators ``` ``` Find the file for django.contrib.auth import ``` #### Example Response ``` Import "app.auth" resolves to: File: /project/app/auth.py Module: app.auth Match: Exact No ambiguity found. ``` --- ## Tool 7: find_module Search for Python modules by name. Returns module information including file path and function counts. #### Purpose - Find module file locations - Understand module structure and size - Navigate between modules - Discover modules by partial name #### Input Parameters | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `name` | string | Yes | Module name — FQN (`myapp.auth`) or short name (`auth`) | #### Example Queries ``` Find the auth module ``` ``` Where is the models.user module? ``` #### Example Response ``` Found 2 modules matching "auth": 1. myapp.auth File: /project/myapp/auth.py Functions: 12 2. myapp.api.auth File: /project/myapp/api/auth.py Functions: 8 ``` --- ## Tool 8: list_modules List all modules in the indexed project with their file paths and function counts. #### Purpose - Get a complete overview of project modules - Understand project structure - Find the largest/most complex modules #### Input Parameters None required. #### Example Queries ``` List all modules in the project ``` ``` Show me the project structure ``` --- ## Tool 9: find_dockerfile_instructions Search Dockerfile instructions with semantic filtering. Supports instruction-specific filters for FROM, RUN, USER, EXPOSE, COPY, ADD, and more. #### Purpose - Find unpinned base images (`has_digest: false`) - Locate specific instruction types - Audit exposed ports - Check USER directives for non-root enforcement #### Input Parameters | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `instruction_type` | string | No | Filter by type: FROM, RUN, USER, EXPOSE, COPY, ADD, WORKDIR, etc. | | `file_path` | string | No | Filter by Dockerfile path (partial matching) | | `base_image` | string | No | Filter FROM instructions by base image name (e.g., `python`, `alpine`) | | `port` | integer | No | Filter EXPOSE instructions by port number | | `has_digest` | boolean | No | Filter FROM instructions by digest pinning (`true` = pinned, `false` = unpinned) | | `user` | string | No | Filter USER instructions by username | | `limit` | integer | No | Max results (default: 100) | #### Example Queries ``` Find all Dockerfiles with unpinned base images ``` ``` Show me all EXPOSE instructions on port 8080 ``` ``` Which Dockerfiles use the python base image? ``` #### Example Response ``` Found 3 unpinned FROM instructions: 1. Dockerfile:1 — FROM python:3.11-slim (no digest) 2. services/api/Dockerfile:1 — FROM node:18-alpine (no digest) 3. services/worker/Dockerfile:1 — FROM golang:1.21 (no digest) ``` --- ## Tool 10: find_compose_services Search docker-compose services with configuration filters. Find services by name, privileged mode, volumes, or exposed ports. #### Purpose - Find privileged containers (security risk) - Locate services exposing specific ports - Find services mounting sensitive volumes (e.g., Docker socket) - Audit service configurations #### Input Parameters | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `service_name` | string | No | Filter by service name (partial matching) | | `file_path` | string | No | Filter by docker-compose.yml path | | `has_privileged` | boolean | No | Filter by privileged mode (`true` = privileged only) | | `exposes_port` | integer | No | Filter services exposing a specific port | | `has_volume` | string | No | Filter services with a specific volume path | | `limit` | integer | No | Max results (default: 100) | #### Example Queries ``` Find all privileged containers in docker-compose ``` ``` Which services mount the Docker socket? ``` ``` Show services exposing port 443 ``` #### Example Response ``` Found 1 privileged service: 1. web (docker-compose.yml:5) Image: nginx:latest Privileged: true Network mode: host Volumes: /var/run/docker.sock:/var/run/docker.sock Capabilities: SYS_ADMIN, NET_ADMIN ``` --- ## Tool 11: get_dockerfile_details Get a complete breakdown of a single Dockerfile with all instructions and multi-stage build analysis. #### Purpose - Understand full Dockerfile structure - Analyze multi-stage build dependencies - Check for security best practices (USER, HEALTHCHECK) - Identify unpinned images #### Input Parameters | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `file_path` | string | Yes | Path to the Dockerfile | #### Example Queries ``` Show me the full breakdown of the API Dockerfile ``` ``` Analyze the multi-stage build in services/app/Dockerfile ``` #### Example Response ``` Dockerfile: services/api/Dockerfile Total instructions: 15 Multi-stage: Yes (2 stages: builder, runtime) Summary: ✓ Has USER instruction (appuser) ✗ Missing HEALTHCHECK ⚠ 1 unpinned base image Stages: 1. builder (golang:1.21-alpine) 2. runtime (alpine:3.19) ``` --- ## Tool 12: get_docker_dependencies Retrieve dependency information for Docker entities — compose services (`depends_on`) or Dockerfile stages (`COPY --from`). Traverses upstream and downstream dependency chains. #### Purpose - Map service dependencies in docker-compose - Analyze multi-stage Dockerfile build order - Understand deployment topology - Trace dependency chains #### Input Parameters | Parameter | Type | Required | Description | |-----------|------|----------|-------------| | `type` | string | Yes | Entity type: `compose` or `dockerfile` | | `name` | string | Yes | Entity name: service name or stage name | | `file_path` | string | No | Filter to specific file path | | `direction` | string | No | `upstream` (dependencies), `downstream` (dependents), or `both` (default) | | `max_depth` | integer | No | Maximum traversal depth (default: 10) | #### Example Queries ``` Show me all dependencies for the web service ``` ``` What depends on the database service? ``` ``` Show the build dependency chain for the Dockerfile builder stage ``` #### Example Response ``` Service: web (docker-compose.yml:12) Direction: both Upstream (web depends on): → api (docker-compose.yml:5) → redis (docker-compose.yml:20) Downstream (depends on web): → nginx (docker-compose.yml:30) Chain: redis → api → web → nginx ``` --- ## Pagination Most tools support pagination for large result sets: ```json { "limit": 20, "cursor": "next_page_token_here" } ``` To get the next page, use the `next_cursor` from the previous response: ``` Get callers of validate_user (next page with cursor abc123) ``` --- ## Error Handling All tools return structured errors: ```json { "error": { "code": "SYMBOL_NOT_FOUND", "message": "Symbol 'invalid_function' not found in index", "details": { "searched_name": "invalid_function", "suggestions": ["validate_function", "valid_function"] } } } ``` Common error codes: - `SYMBOL_NOT_FOUND` - Symbol doesn't exist - `INVALID_FQN` - Malformed fully qualified name - `INDEX_NOT_READY` - Project not yet indexed - `PAGINATION_ERROR` - Invalid cursor --- ## Best Practices 1. **Start with get_index_info** to verify the server is ready 2. **Use find_symbol** for fuzzy matching before get_callers/callees 3. **Paginate large results** instead of requesting everything at once 4. **Cache results** when possible to reduce server load 5. **Use fully qualified names** (FQN) for precise targeting --- ## Security Rules Registry (211 rules) ## Docker Rules (37) ### DOCKER-AUD-001: Dockerfile Source Not Pinned - Severity: LOW | CWE: CWE-1188 - Language: docker | Category: audit - URL: https://codepathfinder.dev/registry/docker/audit/DOCKER-AUD-001 - Detection: pathfinder scan --ruleset docker/DOCKER-AUD-001 --project . FROM instruction without digest pinning. Consider using @sha256:... for immutable builds. **Vulnerable Code:** ``` # Bad: Tag can be updated to point to different image FROM nginx:1.24.0 FROM ubuntu:latest # Especially bad - very mutable # These can all change over time FROM node:18 FROM python:3.11-slim ``` --- ### DOCKER-AUD-003: Privileged Port Exposed - Severity: MEDIUM | CWE: CWE-250 - Language: docker | Category: audit - URL: https://codepathfinder.dev/registry/docker/audit/DOCKER-AUD-003 - Detection: pathfinder scan --ruleset docker/DOCKER-AUD-003 --project . Exposing port below 1024 typically requires root privileges to bind. Consider using non-privileged ports (>1024) with port mapping or granting CAP_NET_BIND_SERVICE capability. **Vulnerable Code:** ``` FROM ubuntu:22.04 RUN apt-get update && \ apt-get install -y --no-install-recommends nginx && \ rm -rf /var/lib/apt/lists/* # Bad: Requires root to bind EXPOSE 80 CMD ["nginx", "-g", "daemon off;"] ``` --- ### DOCKER-BP-001: Base Image Uses :latest Tag - Severity: MEDIUM | CWE: CWE-1188 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-001 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-001 --project . Base image uses ':latest' tag or no tag (defaults to latest). This makes builds non-reproducible. **Vulnerable Code:** ``` # Bad: Uses implicit :latest tag FROM ubuntu # Bad: Explicit :latest tag FROM python:latest # Bad: Missing digest verification FROM node:18-alpine # Multiple stages with :latest FROM maven:latest AS builder FROM openjdk:latest ``` --- ### DOCKER-BP-003: Deprecated MAINTAINER Instruction - Severity: INFO | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-003 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-003 --project . MAINTAINER instruction is deprecated. Use LABEL org.opencontainers.image.authors instead. **Vulnerable Code:** ``` FROM ubuntu:22.04 # Deprecated: Old-style maintainer MAINTAINER John Doe RUN apt-get update && apt-get install -y nginx CMD ["nginx", "-g", "daemon off;"] ``` --- ### DOCKER-BP-005: apt-get Without --no-install-recommends - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-005 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-005 --project . apt-get install without --no-install-recommends. This installs unnecessary packages, increasing image size and attack surface. **Vulnerable Code:** ``` FROM ubuntu:22.04 # Bad: Installs nginx + 50+ recommended packages RUN apt-get update && \ apt-get install -y nginx curl # This pulls in: # - X11 libraries (for desktop apps, not needed in containers) # - Documentation packages # - Example/demo files # - Optional utilities ``` --- ### DOCKER-BP-006: Avoid apt-get upgrade - Severity: MEDIUM | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-006 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-006 --project . Avoid apt-get upgrade in Dockerfiles. Use specific base image versions instead. **Vulnerable Code:** ``` FROM ubuntu:latest RUN apt-get update && apt-get upgrade -y # ❌ Bad practice ``` --- ### DOCKER-BP-007: apk add Without --no-cache - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-007 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-007 --project . apk add without --no-cache. Package cache remains in image, increasing size by 2-5 MB. **Vulnerable Code:** ``` FROM alpine:3.19 # Bad: Leaves package cache in image RUN apk update RUN apk add \ nginx \ curl \ ca-certificates # Cache files remain in /var/cache/apk/* # Adds 2-5 MB of unnecessary data ``` --- ### DOCKER-BP-008: pip install Without --no-cache-dir - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-008 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-008 --project . pip install without --no-cache-dir. Pip cache remains in image, adding 50-200 MB depending on dependencies. **Vulnerable Code:** ``` FROM python:3.11-slim WORKDIR /app COPY requirements.txt . # Bad: Retains pip cache RUN pip install -r requirements.txt # Cache remains in /root/.cache/pip/ # Adds 50-200 MB depending on dependencies ``` --- ### DOCKER-BP-009: Avoid dnf update - Severity: MEDIUM | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-009 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-009 --project . Avoid 'dnf update' in Dockerfiles. Use specific base image versions for reproducible builds. **Vulnerable Code:** ``` FROM fedora:latest RUN dnf update -y # Bad: Unpredictable, non-reproducible builds RUN dnf install -y nginx ``` --- ### DOCKER-BP-010: Missing pipefail in Shell Commands - Severity: MEDIUM | CWE: CWE-703 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-010 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-010 --project . RUN instruction uses pipes without 'set -o pipefail'. This masks failures in piped commands. **Vulnerable Code:** ``` RUN wget -O - https://example.com | tar xz # ❌ wget failure ignored ``` --- ### DOCKER-BP-011: Prefer COPY Over ADD - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-011 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-011 --project . Use COPY instead of ADD for simple file operations. ADD has implicit behavior that can be surprising. **Vulnerable Code:** ``` FROM ubuntu:22.04 ADD app.tar.gz /app/ ADD https://example.com/file /tmp/ ``` --- ### DOCKER-BP-012: Missing yum clean all - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-012 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-012 --project . RUN instruction uses 'yum install' without 'yum clean all'. This leaves package cache and increases image size. **Vulnerable Code:** ``` FROM centos:8 # Bad: Leaves yum cache, increases image size RUN yum install -y nginx ``` --- ### DOCKER-BP-013: Missing dnf clean all - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-013 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-013 --project . RUN uses 'dnf install' without 'dnf clean all'. This increases image size. **Vulnerable Code:** ``` FROM fedora:38 # Bad: Leaves dnf cache, increases image size RUN dnf install -y nginx ``` --- ### DOCKER-BP-014: Remove apt Package Lists - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-014 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-014 --project . apt-get install without removing /var/lib/apt/lists/*. This wastes image space. **Vulnerable Code:** ``` FROM ubuntu:22.04 # Bad: Leaves package lists, increases image size RUN apt-get update && apt-get install -y nginx ``` --- ### DOCKER-BP-015: Missing Image Version - Severity: HIGH | CWE: CWE-1188 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-015 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-015 --project . FROM instruction uses 'latest' tag or no tag. Specify explicit versions for reproducible builds. **Vulnerable Code:** ``` FROM ubuntu # No tag = latest FROM nginx:latest # Explicit latest ``` --- ### DOCKER-BP-016: Prefer JSON Notation for CMD/ENTRYPOINT - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-016 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-016 --project . Use JSON notation (exec form) for CMD/ENTRYPOINT for proper signal handling. **Vulnerable Code:** ``` FROM nginx:alpine # Bad: Shell form - signals not handled correctly CMD nginx -g "daemon off;" ENTRYPOINT /app/start.sh ``` --- ### DOCKER-BP-017: Use WORKDIR Instead of cd - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-017 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-017 --project . Use WORKDIR instruction instead of 'cd' in RUN commands. **Vulnerable Code:** ``` FROM node:18 COPY . . # Bad: cd doesn't persist, must chain all commands RUN cd /app && npm install RUN cd /app && npm build # Must repeat cd ``` --- ### DOCKER-BP-018: Use Absolute Path in WORKDIR - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-018 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-018 --project . WORKDIR should use absolute paths starting with /. **Vulnerable Code:** ``` FROM node:18 # Bad: Relative path - where is this relative to? WORKDIR app WORKDIR src # Now at some-unknown-path/app/src ``` --- ### DOCKER-BP-019: Avoid zypper update - Severity: MEDIUM | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-019 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-019 --project . Avoid 'zypper update' in Dockerfiles. Use specific base image versions for reproducible builds. **Vulnerable Code:** ``` FROM opensuse/leap:latest RUN zypper update -y # Bad: Unpredictable, non-reproducible builds RUN zypper install -y nginx ``` --- ### DOCKER-BP-020: Missing zypper clean - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-020 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-020 --project . RUN uses 'zypper install' without 'zypper clean'. This increases image size. **Vulnerable Code:** ``` FROM opensuse/leap:15.4 # Bad: Leaves zypper cache, increases image size RUN zypper install -y nginx ``` --- ### DOCKER-BP-021: Missing -y flag for apt-get - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-021 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-021 --project . apt-get install without -y flag. Add -y or --yes for non-interactive builds. **Vulnerable Code:** ``` FROM ubuntu:22.04 # Bad: Missing -y flag # Build will hang waiting for user confirmation RUN apt-get update RUN apt-get install nginx curl # This will fail in CI/CD pipelines ``` --- ### DOCKER-BP-022: Missing HEALTHCHECK Instruction - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-022 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-022 --project . No HEALTHCHECK instruction. Container health cannot be monitored by orchestrators, reducing reliability and observability. **Vulnerable Code:** ``` FROM python:3.11-slim WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir -r requirements.txt COPY . . # No HEALTHCHECK - orchestrator cannot detect app failures CMD ["python", "app.py"] ``` --- ### DOCKER-BP-023: Prefer apt-get over apt - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-023 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-023 --project . Use apt-get instead of apt for better script stability in Dockerfiles. **Vulnerable Code:** ``` FROM ubuntu:22.04 # Bad: apt is for interactive use, unstable in scripts RUN apt update && apt install -y nginx ``` --- ### DOCKER-BP-024: Install Only One of wget or curl - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-024 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-024 --project . Installing both wget and curl wastes space. Choose one tool for downloads. **Vulnerable Code:** ``` FROM ubuntu:22.04 # Bad: Installing both wget and curl wastes space RUN apt-get update && apt-get install -y wget curl ``` --- ### DOCKER-BP-025: Missing -y flag for yum - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-025 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-025 --project . yum install without -y flag. Add -y for non-interactive builds. **Vulnerable Code:** ``` FROM centos:7 # Bad: Missing -y flag # Build will hang waiting for confirmation RUN yum install httpd mod_ssl ``` --- ### DOCKER-BP-026: Missing -y flag for dnf - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-026 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-026 --project . dnf install without -y flag. Add -y for non-interactive builds. **Vulnerable Code:** ``` FROM fedora:39 # Bad: Missing -y flag # Build will hang waiting for confirmation RUN dnf install nginx ``` --- ### DOCKER-BP-027: Avoid --platform Flag with FROM - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-027 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-027 --project . FROM with --platform flag reduces portability. Let Docker handle platform selection. **Vulnerable Code:** ``` # Bad: Hardcoded platform prevents portability FROM --platform=linux/amd64 ubuntu:22.04 RUN apt-get update && apt-get install -y nginx ``` --- ### DOCKER-BP-028: Avoid apk upgrade - Severity: MEDIUM | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-028 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-028 --project . Avoid 'apk upgrade' in Dockerfiles. Use specific base image versions instead for reproducible builds. **Vulnerable Code:** ``` FROM alpine:3.19 # Bad: Using apk upgrade # Makes builds non-reproducible RUN apk update && apk upgrade RUN apk add nginx ``` --- ### DOCKER-BP-029: Avoid yum update - Severity: MEDIUM | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-029 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-029 --project . Avoid 'yum update' in Dockerfiles. Use specific base image versions for reproducible builds. **Vulnerable Code:** ``` FROM centos:latest RUN yum update -y # Bad: Unpredictable, non-reproducible builds RUN yum install -y httpd ``` --- ### DOCKER-BP-030: Nonsensical Command - Severity: LOW | CWE: CWE-710 - Language: docker | Category: best-practice - URL: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-030 - Detection: pathfinder scan --ruleset docker/DOCKER-BP-030 --project . RUN command uses 'cd' which doesn't persist. Use WORKDIR instead. **Vulnerable Code:** ``` FROM ubuntu:22.04 # Bad: cd in chain is confusing and pointless RUN apt-get update && cd /tmp && apt-get install -y nginx RUN mkdir /app; cd /app; touch file.txt ``` --- ### DOCKER-COR-001: Multiple ENTRYPOINT Instructions - Severity: MEDIUM | CWE: CWE-710 - Language: docker | Category: correctness - URL: https://codepathfinder.dev/registry/docker/correctness/DOCKER-COR-001 - Detection: pathfinder scan --ruleset docker/DOCKER-COR-001 --project . Dockerfile has multiple ENTRYPOINT instructions. Only the last one takes effect, making earlier ones misleading. **Vulnerable Code:** ``` FROM ubuntu:22.04 # Bad: Multiple ENTRYPOINTs - only last one is used ENTRYPOINT ["/bin/sh"] # Ignored silently ENTRYPOINT ["/usr/bin/python3"] # Ignored silently ENTRYPOINT ["/app/start.sh"] # Only this one takes effect ``` --- ### DOCKER-COR-002: Invalid Port Number - Severity: HIGH | CWE: CWE-20 - Language: docker | Category: correctness - URL: https://codepathfinder.dev/registry/docker/correctness/DOCKER-COR-002 - Detection: pathfinder scan --ruleset docker/DOCKER-COR-002 --project . EXPOSE instruction has invalid port number. Valid ports are 1-65535. **Vulnerable Code:** ``` EXPOSE 0 EXPOSE 70000 ``` --- ### DOCKER-COR-003: Multiple CMD Instructions - Severity: MEDIUM | CWE: CWE-710 - Language: docker | Category: correctness - URL: https://codepathfinder.dev/registry/docker/correctness/DOCKER-COR-003 - Detection: pathfinder scan --ruleset docker/DOCKER-COR-003 --project . Multiple CMD instructions detected. Only the last one takes effect. **Vulnerable Code:** ``` FROM ubuntu:22.04 # Bad: Multiple CMDs - only last one is used CMD ["echo", "first"] # Ignored silently CMD ["python3", "app.py"] # Ignored silently CMD ["nginx", "-g", "daemon off;"] # Only this one takes effect ``` --- ### DOCKER-SEC-001: Container Running as Root - Missing USER - Severity: HIGH | CWE: CWE-250 - Language: docker | Category: security - URL: https://codepathfinder.dev/registry/docker/security/DOCKER-SEC-001 - Detection: pathfinder scan --ruleset docker/DOCKER-SEC-001 --project . Dockerfile does not specify USER instruction. Container will run as root by default, which increases the attack surface if the container is compromised. **Vulnerable Code:** ``` FROM ubuntu:22.04 # No USER instruction - container runs as root RUN apt-get update && apt-get install -y nginx COPY app /app CMD ["nginx", "-g", "daemon off;"] ``` --- ### DOCKER-SEC-005: Secret in Build Argument - Severity: CRITICAL | CWE: CWE-538 - Language: docker | Category: security - URL: https://codepathfinder.dev/registry/docker/security/DOCKER-SEC-005 - Detection: pathfinder scan --ruleset docker/DOCKER-SEC-005 --project . Build argument name suggests it contains a secret. ARG values are visible in image history via 'docker history'. **Vulnerable Code:** ``` FROM python:3.11-slim # CRITICAL VULNERABILITY: Secret in build arg ARG API_KEY ARG DATABASE_PASSWORD ARG GITHUB_TOKEN ARG AWS_SECRET_ACCESS_KEY # These secrets are now permanently in the image! RUN pip install --index-url=https://user:${GITHUB_TOKEN}@github.com/ my-private-package RUN echo "DB_PASS=${DATABASE_PASSWORD}" > /app/config.ini ``` --- ### DOCKER-SEC-006: Docker Socket Mounted as Volume - Severity: CRITICAL | CWE: CWE-250 - Language: docker | Category: security - URL: https://codepathfinder.dev/registry/docker/security/DOCKER-SEC-006 - Detection: pathfinder scan --ruleset docker/DOCKER-SEC-006 --project . Dockerfile mounts Docker socket. This gives the container full control over the host Docker daemon, equivalent to root access. **Vulnerable Code:** ``` FROM docker:latest # CRITICAL: Exposes Docker socket as volume VOLUME ["/var/run/docker.sock"] # This container can now control the host Docker daemon CMD ["docker", "ps"] ``` --- ### DOCKER-SEC-007: Sudo Usage in Dockerfile - Severity: MEDIUM | CWE: CWE-250 - Language: docker | Category: security - URL: https://codepathfinder.dev/registry/docker/security/DOCKER-SEC-007 - Detection: pathfinder scan --ruleset docker/DOCKER-SEC-007 --project . Dockerfile uses sudo in RUN instructions. This is unnecessary during build (already root) and increases security risk if sudo remains in the final image. Use USER instruction for privilege changes instead. **Vulnerable Code:** ``` FROM ubuntu:latest # Installing sudo (unnecessary and dangerous) RUN apt-get update && apt-get install -y sudo # Using sudo in RUN (redundant - already root) RUN sudo apt-get install -y nginx # Creating sudoers file (privilege escalation risk) RUN echo "appuser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers USER appuser # Now attacker with access can easily become root CMD ["sudo", "/bin/bash"] ``` --- ## Docker-compose Rules (10) ### COMPOSE-SEC-001: Service Running in Privileged Mode - Severity: CRITICAL | CWE: CWE-250 - Language: docker-compose | Category: security - URL: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-001 - Detection: pathfinder scan --ruleset docker-compose/COMPOSE-SEC-001 --project . Service is running in privileged mode. This grants container equivalent of root capabilities on the host machine. Can lead to container escapes and privilege escalation. **Vulnerable Code:** ``` version: '3.8' services: # CRITICAL SECURITY ISSUE docker_runner: image: gitlab/gitlab-runner:latest privileged: true # DANGEROUS! volumes: - /var/run/docker.sock:/var/run/docker.sock ``` --- ### COMPOSE-SEC-002: Docker Socket Exposed to Container - Severity: CRITICAL | CWE: CWE-250 - Language: docker-compose | Category: security - URL: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-002 - Detection: pathfinder scan --ruleset docker-compose/COMPOSE-SEC-002 --project . Service mounts Docker socket. The owner of this socket is root. Giving container access to it is equivalent to giving unrestricted root access to host. **Vulnerable Code:** ``` version: '3.8' services: # CRITICAL SECURITY ISSUE portainer: image: portainer/portainer-ce volumes: - /var/run/docker.sock:/var/run/docker.sock # DANGEROUS! ports: - "9000:9000" ``` --- ### COMPOSE-SEC-003: Seccomp Confinement Disabled - Severity: HIGH | CWE: CWE-284 - Language: docker-compose | Category: security - URL: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-003 - Detection: pathfinder scan --ruleset docker-compose/COMPOSE-SEC-003 --project . Service disables seccomp profile. Container can use all system calls, increasing attack surface. **Vulnerable Code:** ``` version: '3.8' services: app: image: myapp security_opt: - seccomp:unconfined # DANGEROUS - Allows all syscalls ``` --- ### COMPOSE-SEC-006: Container Filesystem is Writable - Severity: LOW | CWE: CWE-732 - Language: docker-compose | Category: security - URL: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-006 - Detection: pathfinder scan --ruleset docker-compose/COMPOSE-SEC-006 --project . Service has writable root filesystem. Consider making it read-only for better security. **Vulnerable Code:** ``` services: web: image: nginx # Writable filesystem (default) - can be modified by attackers ``` --- ### COMPOSE-SEC-007: Using Host Network Mode - Severity: HIGH | CWE: CWE-250 - Language: docker-compose | Category: security - URL: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-007 - Detection: pathfinder scan --ruleset docker-compose/COMPOSE-SEC-007 --project . Service uses host network mode. Container shares host network stack, bypassing network isolation. **Vulnerable Code:** ``` services: app: image: myapp network_mode: host # DANGEROUS - No network isolation ``` --- ### COMPOSE-SEC-008: Dangerous Capability Added - Severity: HIGH | CWE: CWE-250 - Language: docker-compose | Category: security - URL: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-008 - Detection: pathfinder scan --ruleset docker-compose/COMPOSE-SEC-008 --project . Service adds dangerous capability. These capabilities can be used for container escape or privilege escalation. **Vulnerable Code:** ``` services: app: image: myapp cap_add: - SYS_ADMIN # DANGEROUS - Can escape container - NET_ADMIN # RISKY - Full network control ``` --- ### COMPOSE-SEC-009: Using Host PID Mode - Severity: HIGH | CWE: CWE-250 - Language: docker-compose | Category: security - URL: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-009 - Detection: pathfinder scan --ruleset docker-compose/COMPOSE-SEC-009 --project . Service uses host PID namespace. Container can see and potentially signal host processes. **Vulnerable Code:** ``` services: monitor: image: monitoring-tool pid: host # DANGEROUS - Can see and signal all host processes ``` --- ### COMPOSE-SEC-010: Using Host IPC Mode - Severity: MEDIUM | CWE: CWE-250 - Language: docker-compose | Category: security - URL: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-010 - Detection: pathfinder scan --ruleset docker-compose/COMPOSE-SEC-010 --project . Service uses host IPC namespace. Container shares inter-process communication with host. **Vulnerable Code:** ``` services: app: image: myapp ipc: host # Shares IPC namespace with host ``` --- ### COMPOSE-SEC-011: Missing no-new-privileges Security Option - Severity: MEDIUM | CWE: CWE-732 - Language: docker-compose | Category: security - URL: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-011 - Detection: pathfinder scan --ruleset docker-compose/COMPOSE-SEC-011 --project . Service does not have no-new-privileges security option. Without this, processes inside the container can gain additional privileges via setuid binaries or capability escalation. **Vulnerable Code:** ``` version: '3' services: web: image: nginx # Missing no-new-privileges - VULNERABLE # Attacker can exploit setuid binaries user: www-data ``` --- ### COMPOSE-SEC-012: SELinux Separation Disabled - Severity: MEDIUM | CWE: CWE-732 - Language: docker-compose | Category: security - URL: https://codepathfinder.dev/registry/docker-compose/security/COMPOSE-SEC-012 - Detection: pathfinder scan --ruleset docker-compose/COMPOSE-SEC-012 --project . Service has label:disable in security_opt, which disables SELinux mandatory access control. This removes an important defense-in-depth layer for container isolation. **Vulnerable Code:** ``` version: '3' services: web: image: nginx security_opt: - label:disable # CRITICAL: Disables SELinux protection # Container can now bypass SELinux MAC controls ``` --- ## Golang Rules (21) ### GO-CRYPTO-001: Use of MD5 Weak Hash Algorithm - Severity: HIGH | CWE: CWE-328, CWE-916 | OWASP: A02:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-CRYPTO-001 - Detection: pathfinder scan --ruleset golang/GO-CRYPTO-001 --project . Detects use of MD5 (crypto/md5) which is cryptographically broken — collision attacks are feasible in seconds and GPU cracking reaches 164 billion hashes/second. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-CRYPTO-001 positive test cases — all SHOULD be detected package main import "crypto/md5" func weakMD5New() []byte { h := md5.New() // SINK: MD5 is collision-broken h.Write([]byte("data")) return h.Sum(nil) } func weakMD5Sum() { data := []byte("important data") hash := md5.Sum(data) // SINK: MD5 weak hash _ = hash } # --- file: go.mod --- module example.com/go-crypto-001/positive go 1.21 # --- file: go.sum --- ``` --- ### GO-CRYPTO-002: Use of SHA1 Weak Hash Algorithm - Severity: HIGH | CWE: CWE-328 | OWASP: A02:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-CRYPTO-002 - Detection: pathfinder scan --ruleset golang/GO-CRYPTO-002 --project . Detects use of SHA1 (crypto/sha1) which has a proven collision (SHAttered, 2017) and is deprecated by NIST for all applications through 2030. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-CRYPTO-002 positive test cases — all SHOULD be detected package main import "crypto/sha1" func weakSHA1New() { h := sha1.New() // SINK: SHA1 collision attack known h.Write([]byte("data")) _ = h.Sum(nil) } func weakSHA1Sum() { hash := sha1.Sum([]byte("data")) // SINK: SHA1 weak hash _ = hash } # --- file: go.mod --- module example.com/go-crypto-002/positive go 1.21 # --- file: go.sum --- ``` --- ### GO-CRYPTO-003: Use of DES or 3DES Weak Cipher - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-CRYPTO-003 - Detection: pathfinder scan --ruleset golang/GO-CRYPTO-003 --project . Detects use of DES/3DES (crypto/des) — DES uses a 56-bit key exhausted in 22 hours (1999); 3DES is vulnerable to the SWEET32 birthday attack and disallowed by NIST after December 31, 2023. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-CRYPTO-003 positive test cases — all SHOULD be detected package main import "crypto/des" func brokenDES() { key := []byte("12345678") _, _ = des.NewCipher(key) // SINK: DES 56-bit key, brute-forceable } func brokenTripleDES() { key := make([]byte, 24) _, _ = des.NewTripleDESCipher(key) // SINK: 3DES deprecated } # --- file: go.mod --- module example.com/go-crypto-003/positive go 1.21 # --- file: go.sum --- ``` --- ### GO-CRYPTO-004: Use of RC4 Stream Cipher - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-CRYPTO-004 - Detection: pathfinder scan --ruleset golang/GO-CRYPTO-004 --project . Detects use of RC4 (crypto/rc4) which is prohibited in TLS by RFC 7465 (2015), has known statistical keystream biases, and is labeled "cryptographically broken" in the Go standard library. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-CRYPTO-004 positive test cases — all SHOULD be detected package main import "crypto/rc4" func brokenRC4Cipher() { key := []byte("secretkey") _, _ = rc4.NewCipher(key) // SINK: RC4 banned in TLS } # --- file: go.mod --- module example.com/go-crypto-004/positive go 1.21 # --- file: go.sum --- ``` --- ### GO-CRYPTO-005: MD5 Used for Password Hashing - Severity: CRITICAL | CWE: CWE-916, CWE-327, CWE-328 | OWASP: A02:2021, A07:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-CRYPTO-005 - Detection: pathfinder scan --ruleset golang/GO-CRYPTO-005 --project . MD5 hash output flows into password-related functions — MD5 runs at 164 billion hashes/second on a single GPU, making any MD5-hashed password database crackable in seconds to minutes. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-CRYPTO-005 positive test cases — all SHOULD be detected package main import ( "crypto/md5" "fmt" ) // savePassword stores a hashed password — name matches *password* sink pattern func savePassword(hash string) { fmt.Println("stored:", hash) } // storeUserPassword demonstrates MD5 output flowing into a password-named function func storeUserPassword(username, plaintext string) { sum := md5.Sum([]byte(plaintext)) // SOURCE: md5 hash output savePas ``` --- ### GO-GORM-SQLI-001: SQL Injection via GORM Raw/Exec - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-GORM-SQLI-001 - Detection: pathfinder scan --ruleset golang/GO-GORM-SQLI-001 --project . User-controlled input flows into GORM Raw() or Exec() raw SQL methods without parameterization — GORM's ORM safety guarantees do not apply to Raw/Exec with string concatenation. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-GORM-SQLI-001 positive test cases — all SHOULD be detected package main import ( "net/http" "github.com/gin-gonic/gin" "gorm.io/gorm" ) func gormExecInjection(db *gorm.DB, c *gin.Context) { id := c.Param("id") // source db.Exec("DELETE FROM sessions WHERE user_id = " + id) // SINK: standalone Exec } func gormRawWithStringConcat(db *gorm.DB, r *http.Request) { search := r.FormValue("search") ``` --- ### GO-GORM-SQLI-002: SQL Injection via GORM Query Builder Methods - Severity: HIGH | CWE: CWE-89 | OWASP: A03:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-GORM-SQLI-002 - Detection: pathfinder scan --ruleset golang/GO-GORM-SQLI-002 --project . User-controlled input flows into GORM query builder methods (Order, Where, Group, Having) that accept raw SQL string fragments — GORM does not escape these clause arguments. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-GORM-SQLI-002 positive test cases — all SHOULD be detected package main import ( "net/http" "github.com/gin-gonic/gin" "gorm.io/gorm" ) func gormOrderInjection(db *gorm.DB, c *gin.Context) { sort := c.Query("sort") // source db.Order(sort) // SINK: ORDER BY injection } func gormWhereInjection(db *gorm.DB, r *http.Request) { filter := r.FormValue("filter") // source db.Where(filter) // SINK: WHERE injection } func gormGroup ``` --- ### GO-JWT-002: JWT Parsed Without Signature Verification - Severity: HIGH | CWE: CWE-345, CWE-347 | OWASP: A08:2021, A07:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-JWT-002 - Detection: pathfinder scan --ruleset golang/GO-JWT-002 --project . jwt.ParseUnverified() skips signature validation entirely — any attacker can forge arbitrary JWT claims (sub, role, admin) without knowing the signing key. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-JWT-002 positive test cases — all SHOULD be detected package main import ( "net/http" jwt "github.com/golang-jwt/jwt/v5" ) func jwtParseUnverified(r *http.Request) { tokenStr := r.Header.Get("Authorization") parser := jwt.NewParser() // SINK: ParseUnverified skips signature check — forged tokens accepted token, _, _ := parser.ParseUnverified(tokenStr, &jwt.MapClaims{}) _ = token } func jwtParseUnverifiedRaw() { tokenStr := "eyJhbGciOiJub25lIn0.eyJh ``` --- ### GO-NET-001: HTTP Server Without TLS - Severity: HIGH | CWE: CWE-319 | OWASP: A02:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-NET-001 - Detection: pathfinder scan --ruleset golang/GO-NET-001 --project . Detects http.ListenAndServe() starting an unencrypted HTTP server — all traffic including credentials and session tokens travels in plaintext, interceptable by any network observer. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-NET-001 positive test cases — all SHOULD be detected package main import "net/http" func insecureHTTPServer() { mux := http.NewServeMux() // SINK: plaintext HTTP — credentials exposed to network http.ListenAndServe(":8080", mux) } func insecureHTTPServerNilHandler() { // SINK: nil handler uses DefaultServeMux http.ListenAndServe(":9090", nil) } # --- file: go.mod --- module example.com/go-net-001/positive go 1.21 # --- file: go.sum --- ``` --- ### GO-NET-002: gRPC Client Without TLS - Severity: HIGH | CWE: CWE-300, CWE-319 | OWASP: A02:2021, A07:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-NET-002 - Detection: pathfinder scan --ruleset golang/GO-NET-002 --project . Detects gRPC client using grpc.WithInsecure() or grpc.WithNoTLS() which disables transport encryption — all RPC calls including auth tokens and payloads travel in plaintext. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-NET-002 positive test cases — all SHOULD be detected package main import "google.golang.org/grpc" func grpcInsecureClient() { addr := "backend:50051" // SINK: WithInsecure disables all transport security conn, _ := grpc.Dial(addr, grpc.WithInsecure()) defer conn.Close() } func grpcInsecureOption() { // SINK: grpc.WithInsecure() as standalone option opts := []grpc.DialOption{ grpc.WithInsecure(), } conn, _ := grpc.Dial("service:9090", opts...) def ``` --- ### GO-PATH-001: Path Traversal via HTTP Input - Severity: HIGH | CWE: CWE-22 | OWASP: A01:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-PATH-001 - Detection: pathfinder scan --ruleset golang/GO-PATH-001 --project . User-controlled HTTP input reaches file system operations without path validation — filepath.Clean() alone is insufficient; filepath.Join("/uploads", "/etc/passwd") returns "/etc/passwd" in Go. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-PATH-001 positive test cases — all SHOULD be detected package main import ( "net/http" "os" "path/filepath" "github.com/gin-gonic/gin" ) func pathTraversalReadFile(w http.ResponseWriter, r *http.Request) { filename := r.FormValue("file") // source content, _ := os.ReadFile("/var/uploads/" + filename) // SINK: path traversal w.Write(content) } func pathTraversalOpen(w http.ResponseWriter, r *http.Request) { path := r.FormValu ``` --- ### GO-REDIRECT-001: Open Redirect via User-Controlled URL - Severity: HIGH | CWE: CWE-601 | OWASP: A01:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-REDIRECT-001 - Detection: pathfinder scan --ruleset golang/GO-REDIRECT-001 --project . User-controlled input flows into HTTP redirect functions without URL validation — open redirect enables phishing, OAuth token theft, and malware distribution via trusted-domain URLs. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-REDIRECT-001 positive test cases — all SHOULD be detected package main import ( "net/http" "github.com/gin-gonic/gin" "github.com/labstack/echo/v4" ) func openRedirectFormValue(w http.ResponseWriter, r *http.Request) { next := r.FormValue("next") http.Redirect(w, r, next, http.StatusFound) // SINK } func openRedirectReferer(w http.ResponseWriter, r *http.Request) { referer := r.Referer() http.Redirect(w, r, referer, http.StatusSeeOther) // SINK } f ``` --- ### GO-SEC-001: SQL Injection via database/sql - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-SEC-001 - Detection: pathfinder scan --ruleset golang/GO-SEC-001 --project . User-controlled input reaches database/sql query methods without parameterization, enabling SQL injection — ranked **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-SEC-001 positive test cases — all SHOULD be detected package main import ( "database/sql" "net/http" "github.com/gin-gonic/gin" ) func sqlInjectionQuery(w http.ResponseWriter, r *http.Request) { db, _ := sql.Open("postgres", "") id := r.FormValue("id") // source db.Query("SELECT * FROM users WHERE id = " + id) // SINK: SQL injection } func sqlInjectionExec(w http.ResponseWriter, r *http.Request) { db, _ := s ``` --- ### GO-SEC-002: OS Command Injection via HTTP Input - Severity: CRITICAL | CWE: CWE-78 | OWASP: A03:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-SEC-002 - Detection: pathfinder scan --ruleset golang/GO-SEC-002 --project . User-controlled HTTP request input reaches os/exec command execution — the critical pattern is exec.Command("sh", "-c", userInput) which enables full shell injection with metacharacters. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-SEC-002 positive test cases — all SHOULD be detected package main import ( "net/http" "os/exec" "github.com/gin-gonic/gin" ) func commandInjectionFilename(w http.ResponseWriter, r *http.Request) { filename := r.FormValue("file") // source cmd := exec.Command("convert", filename) // SINK: user controls argument cmd.Run() } func commandInjectionViaGin(c *gin.Context) { model := c.Query("model") // source exec.Comma ``` --- ### GO-SEC-004: Hardcoded Credentials in Source Code - Severity: HIGH | CWE: CWE-798, CWE-259, CWE-321 | OWASP: A07:2021, A02:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-SEC-004 - Detection: pathfinder scan --ruleset golang/GO-SEC-004 --project . Detects credential-named variables (password, secret, api_key, token) being assigned or passed as arguments — hardcoded secrets are exposed in git history, compiled binaries, container images, and CI/CD logs. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-SEC-004 positive test cases — credential-named variables passed to functions package main import "database/sql" // Credential-named variables flowing into function calls — SHOULD be detected func hardcodedDBPassword(db *sql.DB) { password := "super_secret_123" // hardcoded credential db.Exec("ALTER USER admin PASSWORD ?", password) // variable 'password' as arg } func hardcodedAPIKey() { apikey := "sk-1234567890abcdef" // hardcode ``` --- ### GO-SQLI-003: SQL Injection via sqlx - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-SQLI-003 - Detection: pathfinder scan --ruleset golang/GO-SQLI-003 --project . User-controlled input reaches sqlx query methods without parameterization — sqlx's convenience wrappers (Get, Select, NamedExec) are also vulnerable when used with raw string concatenation. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-SQLI-003 positive test cases — all SHOULD be detected package main import ( "net/http" "github.com/gin-gonic/gin" "github.com/jmoiron/sqlx" ) func sqlxInjectionGet(db *sqlx.DB, r *http.Request) { username := r.FormValue("user") // source db.Get(nil, "SELECT * FROM users WHERE name = '"+username+"'") // SINK } func sqlxInjectionSelect(db *sqlx.DB, r *http.Request) { col := r.FormValue("col") ``` --- ### GO-SSRF-001: Server-Side Request Forgery via go-resty HTTP Client - Severity: HIGH | CWE: CWE-918 | OWASP: A10:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-SSRF-001 - Detection: pathfinder scan --ruleset golang/GO-SSRF-001 --project . User-controlled input flows into go-resty HTTP client calls without URL validation, enabling SSRF attacks that steal cloud metadata credentials or probe internal services. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-SSRF-001 positive test cases — all SHOULD be detected package main import ( "net/http" "github.com/gin-gonic/gin" ) func ssrfViaGet(c *gin.Context) { target := c.Query("url") // source http.Get(target) // SINK: user controls outbound URL } func ssrfViaFormValue(w http.ResponseWriter, r *http.Request) { target := r.FormValue("target") // source http.Get(target) // SINK: SSRF } func ssrfViaPost( ``` --- ### GO-SSRF-002: SSRF via Outbound net/http Client Calls - Severity: HIGH | CWE: CWE-918 | OWASP: A10:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-SSRF-002 - Detection: pathfinder scan --ruleset golang/GO-SSRF-002 --project . User-controlled input flows into net/http standard library client methods without URL validation, enabling SSRF attacks against internal services and cloud metadata endpoints. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-SSRF-002 positive test cases — all SHOULD be detected package main import ( "net/http" "github.com/gin-gonic/gin" ) func ssrfHTTPGet(c *gin.Context) { url := c.Query("url") // source http.Get(url) // SINK: user-controlled outbound request } func ssrfHTTPPost(w http.ResponseWriter, r *http.Request) { endpoint := r.FormValue("endpoint") // source http.Post(endpoint, "application/json", nil) // SINK } func ssrfHTTPClientDo(c *gin. ``` --- ### GO-XSS-001: XSS via Unsafe html/template Type Conversions - Severity: HIGH | CWE: CWE-79, CWE-116 | OWASP: A03:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-XSS-001 - Detection: pathfinder scan --ruleset golang/GO-XSS-001 --project . User input cast to template.HTML, template.CSS, template.JS, or template.URL bypasses Go's context-aware auto-escaping, allowing raw attacker payload to reach the browser. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-XSS-001 positive test cases — all SHOULD be detected package main import ( "html/template" "net/http" ) func xssTemplateHTML(w http.ResponseWriter, r *http.Request) { name := r.FormValue("name") // source safe := template.HTML(name) // SINK: bypasses auto-escaping _ = safe } func xssTemplateCSS(w http.ResponseWriter, r *http.Request) { style := r.FormValue("style") // source safe := template.CSS(style) // SINK: CSS injection ``` --- ### GO-XSS-002: XSS via fmt.Fprintf to http.ResponseWriter - Severity: HIGH | CWE: CWE-79, CWE-116 | OWASP: A03:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-XSS-002 - Detection: pathfinder scan --ruleset golang/GO-XSS-002 --project . User input flows into fmt.Fprintf/Fprintln/Fprint writing directly to ResponseWriter — fmt functions perform no HTML escaping, any user-controlled format argument renders as raw HTML in the browser. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-XSS-002 positive test cases — all SHOULD be detected package main import ( "fmt" "net/http" ) func xssFprintfDirect(w http.ResponseWriter, r *http.Request) { query := r.FormValue("q") // source fmt.Fprintf(w, "

Results: %s

", query) // SINK: unescaped output } func xssFprintlnDirect(w http.ResponseWriter, r *http.Request) { msg := r.FormValue("msg") // source fmt.Fprintln(w, "

"+msg+"

") // SINK } func xs ``` --- ### GO-XSS-003: XSS via io.WriteString to http.ResponseWriter - Severity: HIGH | CWE: CWE-79, CWE-116 | OWASP: A03:2021 - Language: golang | Category: security - URL: https://codepathfinder.dev/registry/golang/security/GO-XSS-003 - Detection: pathfinder scan --ruleset golang/GO-XSS-003 --project . User input flows into io.WriteString writing directly to ResponseWriter without HTML escaping — io.WriteString is a raw byte writer that performs no HTML neutralization. **Vulnerable Code:** ``` # --- file: vulnerable.go --- // GO-XSS-003 positive test cases — all SHOULD be detected package main import ( "io" "net/http" ) func xssIOWriteString(w http.ResponseWriter, r *http.Request) { name := r.FormValue("name") // source io.WriteString(w, "

Hello, "+name+"

") // SINK: unescaped write } func xssIOWriteStringReferer(w http.ResponseWriter, r *http.Request) { referer := r.Referer() // source: Referer header io.WriteString(w, referer) // SINK: r ``` --- ## Python Rules (143) ### PYTHON-CRYPTO-SEC-001: RC4 (ARC4) Cipher Usage via cryptography Library - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-001 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-001 --project . Detects use of the RC4 stream cipher through the cryptography library's ARC4 algorithm, which has known keystream biases and is prohibited by RFC 7465. **Vulnerable Code:** ``` from cryptography.hazmat.primitives.ciphers import Cipher, algorithms from cryptography.hazmat.backends import default_backend # ARC4/RC4 is a broken stream cipher with known biases arc4_key = b'\x00' * 16 cipher = Cipher(algorithms.ARC4(arc4_key), mode=None, backend=default_backend()) encryptor = cipher.encryptor() ciphertext = encryptor.update(b"secret data") ``` --- ### PYTHON-CRYPTO-SEC-001a: RC4 (ARC4) Cipher Usage via PyCryptodome - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-001a - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-001a --project . Detects use of the RC4 stream cipher through PyCryptodome's ARC4 module, which has known keystream biases and is prohibited by RFC 7465. **Vulnerable Code:** ``` from Crypto.Cipher import ARC4 # PyCryptodome ARC4/RC4 — same broken cipher, different library rc4 = ARC4.new(b'secret_key') ciphertext = rc4.encrypt(b"secret data") ``` --- ### PYTHON-CRYPTO-SEC-002: Blowfish Cipher Usage via cryptography Library - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-002 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-002 --project . Detects use of the Blowfish cipher through the cryptography library, which has a 64-bit block size making it vulnerable to Sweet32 birthday attacks after approximately 32GB of data. **Vulnerable Code:** ``` from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.backends import default_backend # Blowfish has a 64-bit block size vulnerable to birthday attacks bf_key = b'\x00' * 16 cipher = Cipher(algorithms.Blowfish(bf_key), modes.CBC(b'\x00' * 8), backend=default_backend()) ``` --- ### PYTHON-CRYPTO-SEC-002a: Blowfish Cipher Usage via PyCryptodome - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-002a - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-002a --project . Detects use of the Blowfish cipher through PyCryptodome, which has a 64-bit block size making it vulnerable to Sweet32 birthday attacks after approximately 32GB of data. **Vulnerable Code:** ``` from Crypto.Cipher import Blowfish bf = Blowfish.new(b'secret_key_16by', Blowfish.MODE_CBC, b'\x00' * 8) ``` --- ### PYTHON-CRYPTO-SEC-003: IDEA Cipher Usage via cryptography Library - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-003 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-003 --project . Detects use of the IDEA cipher through the cryptography library, which has a 64-bit block size making it vulnerable to Sweet32 birthday attacks and is deprecated in modern cryptographic standards. **Vulnerable Code:** ``` from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.backends import default_backend idea_key = b'\x00' * 16 cipher = Cipher(algorithms.IDEA(idea_key), modes.CBC(b'\x00' * 8), backend=default_backend()) ``` --- ### PYTHON-CRYPTO-SEC-004: RC2 (ARC2) Cipher Usage via PyCryptodome - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-004 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-004 --project . Detects use of the RC2/ARC2 cipher through PyCryptodome, which has a weak key schedule and an effective key length that can be reduced to 40 bits by protocol negotiation, making it vulnerable to brute-force attacks. **Vulnerable Code:** ``` from Crypto.Cipher import ARC2 rc2 = ARC2.new(b'secret_key_16by', ARC2.MODE_CBC, b'\x00' * 8) ``` --- ### PYTHON-CRYPTO-SEC-005: DES Cipher Usage via PyCryptodome - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-005 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-005 --project . Detects use of single DES through PyCryptodome, which has only a 56-bit key that has been publicly brute-forceable since 1999 and is disallowed by FIPS 46-3 (withdrawn 2005). **Vulnerable Code:** ``` from Crypto.Cipher import DES des = DES.new(b'8byteky', DES.MODE_CBC, b'\x00' * 8) ``` --- ### PYTHON-CRYPTO-SEC-005a: Triple DES (3DES) Cipher Usage via PyCryptodome - Severity: MEDIUM | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-005a - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-005a --project . Detects use of Triple DES (3DES) through PyCryptodome, which has a 64-bit block size vulnerable to Sweet32 birthday attacks and was deprecated by NIST after 2023. **Vulnerable Code:** ``` from Crypto.Cipher import DES3 des3 = DES3.new(b'sixteen_byte_key_24b', DES3.MODE_CBC, b'\x00' * 8) ``` --- ### PYTHON-CRYPTO-SEC-006: XOR Cipher Usage via PyCryptodome - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-006 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-006 --project . Detects use of the XOR cipher through PyCryptodome, which is not encryption -- it is a weak cipher that provides no real confidentiality. XOR encryption is trivially breakable regardless of key and should never be used for protecting sensitive data. **Vulnerable Code:** ``` from Crypto.Cipher import XOR xor = XOR.new(b'secret') ciphertext = xor.encrypt(b'data') ``` --- ### PYTHON-CRYPTO-SEC-010: Insecure MD5 Hash (cryptography) - Severity: MEDIUM | CWE: CWE-327, CWE-328 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-010 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-010 --project . MD5 is cryptographically broken due to collision attacks since 2004. Use SHA-256 or SHA-3 instead. **Vulnerable Code:** ``` from cryptography.hazmat.primitives import hashes from cryptography.hazmat.backends import default_backend # SEC-010: MD5 in cryptography lib digest = hashes.Hash(hashes.MD5(), backend=default_backend()) ``` --- ### PYTHON-CRYPTO-SEC-011: Insecure SHA1 Hash (cryptography) - Severity: MEDIUM | CWE: CWE-327, CWE-328 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-011 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-011 --project . SHA-1 was broken by the SHAttered collision attack in 2017 and is deprecated by NIST for all digital signature uses. Use SHA-256 or SHA-3 instead. **Vulnerable Code:** ``` from cryptography.hazmat.primitives import hashes from cryptography.hazmat.backends import default_backend # SEC-011: SHA1 in cryptography lib digest_sha1 = hashes.Hash(hashes.SHA1(), backend=default_backend()) ``` --- ### PYTHON-CRYPTO-SEC-012: Insecure MD5 Hash (PyCryptodome) - Severity: MEDIUM | CWE: CWE-327, CWE-328 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-012 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-012 --project . MD5 is cryptographically broken due to practical collision attacks since 2004. Use SHA-256 or SHA-3 via PyCryptodome instead. **Vulnerable Code:** ``` from cryptography.hazmat.primitives import hashes from cryptography.hazmat.backends import default_backend # SEC-012: MD5 in PyCryptodome from Crypto.Hash import MD5 h_md5 = MD5.new(b"data") ``` --- ### PYTHON-CRYPTO-SEC-013: Insecure MD4 Hash (PyCryptodome) - Severity: HIGH | CWE: CWE-327, CWE-328 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-013 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-013 --project . MD4 has been completely broken since 1995 with full collisions computable in seconds. It has no legitimate security use. Use SHA-256 or SHA-3 instead. **Vulnerable Code:** ``` from cryptography.hazmat.primitives import hashes from cryptography.hazmat.backends import default_backend # SEC-013: MD4 in PyCryptodome from Crypto.Hash import MD4 h_md4 = MD4.new(b"data") ``` --- ### PYTHON-CRYPTO-SEC-014: Insecure MD2 Hash (PyCryptodome) - Severity: HIGH | CWE: CWE-327, CWE-328 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-014 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-014 --project . MD2 is an obsolete 1989 algorithm with known preimage attacks, extremely poor performance, and no valid modern use case. Use SHA-256 or SHA-3 instead. **Vulnerable Code:** ``` from cryptography.hazmat.primitives import hashes from cryptography.hazmat.backends import default_backend # SEC-014: MD2 in PyCryptodome from Crypto.Hash import MD2 h_md2 = MD2.new(b"data") ``` --- ### PYTHON-CRYPTO-SEC-015: Insecure SHA1 Hash (PyCryptodome) - Severity: MEDIUM | CWE: CWE-327, CWE-328 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-015 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-015 --project . SHA-1 was broken by the SHAttered collision attack in 2017 and is deprecated by NIST for digital signatures. Use SHA-256 or SHA-3 via PyCryptodome instead. **Vulnerable Code:** ``` from cryptography.hazmat.primitives import hashes from cryptography.hazmat.backends import default_backend # SEC-015: SHA1 in PyCryptodome from Crypto.Hash import SHA h_sha = SHA.new(b"data") ``` --- ### PYTHON-CRYPTO-SEC-020: Insufficient RSA Key Size (cryptography lib) - Severity: HIGH | CWE: CWE-326 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-020 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-020 --project . RSA key size is less than 2048 bits. NIST minimum is 2048 bits; 3072+ recommended for new systems. **Vulnerable Code:** ``` from cryptography.hazmat.primitives.asymmetric import rsa private_key = rsa.generate_private_key(public_exponent=65537, key_size=1024) ``` --- ### PYTHON-CRYPTO-SEC-021: Insufficient DSA Key Size (cryptography lib) - Severity: HIGH | CWE: CWE-326 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-021 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-021 --project . DSA key size is less than 2048 bits. NIST SP 800-131A requires 2048-bit minimum. **Vulnerable Code:** ``` from cryptography.hazmat.primitives.asymmetric import rsa, dsa, ec from cryptography.hazmat.backends import default_backend # SEC-021: DSA key generation (audit) dsa_key = dsa.generate_private_key( key_size=1024, backend=default_backend() ) ``` --- ### PYTHON-CRYPTO-SEC-022: EC Key Generation Audit (cryptography lib) - Severity: MEDIUM | CWE: CWE-326 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-022 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-022 --project . Audit all EC key generation calls — verify the curve is SECP256R1, SECP384R1, or stronger. Weak curves like SECP192R1 must not be used. **Vulnerable Code:** ``` from cryptography.hazmat.primitives.asymmetric import rsa, dsa, ec from cryptography.hazmat.backends import default_backend # SEC-022: EC key generation (audit) ec_key = ec.generate_private_key( ec.SECP192R1(), backend=default_backend() ) ``` --- ### PYTHON-CRYPTO-SEC-023: Insufficient RSA Key Size (PyCryptodome) - Severity: HIGH | CWE: CWE-326 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-023 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-023 --project . RSA key size is less than 3072 bits in PyCryptodome. Use RSA.generate(3072) or higher. **Vulnerable Code:** ``` from Crypto.PublicKey import RSA key = RSA.generate(1024) ``` --- ### PYTHON-CRYPTO-SEC-024: Insufficient DSA Key Size (PyCryptodome) - Severity: HIGH | CWE: CWE-326 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-024 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-024 --project . DSA key size is less than 2048 bits in PyCryptodome. Use DSA.generate(2048) or higher. **Vulnerable Code:** ``` from cryptography.hazmat.primitives.asymmetric import rsa, dsa, ec from cryptography.hazmat.backends import default_backend # SEC-024: DSA in PyCryptodome (audit) from Crypto.PublicKey import DSA dsa_key_pc = DSA.generate(1024) ``` --- ### PYTHON-CRYPTO-SEC-030: ECB Mode Usage (cryptography lib) - Severity: HIGH | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-030 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-030 --project . ECB mode is deterministic and leaks plaintext patterns. Use AES-GCM or AES-CTR+HMAC instead. **Vulnerable Code:** ``` from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.backends import default_backend from Crypto.Cipher import AES # SEC-030: ECB mode ecb_cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()) ``` --- ### PYTHON-CRYPTO-SEC-031: Unauthenticated Cipher Mode Audit (cryptography lib) - Severity: MEDIUM | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-031 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-031 --project . CBC/CTR/CFB/OFB mode detected — these modes provide confidentiality but NOT authentication. Verify HMAC is applied or migrate to GCM. **Vulnerable Code:** ``` from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.backends import default_backend from Crypto.Cipher import AES # SEC-031: CBC mode (unauthenticated - audit) cbc_cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()) aes_cbc = AES.new(key, AES.MODE_CBC, iv) ``` --- ### PYTHON-CRYPTO-SEC-032: AES Cipher Mode Audit (PyCryptodome) - Severity: MEDIUM | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: cryptography - URL: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-032 - Detection: pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-032 --project . Audit all AES.new() calls — verify the cipher mode is MODE_GCM, MODE_EAX, MODE_SIV, or MODE_CCM. Unauthenticated modes (MODE_ECB, MODE_CBC without HMAC) must not be used. **Vulnerable Code:** ``` from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.backends import default_backend from Crypto.Cipher import AES aes_cbc = AES.new(key, AES.MODE_CBC, iv) ``` --- ### PYTHON-DESER-001: Unsafe Pickle Deserialization - Severity: CRITICAL | CWE: CWE-502 - Language: python | Category: deserialization - URL: https://codepathfinder.dev/registry/python/deserialization/PYTHON-DESER-001 - Detection: pathfinder scan --ruleset python/PYTHON-DESER-001 --project . Unsafe pickle deserialization: Untrusted data flows to pickle.loads() which can execute arbitrary code. Use json.loads() instead. **Vulnerable Code:** ``` import pickle from flask import Flask, request app = Flask(__name__) @app.route('/api/load_data', methods=['POST']) def load_user_data(): """ CRITICAL VULNERABILITY: Deserializing untrusted pickle data! """ # Source: User-controlled input serialized_data = request.data # Sink: Unsafe deserialization user_data = pickle.loads(serialized_data) # RCE here! return {'data': user_data} # Attack: # POST /api/load_data # Body: # Result: Arb ``` --- ### PYTHON-DJANGO-SEC-001: Django SQL Injection via cursor.execute() - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-001 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-001 --project . User input flows to cursor.execute() without parameterization, enabling SQL injection attacks. **Vulnerable Code:** ``` from django.db import connection from django.db.models.expressions import RawSQL from django.http import HttpRequest # SEC-001: cursor.execute with request data def vulnerable_cursor(request): user_id = request.GET.get('id') cursor = connection.cursor() query = f"SELECT * FROM users WHERE id = {user_id}" cursor.execute(query) return cursor.fetchone() ``` --- ### PYTHON-DJANGO-SEC-002: Django SQL Injection via QuerySet.raw() - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-002 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-002 --project . User input flows to QuerySet.raw() without parameterization, enabling SQL injection through Django's ORM raw query interface. **Vulnerable Code:** ``` from django.db import connection from django.db.models.expressions import RawSQL from django.http import HttpRequest # SEC-002: ORM .raw() with request data def vulnerable_raw(request): name = request.POST.get('name') users = User.objects.raw(f"SELECT * FROM users WHERE name = '{name}'") return users ``` --- ### PYTHON-DJANGO-SEC-003: Django SQL Injection via QuerySet.extra() - Severity: HIGH | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-003 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-003 --project . User input flows to QuerySet.extra() without parameterization, enabling SQL injection through Django's legacy ORM extension interface. **Vulnerable Code:** ``` from django.db import connection from django.db.models.expressions import RawSQL from django.http import HttpRequest # SEC-003: ORM .extra() with request data def vulnerable_extra(request): where_clause = request.GET.get('filter') results = Article.objects.extra(where=[where_clause]) return results ``` --- ### PYTHON-DJANGO-SEC-004: Django SQL Injection via RawSQL Expression - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-004 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-004 --project . User input flows to RawSQL() expression without parameterization, enabling SQL injection through Django's annotation system. **Vulnerable Code:** ``` from django.db import connection from django.db.models.expressions import RawSQL from django.http import HttpRequest # SEC-004: RawSQL expression with request data def vulnerable_rawsql(request): order = request.GET.get('order') expr = RawSQL(f"SELECT * FROM products ORDER BY {order}", []) return expr ``` --- ### PYTHON-DJANGO-SEC-005: Raw SQL Usage Audit via RawSQL Expression - Severity: MEDIUM | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-005 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-005 --project . RawSQL() expression detected. Audit this usage to confirm parameterized queries are used for all user-controlled values. **Vulnerable Code:** ``` from django.db import connection from django.db.models.expressions import RawSQL from django.http import HttpRequest # SEC-005: Raw SQL usage (audit) def audit_rawsql(): expr = RawSQL("SELECT 1", []) return expr ``` --- ### PYTHON-DJANGO-SEC-006: Django Tainted SQL String Construction - Severity: HIGH | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-006 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-006 --project . User input is used to construct a SQL string that flows to a database execution function, enabling SQL injection via string building. **Vulnerable Code:** ``` from django.db import connection from django.db.models.expressions import RawSQL from django.http import HttpRequest # SEC-006: Tainted SQL string (same as SEC-001 pattern) def vulnerable_tainted_sql(request): search = request.GET.get('q') query = "SELECT * FROM items WHERE name LIKE '%" + search + "%'" cursor = connection.cursor() cursor.execute(query) return cursor.fetchall() ``` --- ### PYTHON-DJANGO-SEC-010: Django Command Injection via os.system() - Severity: CRITICAL | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-010 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-010 --project . User input flows to os.system(), enabling arbitrary OS command execution with the privileges of the Django process. **Vulnerable Code:** ``` import os import subprocess # SEC-010: os.system with request data def vulnerable_os_system(request): filename = request.GET.get('file') os.system(f"cat {filename}") cmd = request.POST.get('command') subprocess.call(cmd, shell=True) host = request.GET.get('host') proc = subprocess.Popen(f"ping {host}", shell=True) return proc.communicate() ``` --- ### PYTHON-DJANGO-SEC-011: Django Command Injection via subprocess - Severity: CRITICAL | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-011 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-011 --project . User input flows to subprocess with shell=True or as a string command, enabling OS command injection. **Vulnerable Code:** ``` import os import subprocess filename = request.GET.get('file') os.system(f"cat {filename}") cmd = request.POST.get('command') subprocess.call(cmd, shell=True) host = request.GET.get('host') proc = subprocess.Popen(f"ping {host}", shell=True) return proc.communicate() ``` --- ### PYTHON-DJANGO-SEC-020: Django Code Injection via eval() - Severity: CRITICAL | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-020 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-020 --project . User input flows to eval(), enabling arbitrary Python code execution on the server. **Vulnerable Code:** ``` # SEC-020: eval with request data def vulnerable_eval(request): expr = request.GET.get('expr') result = eval(expr) return result code = request.POST.get('code') exec(code) func_name = request.GET.get('func') func = globals().get(func_name) return func() ``` --- ### PYTHON-DJANGO-SEC-021: Django Code Injection via exec() - Severity: CRITICAL | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-021 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-021 --project . User input flows to exec(), enabling arbitrary Python statement execution on the server. **Vulnerable Code:** ``` expr = request.GET.get('expr') result = eval(expr) return result # SEC-021: exec with request data def vulnerable_exec(request): code = request.POST.get('code') exec(code) func_name = request.GET.get('func') func = globals().get(func_name) return func() ``` --- ### PYTHON-DJANGO-SEC-022: Django globals() Misuse for Arbitrary Code Execution - Severity: HIGH | CWE: CWE-94 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-022 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-022 --project . User input is used to index globals(), enabling arbitrary function dispatch and potential code execution. **Vulnerable Code:** ``` expr = request.GET.get('expr') result = eval(expr) return result code = request.POST.get('code') exec(code) # SEC-022: globals misuse def vulnerable_globals(request): func_name = request.GET.get('func') func = globals().get(func_name) return func() ``` --- ### PYTHON-DJANGO-SEC-030: Django SSRF via requests Library - Severity: HIGH | CWE: CWE-918 | OWASP: A10:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-030 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-030 --project . User input flows to requests.get/post/put/delete/head(), enabling the server to make HTTP requests to attacker-controlled URLs. **Vulnerable Code:** ``` import requests def fetch_url(request): url = request.GET.get('url') resp = requests.get(url) return resp.text ``` --- ### PYTHON-DJANGO-SEC-031: Django SSRF via urllib - Severity: HIGH | CWE: CWE-918 | OWASP: A10:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-031 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-031 --project . User input flows to urllib.request.urlopen() or urllib.request.Request(), enabling the server to make HTTP requests to attacker-controlled URLs. **Vulnerable Code:** ``` from urllib.request import urlopen def fetch_url(request): url = request.GET.get('url') resp = urlopen(url) return resp.read() ``` --- ### PYTHON-DJANGO-SEC-041: Django Path Traversal via os.path.join() - Severity: HIGH | CWE: CWE-22 | OWASP: A01:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-041 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-041 --project . User input flows to os.path.join() leading to file operations, enabling path traversal to access files outside the intended directory. **Vulnerable Code:** ``` import os # SEC-040: path traversal via open def vulnerable_open(request): filename = request.GET.get('file') with open(filename) as f: return f.read() # SEC-041: path traversal via os.path.join def vulnerable_path_join(request): user_path = request.GET.get('path') full_path = os.path.join('/uploads', user_path) with open(full_path) as f: return f.read() ``` --- ### PYTHON-DJANGO-SEC-050: Django XSS via Direct HttpResponse with User Input - Severity: HIGH | CWE: CWE-79 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-050 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-050 --project . User input flows directly to HttpResponse without HTML escaping, enabling Cross-Site Scripting (XSS) attacks. **Vulnerable Code:** ``` from django.http import HttpResponse, HttpResponseBadRequest from django.utils.safestring import mark_safe, SafeString from django.utils.html import html_safe # SEC-050: HttpResponse with request data def vulnerable_httpresponse(request): name = request.GET.get('name') return HttpResponse(f"Hello {name}") def vulnerable_httpresponse_bad(request): msg = request.GET.get('error') return HttpResponseBadRequest(msg) ``` --- ### PYTHON-DJANGO-SEC-051: Django mark_safe() Usage Audit - Severity: MEDIUM | CWE: CWE-79 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-051 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-051 --project . mark_safe() bypasses Django's automatic HTML escaping. Audit all usages to confirm content is properly sanitized before being marked safe. **Vulnerable Code:** ``` from django.http import HttpResponse, HttpResponseBadRequest from django.utils.safestring import mark_safe, SafeString from django.utils.html import html_safe # SEC-051: mark_safe (audit) def risky_mark_safe(): content = "" return mark_safe(content) ``` --- ### PYTHON-DJANGO-SEC-053: Django SafeString Subclass Audit - Severity: MEDIUM | CWE: CWE-79 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-053 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-053 --project . Class extends SafeString or SafeData, bypassing Django's auto-escaping for all instances. Audit to confirm the class properly sanitizes content. **Vulnerable Code:** ``` from django.http import HttpResponse, HttpResponseBadRequest from django.utils.safestring import mark_safe, SafeString from django.utils.html import html_safe # SEC-053: SafeString subclass (audit) custom = SafeString("bold") ``` --- ### PYTHON-DJANGO-SEC-060: Django XSS in HTML Email Body via EmailMessage - Severity: MEDIUM | CWE: CWE-79 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-060 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-060 --project . User input flows into HTML email body content without sanitization, enabling HTML injection in emails. **Vulnerable Code:** ``` from django.core.mail import EmailMessage, send_mail body = request.POST.get('message') email = EmailMessage("Subject", body, "from@test.com", ["to@test.com"]) email.content_subtype = "html" email.send() content = request.POST.get('body') send_mail("Subject", "text body", "from@test.com", ["to@test.com"], html_message=content) ``` --- ### PYTHON-DJANGO-SEC-061: Django XSS in send_mail html_message Parameter - Severity: MEDIUM | CWE: CWE-79 | OWASP: A03:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-061 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-061 --project . User input flows into the html_message parameter of send_mail() without sanitization, enabling HTML injection in emails. **Vulnerable Code:** ``` from django.core.mail import EmailMessage, send_mail body = request.POST.get('message') email = EmailMessage("Subject", body, "from@test.com", ["to@test.com"]) email.content_subtype = "html" email.send() # SEC-061: XSS in send_mail html_message content = request.POST.get('body') send_mail("Subject", "text body", "from@test.com", ["to@test.com"], html_message=content) ``` --- ### PYTHON-DJANGO-SEC-070: Django Insecure Cookie Settings via set_cookie() - Severity: MEDIUM | CWE: CWE-614, CWE-1004 | OWASP: A05:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-070 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-070 --project . Cookie set without secure, httponly, or samesite flags, making it vulnerable to interception, XSS-based theft, and CSRF attacks. **Vulnerable Code:** ``` import pickle import yaml from django.views.decorators.csrf import csrf_exempt # SEC-070: insecure cookies def set_insecure_cookie(request): response = HttpResponse("OK") response.set_cookie("session_id", "abc123") return response ``` --- ### PYTHON-DJANGO-SEC-072: Django Insecure Deserialization of Request Data - Severity: CRITICAL | CWE: CWE-502 | OWASP: A08:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-072 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-072 --project . User input flows to unsafe deserialization functions (pickle, yaml.load, dill, shelve), enabling arbitrary code execution during deserialization. **Vulnerable Code:** ``` import pickle import yaml from django.views.decorators.csrf import csrf_exempt # SEC-072: insecure deserialization def vulnerable_pickle(request): data = request.POST.get('data') obj = pickle.loads(data) return obj def vulnerable_yaml(request): content = request.POST.get('config') obj = yaml.load(content) return obj ``` --- ### PYTHON-DJANGO-SEC-080: Django Empty Password in set_password() - Severity: HIGH | CWE: CWE-521, CWE-258 | OWASP: A07:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-080 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-080 --project . Empty string passed to set_password() creates an account with no password protection. Use None or set_unusable_password() instead. **Vulnerable Code:** ``` from django.contrib.auth.models import User # SEC-080: set_password with empty string def reset_password_empty(user): user.set_password("") user.save() # SEC-081: POST data flowing to set_password user.set_password(password) user.save() ``` --- ### PYTHON-DJANGO-SEC-081: Django Default Empty Password Value via flows() - Severity: HIGH | CWE: CWE-521, CWE-287 | OWASP: A07:2021 - Language: python | Category: django - URL: https://codepathfinder.dev/registry/python/django/PYTHON-DJANGO-SEC-081 - Detection: pathfinder scan --ruleset python/PYTHON-DJANGO-SEC-081 --project . request.POST.get('password', '') with empty string default flows to set_password(), potentially setting an empty password when the field is omitted. **Vulnerable Code:** ``` from django.contrib.auth.models import User # SEC-080: set_password with empty string def reset_password_empty(user): user.set_password("") user.save() # SEC-081: POST data flowing to set_password password = request.POST.get('password') user = User.objects.get(id=1) user.set_password(password) user.save() ``` --- ### PYTHON-FLASK-001: Flask Debug Mode Enabled - Severity: HIGH | CWE: CWE-489 | OWASP: A05:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-001 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-001 --project . Detects Flask applications started with debug=True, which enables the interactive Werkzeug debugger and must never run in production. **Vulnerable Code:** ``` from flask import Flask, request app = Flask(__name__) @app.route('/api/users') def get_users(): # Some application logic return {'users': [...]} if __name__ == '__main__': # DANGEROUS: Debug mode enabled app.run(debug=True) # Vulnerable! # Also vulnerable: # app.debug = True # app.run() # Or via config: # app.config['DEBUG'] = True ``` --- ### PYTHON-FLASK-AUDIT-003: Flask Bound to All Interfaces - Severity: MEDIUM | CWE: CWE-668 | OWASP: A05:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-AUDIT-003 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-AUDIT-003 --project . Detects Flask applications binding the development server to 0.0.0.0, exposing it to every network interface instead of localhost only. **Vulnerable Code:** ``` from flask import Flask app = Flask(__name__) app.run(host="0.0.0.0") ``` --- ### PYTHON-FLASK-AUDIT-004: Flask CORS Wildcard Origin - Severity: MEDIUM | CWE: CWE-942 | OWASP: A05:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-AUDIT-004 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-AUDIT-004 --project . Detects Flask-CORS configured with origins="*", allowing any domain to make cross-origin requests to the application. **Vulnerable Code:** ``` from flask import Flask from flask_cors import CORS app = Flask(__name__) CORS(app, origins="*") ``` --- ### PYTHON-FLASK-AUDIT-005: Flask url_for with _external=True - Severity: LOW | CWE: CWE-601 | OWASP: A01:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-AUDIT-005 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-AUDIT-005 --project . Detects url_for() called with _external=True, which generates absolute URLs using the Host header and can be abused for open redirect or host header injection attacks. **Vulnerable Code:** ``` from flask import Flask, url_for app = Flask(__name__) @app.route('/link') def get_link(): return url_for('index', _external=True) ``` --- ### PYTHON-FLASK-AUDIT-008: Flask render_template_string Usage - Severity: MEDIUM | CWE: CWE-1336 | OWASP: A03:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-AUDIT-008 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-AUDIT-008 --project . Detects any use of render_template_string(), which renders Jinja2 templates from Python strings and is inherently adjacent to Server-Side Template Injection (SSTI) vulnerabilities. **Vulnerable Code:** ``` from flask import render_template_string render_template_string("

hello

") ``` --- ### PYTHON-FLASK-AUDIT-009: Flask Cookie Without Secure Flags - Severity: MEDIUM | CWE: CWE-614 | OWASP: A05:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-AUDIT-009 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-AUDIT-009 --project . Detects set_cookie() calls with secure=False or httponly=False, which expose session and authentication cookies to theft via network eavesdropping or JavaScript access. **Vulnerable Code:** ``` from flask import Flask, make_response app = Flask(__name__) @app.route('/setcookie') def setcookie(): resp = make_response("cookie set") resp.set_cookie('session', 'value', secure=False, httponly=False) return resp ``` --- ### PYTHON-FLASK-SEC-002: Flask Command Injection via subprocess - Severity: CRITICAL | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-002 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-002 --project . User input from Flask request parameters flows to subprocess functions with shell=True or as a command string. Use list arguments without shell=True. **Vulnerable Code:** ``` from flask import Flask, request import subprocess app = Flask(__name__) @app.route('/run') def run_command(): cmd = request.form.get('cmd') result = subprocess.check_output(cmd, shell=True) return result ``` --- ### PYTHON-FLASK-SEC-003: Flask SQL Injection via Tainted String - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-003 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-003 --project . Finds user input reaching raw SQL queries in Flask apps where parameterized queries should be used instead. **Vulnerable Code:** ``` # --- file: app.py --- from flask import Flask, request from db import query_user app = Flask(__name__) @app.route('/user') def get_user(): username = request.args.get('username') result = query_user(username) return str(result) # --- file: db.py --- import sqlite3 def get_connection(): return sqlite3.connect('app.db') def query_user(name): conn = get_connection() cursor = conn.cursor() cursor.execute("SELECT * FROM users WHERE name = '" + name + "'") retu ``` --- ### PYTHON-FLASK-SEC-004: Flask Code Injection via eval() - Severity: CRITICAL | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-004 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-004 --project . User input from Flask request parameters flows to eval(). Replace with ast.literal_eval() for data parsing or json.loads() for structured input. **Vulnerable Code:** ``` from flask import Flask, request app = Flask(__name__) @app.route('/calc') def calculator(): expr = request.args.get('expr') result = eval(expr) return str(result) ``` --- ### PYTHON-FLASK-SEC-005: Flask Code Injection via exec() - Severity: CRITICAL | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-005 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-005 --project . User input from Flask request parameters flows to exec() or compile(). exec() cannot be safely sanitized -- redesign the feature to avoid dynamic code execution. **Vulnerable Code:** ``` from flask import Flask, request app = Flask(__name__) @app.route('/run_code') def run_code(): code = request.form.get('code') exec(code) return "executed" ``` --- ### PYTHON-FLASK-SEC-006: Flask SSRF via requests Library - Severity: HIGH | CWE: CWE-918 | OWASP: A10:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-006 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-006 --project . User input from Flask request parameters flows to outbound HTTP request URLs via the requests library. Validate and allowlist target hosts before making server-side requests. **Vulnerable Code:** ``` # --- file: app.py --- from flask import Flask, request from services import fetch_remote_data app = Flask(__name__) @app.route('/proxy') def proxy(): url = request.args.get('url') data = fetch_remote_data(url) return data # --- file: services.py --- import requests as http_requests def fetch_remote_data(endpoint): resp = http_requests.get(endpoint) return resp.text ``` --- ### PYTHON-FLASK-SEC-007: Flask Path Traversal via open() - Severity: HIGH | CWE: CWE-22 | OWASP: A01:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-007 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-007 --project . User input from Flask request parameters flows to open() or io.open() without path sanitization. Use werkzeug secure_filename() and verify the resolved path stays within the intended directory. **Vulnerable Code:** ``` from flask import Flask, request app = Flask(__name__) @app.route('/read') def read_file(): filename = request.args.get('file') content = open(filename, 'r').read() return content ``` --- ### PYTHON-FLASK-SEC-009: Flask CSV Injection - Severity: MEDIUM | CWE: CWE-1236 | OWASP: A03:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-009 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-009 --project . User input from Flask request parameters flows to csv.writer.writerow() or writerows() without formula character sanitization. Strip or escape leading =, +, -, @ characters to prevent spreadsheet formula injection. **Vulnerable Code:** ``` from flask import Flask, request import csv, io app = Flask(__name__) @app.route('/export') def export_csv(): name = request.args.get('name') output = io.StringIO() writer = csv.writer(output) writer.writerow([name, "data"]) return output.getvalue() ``` --- ### PYTHON-FLASK-SEC-010: Flask NaN Injection via float() - Severity: LOW | CWE: CWE-704 | OWASP: A03:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-010 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-010 --project . User input from Flask request parameters flows to float() which can produce NaN or Inf values. Validate and reject non-finite float values with math.isnan() and math.isinf(). **Vulnerable Code:** ``` from flask import Flask, request app = Flask(__name__) @app.route('/convert') def convert(): value = request.args.get('value') result = float(value) return str(result) ``` --- ### PYTHON-FLASK-SEC-011: Flask SSRF via Tainted URL Host - Severity: HIGH | CWE: CWE-918 | OWASP: A10:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-011 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-011 --project . User input from Flask request parameters is used to construct the host component of an outbound HTTP request URL. Validate the host against an explicit allowlist before making server-side requests. **Vulnerable Code:** ``` from flask import Flask, request import requests as http_requests app = Flask(__name__) @app.route('/api') def api_call(): host = request.args.get('host') url = "https://" + host + "/api/data" resp = http_requests.get(url) return resp.text ``` --- ### PYTHON-FLASK-SEC-012: Flask Open Redirect - Severity: MEDIUM | CWE: CWE-601 | OWASP: A01:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-012 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-012 --project . User input from Flask request parameters flows to redirect() without URL validation. Validate redirect targets against an allowlist or use url_for() to generate trusted application-internal URLs. **Vulnerable Code:** ``` from flask import Flask, request, redirect app = Flask(__name__) @app.route('/goto') def goto(): url = request.args.get('url') return redirect(url) @app.route('/redir') def redir(): next_page = request.form.get('next') return redirect(next_page) ``` --- ### PYTHON-FLASK-SEC-014: Flask Server-Side Template Injection (SSTI) - Severity: CRITICAL | CWE: CWE-1336 | OWASP: A03:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-014 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-014 --project . User input from Flask request parameters flows to render_template_string() as part of the template source. Pass user data as template variables, never in the template string itself. **Vulnerable Code:** ``` # --- file: app.py --- from flask import Flask, request from renderer import render_greeting app = Flask(__name__) @app.route('/greet') def greet(): name = request.args.get('name') html = render_greeting(name) return html # --- file: renderer.py --- from flask import render_template_string def render_greeting(username): template = "

Hello " + username + "

" return render_template_string(template) ``` --- ### PYTHON-FLASK-SEC-017: Flask Insecure Static File Serve - Severity: MEDIUM | CWE: CWE-73 | OWASP: A01:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-017 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-017 --project . Detects use of send_file() and send_from_directory() which serve files from the server's file system and are vulnerable to path traversal when the filename argument comes from user input. **Vulnerable Code:** ``` from flask import Flask, request, send_from_directory app = Flask(__name__) @app.route('/files') def serve_file(): filename = request.args.get('file') return send_from_directory('/uploads', filename) ``` --- ### PYTHON-FLASK-SEC-018: Flask Hashids with Secret Key as Salt - Severity: MEDIUM | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-SEC-018 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-SEC-018 --project . Detects Hashids initialized with app.secret_key as the salt, which exposes Flask's secret key because the Hashids salt is recoverable through cryptanalysis. **Vulnerable Code:** ``` from flask import Flask from hashids import Hashids app = Flask(__name__) app.secret_key = 'my-secret' hasher = Hashids(salt=app.secret_key) ``` --- ### PYTHON-FLASK-XSS-001: Flask Direct Use of Jinja2 - Severity: MEDIUM | CWE: CWE-79 | OWASP: A03:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-XSS-001 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-XSS-001 --project . Detects direct use of jinja2.Environment or jinja2.Template, which bypasses Flask's automatic HTML autoescaping and can lead to XSS vulnerabilities. **Vulnerable Code:** ``` from jinja2 import Environment env = Environment(autoescape=False) ``` --- ### PYTHON-FLASK-XSS-002: Flask Explicit Unescape with Markup - Severity: MEDIUM | CWE: CWE-79 | OWASP: A03:2021 - Language: python | Category: flask - URL: https://codepathfinder.dev/registry/python/flask/PYTHON-FLASK-XSS-002 - Detection: pathfinder scan --ruleset python/PYTHON-FLASK-XSS-002 --project . Detects use of Markup() or markupsafe.Markup() which marks strings as safe HTML, bypassing Jinja2's autoescaping and introducing XSS risk if applied to user-controlled content. **Vulnerable Code:** ``` from markupsafe import Markup html = Markup("hello") ``` --- ### PYTHON-JWT-SEC-001: JWT Hardcoded Secret - Severity: HIGH | CWE: CWE-798, CWE-522 | OWASP: A02:2021 - Language: python | Category: jwt - URL: https://codepathfinder.dev/registry/python/jwt/PYTHON-JWT-SEC-001 - Detection: pathfinder scan --ruleset python/PYTHON-JWT-SEC-001 --project . Finds jwt.encode() calls where the signing secret is a hardcoded string instead of a runtime configuration value. **Vulnerable Code:** ``` import jwt # Vulnerable: hardcoded string as JWT signing secret token = jwt.encode({"user": "admin"}, "hardcoded_secret", algorithm="HS256") # Vulnerable: another hardcoded secret auth_token = jwt.encode({"role": "superuser"}, "my_secret_key_123", algorithm="HS256") ``` --- ### PYTHON-JWT-SEC-002: JWT None Algorithm - Severity: CRITICAL | CWE: CWE-327, CWE-345 | OWASP: A02:2021 - Language: python | Category: jwt - URL: https://codepathfinder.dev/registry/python/jwt/PYTHON-JWT-SEC-002 - Detection: pathfinder scan --ruleset python/PYTHON-JWT-SEC-002 --project . Detects jwt.encode() calls using algorithm='none', which creates unsigned tokens that anyone can forge. **Vulnerable Code:** ``` import jwt # Vulnerable: encode with algorithm="none" disables signature token = jwt.encode({"user": "admin"}, "", algorithm="none") # Vulnerable: using none algorithm with payload unsafe_token = jwt.encode({"role": "superuser"}, "key", algorithm="none") ``` --- ### PYTHON-JWT-SEC-003: Unverified JWT Decode - Severity: HIGH | CWE: CWE-287, CWE-345 | OWASP: A07:2021 - Language: python | Category: jwt - URL: https://codepathfinder.dev/registry/python/jwt/PYTHON-JWT-SEC-003 - Detection: pathfinder scan --ruleset python/PYTHON-JWT-SEC-003 --project . Detects jwt.decode() calls that may bypass signature verification, allowing tampered tokens to be accepted. **Vulnerable Code:** ``` import jwt # Vulnerable: decode with verify_signature=False bypasses integrity checks data = jwt.decode(token, "secret", options={"verify_signature": False}) # Vulnerable: using options dict variable opts = {"verify_signature": False, "verify_exp": False} payload = jwt.decode(token, key, options=opts) ``` --- ### PYTHON-JWT-SEC-004: JWT Exposed Credentials - Severity: MEDIUM | CWE: CWE-522, CWE-312 | OWASP: A02:2021, A04:2021 - Language: python | Category: jwt - URL: https://codepathfinder.dev/registry/python/jwt/PYTHON-JWT-SEC-004 - Detection: pathfinder scan --ruleset python/PYTHON-JWT-SEC-004 --project . Detects jwt.encode() calls where passwords or secrets may be included in the token payload, exposing them to anyone who reads the token. **Vulnerable Code:** ``` import jwt # Vulnerable: password stored in JWT payload (base64-encoded, not encrypted) payload = {"username": "admin", "password": "secret123", "role": "superuser"} token = jwt.encode(payload, "key", algorithm="HS256") # Vulnerable: credentials in payload user_token = jwt.encode({"email": "user@example.com", "password": "hunter2"}, SECRET, algorithm="HS256") ``` --- ### PYTHON-JWT-SEC-005: JWT User Input in Payload - Severity: LOW | CWE: CWE-522, CWE-200 | OWASP: A02:2021, A04:2021 - Language: python | Category: jwt - URL: https://codepathfinder.dev/registry/python/jwt/PYTHON-JWT-SEC-005 - Detection: pathfinder scan --ruleset python/PYTHON-JWT-SEC-005 --project . Traces user-controlled input from Flask/Django request parameters into jwt.encode() payloads using taint analysis. **Vulnerable Code:** ``` from flask import Flask, request import jwt app = Flask(__name__) @app.route('/token') def create_token(): # Vulnerable: user input flows directly into JWT payload user_data = request.args.get('user') return jwt.encode({"sub": user_data}, "key", algorithm="HS256") ``` --- ### PYTHON-LAMBDA-SEC-001: Lambda Command Injection via os.system() - Severity: CRITICAL | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-001 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-001 --project . Lambda event data flows to os.system(), enabling arbitrary OS command execution inside the Lambda execution environment. **Vulnerable Code:** ``` import os import subprocess import asyncio # SEC-001: os.system with event data def handler_os_system(event, context): filename = event.get('filename') os.system(f"cat {filename}") return {"statusCode": 200} ``` --- ### PYTHON-LAMBDA-SEC-002: Lambda Command Injection via subprocess - Severity: CRITICAL | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-002 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-002 --project . Lambda event data flows to subprocess with shell=True or as a string command, enabling OS command injection in the Lambda execution environment. **Vulnerable Code:** ``` import os import subprocess import asyncio # SEC-002: subprocess with event data def handler_subprocess(event, context): cmd = event.get('command') result = subprocess.call(cmd, shell=True) return {"statusCode": 200, "body": str(result)} def handler_subprocess_popen(event, context): host = event.get('host') proc = subprocess.Popen(f"ping {host}", shell=True) return {"statusCode": 200} ``` --- ### PYTHON-LAMBDA-SEC-003: Lambda Command Injection via os.spawn*() - Severity: CRITICAL | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-003 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-003 --project . Lambda event data flows to os.spawn*() functions, enabling process execution with attacker-controlled arguments in the Lambda execution environment. **Vulnerable Code:** ``` import os import subprocess import asyncio # SEC-003: os.spawn with event data def handler_spawn(event, context): prog = event.get('program') os.spawnl(os.P_NOWAIT, prog, prog) return {"statusCode": 200} ``` --- ### PYTHON-LAMBDA-SEC-004: Lambda Command Injection via asyncio.create_subprocess_shell() - Severity: CRITICAL | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-004 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-004 --project . Lambda event data flows to asyncio.create_subprocess_shell(), enabling OS command injection in async Lambda handlers. **Vulnerable Code:** ``` import os import subprocess import asyncio # SEC-004: asyncio shell async def handler_asyncio_shell(event, context): cmd = event.get('cmd') proc = await asyncio.create_subprocess_shell(cmd) return {"statusCode": 200} ``` --- ### PYTHON-LAMBDA-SEC-005: Lambda Command Injection via asyncio.create_subprocess_exec() - Severity: CRITICAL | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-005 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-005 --project . Lambda event data flows to asyncio.create_subprocess_exec(), enabling argument injection in async Lambda handlers. **Vulnerable Code:** ``` import os import subprocess import asyncio # SEC-005: asyncio exec async def handler_asyncio_exec(event, context): prog = event.get('program') proc = await asyncio.create_subprocess_exec(prog) return {"statusCode": 200} ``` --- ### PYTHON-LAMBDA-SEC-011: Lambda SQL Injection via psycopg2 cursor.execute() - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-011 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-011 --project . Lambda event data flows to psycopg2 cursor.execute() without parameterization, enabling SQL injection against RDS PostgreSQL or Aurora PostgreSQL backends. **Vulnerable Code:** ``` import json # SEC-011: psycopg2 def handler_psycopg2(event, context): import psycopg2 conn = psycopg2.connect("dbname=app") cursor = conn.cursor() name = event.get('name') cursor.execute(f"SELECT * FROM users WHERE name = '{name}'") return {"statusCode": 200} ``` --- ### PYTHON-LAMBDA-SEC-012: Lambda SQL Injection via pymssql cursor.execute() - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-012 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-012 --project . Lambda event data flows to pymssql cursor.execute() without parameterization, enabling SQL injection against RDS SQL Server backends. **Vulnerable Code:** ``` import pymssql def handler(event, context): user_id = event.get('user_id') conn = pymssql.connect(server='db', user='sa', password='pass', database='app') cursor = conn.cursor() cursor.execute("SELECT * FROM users WHERE id = '" + user_id + "'") return cursor.fetchall() ``` --- ### PYTHON-LAMBDA-SEC-013: Lambda SQL Injection via PyMySQL cursor.execute() - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-013 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-013 --project . Lambda event data flows to PyMySQL cursor.execute() without parameterization, enabling SQL injection against RDS MySQL or Aurora MySQL backends via the pure-Python driver. **Vulnerable Code:** ``` import pymysql def handler(event, context): search = event.get('search') conn = pymysql.connect(host='db', user='root', password='pass', database='app') cursor = conn.cursor() cursor.execute("SELECT * FROM products WHERE name LIKE '%" + search + "%'") return cursor.fetchall() ``` --- ### PYTHON-LAMBDA-SEC-014: Lambda SQL Injection via SQLAlchemy execute() - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-014 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-014 --project . Lambda event data flows to SQLAlchemy session.execute() or connection.execute() without bound parameters, enabling SQL injection against any RDS backend. **Vulnerable Code:** ``` import json # SEC-014: SQLAlchemy session.execute def handler_sqlalchemy(event, context): search = event.get('search') result = session.execute(f"SELECT * FROM items WHERE name = '{search}'") return {"statusCode": 200} ``` --- ### PYTHON-LAMBDA-SEC-015: Lambda Tainted SQL String Construction - Severity: HIGH | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-015 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-015 --project . Lambda event data is used in SQL string construction via f-strings or concatenation before being passed to a database execute call, enabling SQL injection. **Vulnerable Code:** ``` import json # SEC-015: tainted SQL string def handler_tainted_sql(event, context): table = event.get('table') query = "SELECT * FROM " + table cursor.execute(query) return {"statusCode": 200} ``` --- ### PYTHON-LAMBDA-SEC-016: Lambda DynamoDB FilterExpression Injection - Severity: HIGH | CWE: CWE-943 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-016 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-016 --project . Lambda event data flows to a DynamoDB FilterExpression string, enabling expression manipulation in serverless DynamoDB scan and query operations. **Vulnerable Code:** ``` import json # SEC-016: DynamoDB filter injection def handler_dynamodb(event, context): import boto3 table = boto3.resource('dynamodb').Table('users') filter_expr = event.get('filter') result = table.scan(FilterExpression=filter_expr) return {"statusCode": 200, "body": json.dumps(result)} ``` --- ### PYTHON-LAMBDA-SEC-020: Lambda XSS via Tainted HTML Response Body - Severity: HIGH | CWE: CWE-79 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-020 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-020 --project . Lambda event data is embedded directly in an HTML response body returned to API Gateway, enabling Cross-Site Scripting attacks against end users. **Vulnerable Code:** ``` import json import pickle # SEC-020: tainted HTML response def handler_html_response(event, context): name = event.get('name') body = f"Hello {name}" return { "statusCode": 200, "body": json.dumps({"html": body}), "headers": {"Content-Type": "text/html"} } ``` --- ### PYTHON-LAMBDA-SEC-022: Lambda Code Injection via eval() or exec() - Severity: CRITICAL | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-022 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-022 --project . Lambda event data flows to eval() or exec(), enabling arbitrary Python code execution with the full permissions of the Lambda execution environment. **Vulnerable Code:** ``` import json import pickle # SEC-022: exec with event data def handler_exec(event, context): code = event.get('code') exec(code) return {"statusCode": 200} ``` --- ### PYTHON-LAMBDA-SEC-023: Lambda Remote Code Execution via Pickle Deserialization - Severity: CRITICAL | CWE: CWE-502 | OWASP: A08:2021 - Language: python | Category: aws_lambda - URL: https://codepathfinder.dev/registry/python/aws_lambda/PYTHON-LAMBDA-SEC-023 - Detection: pathfinder scan --ruleset python/PYTHON-LAMBDA-SEC-023 --project . Lambda event data flows to pickle.loads() or pickle.load(), enabling arbitrary Python code execution during deserialization of attacker-controlled bytes. **Vulnerable Code:** ``` import json import pickle # SEC-023: pickle deserialization def handler_pickle(event, context): data = event.get('payload') obj = pickle.loads(data) return {"statusCode": 200, "body": json.dumps(str(obj))} ``` --- ### PYTHON-LANG-SEC-001: Dangerous eval() Usage Detected - Severity: HIGH | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-001 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-001 --project . eval() executes arbitrary Python expressions from strings, enabling remote code execution when called with untrusted input. **Vulnerable Code:** ``` import code import importlib import typing # SEC-001: eval user_input = input("Enter expression: ") result = eval(user_input) ``` --- ### PYTHON-LANG-SEC-002: Dangerous exec() Usage Detected - Severity: HIGH | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-002 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-002 --project . exec() executes arbitrary Python statements from strings or code objects, enabling remote code execution when called with untrusted input. **Vulnerable Code:** ``` import code import importlib import typing # SEC-002: exec code_str = "print('hello')" exec(code_str) ``` --- ### PYTHON-LANG-SEC-003: Dangerous code.InteractiveConsole Usage - Severity: HIGH | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-003 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-003 --project . code.InteractiveConsole and code.interact() enable arbitrary Python code execution and should not be exposed to untrusted users. **Vulnerable Code:** ``` import code import importlib import typing # SEC-003: code.InteractiveConsole console = code.InteractiveConsole() code.interact() ``` --- ### PYTHON-LANG-SEC-004: Dangerous globals() Usage Detected - Severity: MEDIUM | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-004 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-004 --project . globals() exposes the module's global namespace as a mutable dictionary, allowing arbitrary attribute injection when passed to untrusted code. **Vulnerable Code:** ``` import code import importlib import typing # SEC-004: globals def render(template, **kwargs): return template.format(**globals()) ``` --- ### PYTHON-LANG-SEC-005: Non-literal Dynamic Import Detected - Severity: MEDIUM | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-005 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-005 --project . __import__() or importlib.import_module() with a non-literal argument can import arbitrary modules when called with untrusted input. **Vulnerable Code:** ``` import code import importlib import typing # SEC-005: non-literal import module_name = "os" mod = __import__(module_name) mod2 = importlib.import_module(module_name) ``` --- ### PYTHON-LANG-SEC-006: Dangerous typing.get_type_hints() Usage - Severity: MEDIUM | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-006 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-006 --project . typing.get_type_hints() evaluates string annotations as Python expressions, enabling code execution when annotation strings contain untrusted content. **Vulnerable Code:** ``` import code import importlib import typing # SEC-006: dangerous annotations class Foo: x: "eval('malicious')" = 1 hints = typing.get_type_hints(Foo) ``` --- ### PYTHON-LANG-SEC-010: Dangerous os.system() or os.popen() Call - Severity: HIGH | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-010 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-010 --project . os.system() and os.popen() execute shell commands via /bin/sh, enabling command injection when arguments contain untrusted input. **Vulnerable Code:** ``` import os os.system("rm -rf /tmp/cache") os.popen("ls -la") ``` --- ### PYTHON-LANG-SEC-011: Dangerous os.exec*() Call - Severity: HIGH | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-011 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-011 --project . os.exec*() replaces the current process image with a new program, enabling arbitrary program execution when arguments are untrusted. **Vulnerable Code:** ``` import os import socket os.execl("/bin/sh", "sh", "-c", "echo hello") ``` --- ### PYTHON-LANG-SEC-012: Dangerous os.spawn*() Call - Severity: HIGH | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-012 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-012 --project . os.spawn*() spawns a new process and can execute arbitrary programs when the executable path or arguments are derived from untrusted input. **Vulnerable Code:** ``` import os import socket os.spawnl(os.P_NOWAIT, "/bin/sh", "sh") ``` --- ### PYTHON-LANG-SEC-013: Shell Command with Wildcard Character - Severity: MEDIUM | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-013 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-013 --project . os.system() calls containing wildcard characters (*) may lead to unintended file inclusion or command injection through wildcard expansion. **Vulnerable Code:** ``` import os user_input = input("Enter command: ") os.system(user_input) ``` --- ### PYTHON-LANG-SEC-014: Python Reverse Shell Pattern Detected - Severity: CRITICAL | CWE: CWE-506 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-014 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-014 --project . Reverse shell pattern detected using socket connections with subprocess or exec(). This is a strong indicator of malicious code or a backdoor. **Vulnerable Code:** ``` import os import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ``` --- ### PYTHON-LANG-SEC-020: Dangerous subprocess Usage - Severity: HIGH | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-020 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-020 --project . subprocess calls detected. Ensure command arguments are not user-controlled to prevent OS command injection. **Vulnerable Code:** ``` import subprocess import asyncio # SEC-020: subprocess calls subprocess.call(["ls", "-la"]) subprocess.check_output("whoami", shell=True) subprocess.Popen("cat /etc/passwd", shell=True) subprocess.run("echo hello", shell=True) ``` --- ### PYTHON-LANG-SEC-021: subprocess Called with shell=True - Severity: HIGH | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-021 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-021 --project . subprocess called with shell=True passes the command through the system shell, enabling command injection when any part of the command contains untrusted input. **Vulnerable Code:** ``` import subprocess import asyncio # SEC-021: subprocess with shell=True subprocess.call("rm -rf /tmp/*", shell=True) subprocess.run("ls", shell=True) ``` --- ### PYTHON-LANG-SEC-022: Dangerous asyncio Shell Execution - Severity: HIGH | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-022 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-022 --project . asyncio.create_subprocess_shell() passes the command through the system shell, enabling command injection when arguments contain untrusted input. **Vulnerable Code:** ``` import subprocess import asyncio # SEC-022: asyncio shell async def run_cmd(): proc = await asyncio.create_subprocess_shell("ls -la") await proc.communicate() ``` --- ### PYTHON-LANG-SEC-023: Dangerous subinterpreters run_string() Usage - Severity: HIGH | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-023 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-023 --project . subinterpreters.run_string() executes arbitrary Python code strings in sub-interpreters, enabling code injection when called with untrusted input. **Vulnerable Code:** ``` import subprocess import asyncio # SEC-023: subinterpreters import _xxsubinterpreters _xxsubinterpreters.run_string("print('hello')") ``` --- ### PYTHON-LANG-SEC-030: Insecure MD5 Hash Usage - Severity: MEDIUM | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-030 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-030 --project . MD5 is cryptographically broken and unsuitable for security-sensitive purposes. Use SHA-256 or SHA-3 instead. **Vulnerable Code:** ``` import hashlib digest = hashlib.md5(b"data").hexdigest() h = hashlib.md5() h.update(b"more data") ``` --- ### PYTHON-LANG-SEC-031: Insecure SHA-1 Hash Usage - Severity: MEDIUM | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-031 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-031 --project . SHA-1 is cryptographically weak due to practical collision attacks. Use SHA-256 or SHA-3 for security-sensitive hashing. **Vulnerable Code:** ``` import hashlib sha1_hash = hashlib.sha1(b"data") ``` --- ### PYTHON-LANG-SEC-032: Insecure Hash via hashlib.new() - Severity: MEDIUM | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-032 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-032 --project . hashlib.new() with an insecure algorithm name (MD5, SHA1, SHA-224) creates a cryptographically weak hash. Use SHA-256 or SHA-3. **Vulnerable Code:** ``` import hashlib # SEC-032: hashlib.new with insecure algo h = hashlib.new("md5", b"data") ``` --- ### PYTHON-LANG-SEC-033: SHA-224 or SHA3-224 Weak Hash Usage - Severity: LOW | CWE: CWE-327 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-033 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-033 --project . SHA-224 and SHA3-224 provide only 112-bit collision resistance, which is below the 128-bit minimum recommended by NIST for new applications. **Vulnerable Code:** ``` import hashlib sha224_hash = hashlib.sha224(b"data") ``` --- ### PYTHON-LANG-SEC-034: MD5 Used for Password Hashing - Severity: HIGH | CWE: CWE-916 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-034 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-034 --project . MD5 is being used to hash passwords. MD5 is cryptographically broken and orders of magnitude too fast for password hashing. Use bcrypt, scrypt, or argon2. **Vulnerable Code:** ``` import hashlib password = "user_password" hashed = hashlib.md5(password.encode()).hexdigest() ``` --- ### PYTHON-LANG-SEC-040: Pickle Deserialization of Untrusted Data - Severity: HIGH | CWE: CWE-502 | OWASP: A08:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-040 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-040 --project . pickle.loads() and pickle.load() execute arbitrary Python code during deserialization. Never unpickle data from untrusted sources. **Vulnerable Code:** ``` import pickle import yaml import marshal import shelve # SEC-040: pickle data = pickle.loads(b"malicious") with open("data.pkl", "rb") as f: obj = pickle.load(f) unpickler = pickle.Unpickler(f) ``` --- ### PYTHON-LANG-SEC-041: PyYAML Unsafe Load Function - Severity: HIGH | CWE: CWE-502 | OWASP: A08:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-041 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-041 --project . yaml.load() and yaml.unsafe_load() can execute arbitrary Python objects during YAML parsing. Use yaml.safe_load() instead. **Vulnerable Code:** ``` import pickle import yaml import marshal import shelve # SEC-041: yaml unsafe load with open("config.yml") as f: config = yaml.load(f, Loader=yaml.FullLoader) unsafe = yaml.unsafe_load(f) ``` --- ### PYTHON-LANG-SEC-042: jsonpickle Deserialization Detected - Severity: HIGH | CWE: CWE-502 | OWASP: A08:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-042 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-042 --project . jsonpickle.decode() can execute arbitrary Python code during deserialization. Use the standard json module for untrusted data. **Vulnerable Code:** ``` import pickle import yaml import marshal import shelve # SEC-042: jsonpickle import jsonpickle decoded = jsonpickle.decode('{"py/object": "os.system"}') ``` --- ### PYTHON-LANG-SEC-043: ruamel.yaml Unsafe Loader Configuration - Severity: HIGH | CWE: CWE-502 | OWASP: A08:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-043 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-043 --project . ruamel.yaml configured with typ='unsafe' can instantiate arbitrary Python objects during YAML parsing. Use typ='safe' or the default round-trip loader. **Vulnerable Code:** ``` import pickle import yaml import marshal import shelve # SEC-043: ruamel.yaml unsafe from ruamel.yaml import YAML ym = YAML(typ="unsafe") ``` --- ### PYTHON-LANG-SEC-044: marshal Deserialization Detected - Severity: MEDIUM | CWE: CWE-502 | OWASP: A08:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-044 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-044 --project . marshal.loads() and marshal.load() are not secure against erroneous or malicious data and should not be used to deserialize untrusted input. **Vulnerable Code:** ``` import pickle import yaml import marshal import shelve # SEC-044: marshal code_obj = marshal.loads(b"data") ``` --- ### PYTHON-LANG-SEC-045: shelve Module Usage Detected - Severity: MEDIUM | CWE: CWE-502 | OWASP: A08:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-045 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-045 --project . shelve.open() uses pickle internally for value serialization and is not safe for storing or retrieving data from untrusted sources. **Vulnerable Code:** ``` import pickle import yaml import marshal import shelve # SEC-045: shelve db = shelve.open("mydb") ``` --- ### PYTHON-LANG-SEC-046: dill Deserialization Detected - Severity: HIGH | CWE: CWE-502 | OWASP: A08:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-046 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-046 --project . dill.loads() and dill.load() extend pickle with broader serialization capabilities and can execute arbitrary code when deserializing untrusted data. **Vulnerable Code:** ``` import pickle import yaml import marshal import shelve # SEC-046: dill import dill obj = dill.loads(b"data") ``` --- ### PYTHON-LANG-SEC-050: Unverified SSL Context Created - Severity: HIGH | CWE: CWE-295 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-050 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-050 --project . ssl._create_unverified_context() disables certificate verification entirely, making TLS connections vulnerable to man-in-the-middle attacks. **Vulnerable Code:** ``` import ssl import http.client import requests as http_requests ctx = ssl._create_unverified_context() ``` --- ### PYTHON-LANG-SEC-051: Weak SSL/TLS Protocol Version - Severity: HIGH | CWE: CWE-326 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-051 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-051 --project . SSLContext configured with SSLv2, SSLv3, TLSv1.0, or TLSv1.1 uses deprecated protocols with known vulnerabilities. Use TLS 1.2 or TLS 1.3. **Vulnerable Code:** ``` import ssl import http.client import requests as http_requests ctx2 = ssl.SSLContext(ssl.PROTOCOL_SSLv2) ``` --- ### PYTHON-LANG-SEC-052: Deprecated ssl.wrap_socket() Usage - Severity: MEDIUM | CWE: CWE-326 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-052 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-052 --project . ssl.wrap_socket() is deprecated since Python 3.7 and should be replaced with SSLContext.wrap_socket() for proper TLS configuration. **Vulnerable Code:** ``` import ssl import http.client import requests as http_requests # SEC-052: deprecated wrap_socket wrapped = ssl.wrap_socket(sock) ``` --- ### PYTHON-LANG-SEC-053: Certificate Validation Disabled (verify=False) - Severity: HIGH | CWE: CWE-295 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-053 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-053 --project . TLS certificate validation is explicitly disabled via verify=False or CERT_NONE, making connections vulnerable to man-in-the-middle attacks. **Vulnerable Code:** ``` import ssl import http.client import requests as http_requests resp = http_requests.get("https://example.com", verify=False) ``` --- ### PYTHON-LANG-SEC-054: Insecure HTTP Connection via http.client - Severity: MEDIUM | CWE: CWE-319 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-054 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-054 --project . http.client.HTTPConnection transmits data in plaintext without encryption. Use HTTPSConnection for sensitive communications. **Vulnerable Code:** ``` import ssl import http.client import requests as http_requests conn = http.client.HTTPConnection("example.com") ``` --- ### PYTHON-LANG-SEC-060: HTTP Request Without TLS (requests library) - Severity: MEDIUM | CWE: CWE-319 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-060 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-060 --project . HTTP URLs in requests calls transmit data in plaintext without encryption. Use HTTPS URLs for sensitive data transmission. **Vulnerable Code:** ``` import requests as http_requests import urllib.request import ftplib import telnetlib # SEC-060: requests with HTTP resp = http_requests.get("http://example.com/api") http_requests.post("http://example.com/data", data={"key": "val"}) ``` --- ### PYTHON-LANG-SEC-061: Insecure urllib.request.urlopen() Usage - Severity: MEDIUM | CWE: CWE-319 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-061 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-061 --project . urllib.request.urlopen() over HTTP transmits data in plaintext. Verify HTTPS URLs are used and SSL context is properly configured. **Vulnerable Code:** ``` import requests as http_requests import urllib.request import ftplib import telnetlib # SEC-061: urllib insecure urllib.request.urlopen("http://example.com") urllib.request.urlretrieve("http://example.com/file", "local.txt") ``` --- ### PYTHON-LANG-SEC-062: Insecure urllib Request Object Usage - Severity: MEDIUM | CWE: CWE-319 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-062 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-062 --project . urllib.request.Request() and OpenerDirector used with HTTP URLs transmit data in plaintext. Verify HTTPS URLs are used. **Vulnerable Code:** ``` import requests as http_requests import urllib.request import ftplib import telnetlib # SEC-062: urllib Request req = urllib.request.Request("http://example.com") ``` --- ### PYTHON-LANG-SEC-063: FTP Without TLS (ftplib.FTP) - Severity: MEDIUM | CWE: CWE-319 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-063 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-063 --project . ftplib.FTP() transmits data and credentials in plaintext. Use ftplib.FTP_TLS() or SFTP (via paramiko) for secure file transfer. **Vulnerable Code:** ``` import requests as http_requests import urllib.request import ftplib import telnetlib # SEC-063: FTP without TLS ftp = ftplib.FTP("ftp.example.com") ``` --- ### PYTHON-LANG-SEC-064: telnetlib Usage Detected - Severity: HIGH | CWE: CWE-319 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-064 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-064 --project . telnetlib.Telnet() transmits all data including credentials in plaintext. Replace with SSH (paramiko) for remote command execution. **Vulnerable Code:** ``` import requests as http_requests import urllib.request import ftplib import telnetlib # SEC-064: telnetlib tn = telnetlib.Telnet("example.com", 23) ``` --- ### PYTHON-LANG-SEC-070: Socket Bound to All Interfaces (0.0.0.0) - Severity: MEDIUM | CWE: CWE-668 | OWASP: A05:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-070 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-070 --project . Binding a socket to 0.0.0.0 exposes the service on all network interfaces, including public-facing ones. Bind to specific interfaces in production. **Vulnerable Code:** ``` import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(("0.0.0.0", 8080)) ``` --- ### PYTHON-LANG-SEC-071: Paramiko Implicit Host Key Trust (AutoAddPolicy) - Severity: HIGH | CWE: CWE-322 | OWASP: A02:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-071 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-071 --project . paramiko.AutoAddPolicy() and WarningPolicy() automatically accept unknown SSH host keys, enabling man-in-the-middle attacks on SSH connections. **Vulnerable Code:** ``` import socket import paramiko import multiprocessing.connection client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ``` --- ### PYTHON-LANG-SEC-072: Paramiko exec_command() Usage - Severity: MEDIUM | CWE: CWE-78 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-072 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-072 --project . paramiko exec_command() runs commands on a remote host. Audit that command arguments are not derived from untrusted input to prevent command injection. **Vulnerable Code:** ``` import socket import paramiko import multiprocessing.connection # SEC-072: paramiko exec_command stdin, stdout, stderr = client.exec_command("ls -la") ``` --- ### PYTHON-LANG-SEC-073: multiprocessing Connection.recv() Usage - Severity: MEDIUM | CWE: CWE-502 | OWASP: A08:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-073 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-073 --project . multiprocessing.Connection.recv() uses pickle internally and is not safe for receiving data from untrusted connections. **Vulnerable Code:** ``` from multiprocessing.connection import Client conn = Client(('localhost', 6000)) data = conn.recv() ``` --- ### PYTHON-LANG-SEC-080: psycopg2 SQL Injection via String Formatting - Severity: CRITICAL | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-080 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-080 --project . SQL query built with string formatting passed to psycopg2 cursor.execute() enables SQL injection. Use parameterized queries with %s placeholders. **Vulnerable Code:** ``` import sqlite3 # SEC-080: psycopg2 import psycopg2 pg_conn = psycopg2.connect("dbname=test") pg_cursor = pg_conn.cursor() name = "user_input" pg_cursor.execute("SELECT * FROM users WHERE name = '" + name + "'") ``` --- ### PYTHON-LANG-SEC-084: Formatted SQL Query Passed to cursor.execute() - Severity: HIGH | CWE: CWE-89 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-084 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-084 --project . SQL query built with string formatting detected. String-formatted SQL strings are a common SQL injection vector. Use parameterized queries. **Vulnerable Code:** ``` import sqlite3 # SEC-084: formatted SQL (general) conn2 = sqlite3.connect("test.db") cursor = conn2.cursor() cursor.execute("SELECT * FROM products WHERE id = " + product_id) ``` --- ### PYTHON-LANG-SEC-090: Insecure XML Parsing (XXE Vulnerability) - Severity: MEDIUM | CWE: CWE-611 | OWASP: A05:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-090 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-090 --project . xml.etree.ElementTree is vulnerable to XML External Entity (XXE) attacks. Use defusedxml for safe XML parsing. **Vulnerable Code:** ``` import xml.etree.ElementTree as ET import xml.dom.minidom import xml.sax import xmlrpc.client import csv # SEC-090: insecure XML parsing tree = ET.parse("data.xml") root = ET.fromstring("") ``` --- ### PYTHON-LANG-SEC-091: Insecure xml.dom.minidom Usage (XXE) - Severity: MEDIUM | CWE: CWE-611 | OWASP: A05:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-091 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-091 --project . xml.dom.minidom is vulnerable to XML External Entity (XXE) attacks. Use defusedxml.minidom for safe XML parsing. **Vulnerable Code:** ``` import xml.etree.ElementTree as ET import xml.dom.minidom import xml.sax import xmlrpc.client import csv # SEC-091: minidom doc = xml.dom.minidom.parse("data.xml") doc2 = xml.dom.minidom.parseString("") ``` --- ### PYTHON-LANG-SEC-092: Insecure xmlrpc Usage (XXE Risk) - Severity: MEDIUM | CWE: CWE-611 | OWASP: A05:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-092 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-092 --project . xmlrpc.client.ServerProxy and xmlrpc.server modules are vulnerable to XXE attacks via malicious XML-RPC payloads. Use defusedxml.xmlrpc for protection. **Vulnerable Code:** ``` import xml.etree.ElementTree as ET import xml.dom.minidom import xml.sax import xmlrpc.client import csv # SEC-092: xmlrpc proxy = xmlrpc.client.ServerProxy("http://example.com/rpc") ``` --- ### PYTHON-LANG-SEC-093: Mako Template Usage Detected - Severity: MEDIUM | CWE: CWE-94 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-093 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-093 --project . Mako templates execute Python expressions without sandboxing. Ensure templates are from trusted sources and user input is not rendered as template code. **Vulnerable Code:** ``` import xml.etree.ElementTree as ET import xml.dom.minidom import xml.sax import xmlrpc.client import csv # SEC-093: mako from mako.template import Template tmpl = Template("Hello ${name}") ``` --- ### PYTHON-LANG-SEC-094: csv.writer Audit (Formula Injection Risk) - Severity: LOW | CWE: CWE-1236 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-094 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-094 --project . csv.writer() detected. Audit CSV output for formula injection (CSV injection) if data is exported to spreadsheet applications. **Vulnerable Code:** ``` import xml.etree.ElementTree as ET import xml.dom.minidom import xml.sax import xmlrpc.client import csv # SEC-094: csv.writer import io writer = csv.writer(io.StringIO()) dict_writer = csv.DictWriter(io.StringIO(), fieldnames=["a", "b"]) ``` --- ### PYTHON-LANG-SEC-100: UUID Version 1 Leaks MAC Address - Severity: LOW | CWE: CWE-200 | OWASP: A05:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-100 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-100 --project . uuid.uuid1() embeds the host MAC address in the generated UUID, leaking hardware identity information. **Vulnerable Code:** ``` import uuid import os import re import logging import logging.config # SEC-100: uuid1 (leaks MAC) uid = uuid.uuid1() ``` --- ### PYTHON-LANG-SEC-101: Insecure File Permissions via os.chmod - Severity: MEDIUM | CWE: CWE-732 | OWASP: A05:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-101 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-101 --project . os.chmod() or os.fchmod() sets overly permissive file permissions that allow unauthorized read, write, or execute access. **Vulnerable Code:** ``` import uuid import os import re import logging import logging.config # SEC-101: insecure file permissions os.chmod("/tmp/data", 0o777) os.fchmod(3, 0o666) ``` --- ### PYTHON-LANG-SEC-102: Hardcoded Password in Default Function Argument - Severity: HIGH | CWE: CWE-259 | OWASP: A07:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-102 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-102 --project . A function defines a default argument whose name suggests a password or secret but whose value is a hardcoded string literal. **Vulnerable Code:** ``` import uuid import os import re import logging import logging.config # SEC-102: hardcoded password import mysql.connector conn = mysql.connector.connect(host="db", password="secret123") ``` --- ### PYTHON-LANG-SEC-103: Regex DoS Risk - Severity: LOW | CWE: CWE-1333 | OWASP: A06:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-103 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-103 --project . Detects re.compile(), re.match(), re.search(), and re.findall() calls that should be audited for catastrophic backtracking patterns. **Vulnerable Code:** ``` import uuid import os import re import logging import logging.config # SEC-103: regex DoS pattern = re.compile(r"(a+)+$") re.match(r"(a|b)*c", user_input) re.search(r"(\d+\.)+", text) ``` --- ### PYTHON-LANG-SEC-104: logging.config.listen() Eval Risk - Severity: HIGH | CWE: CWE-95 | OWASP: A03:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-104 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-104 --project . Detects logging.config.listen() which opens a socket that accepts and executes arbitrary logging configuration, enabling remote code execution. **Vulnerable Code:** ``` import uuid import os import re import logging import logging.config # SEC-104: logging.config.listen server = logging.config.listen(9999) ``` --- ### PYTHON-LANG-SEC-105: Logger Credential Leak Risk - Severity: MEDIUM | CWE: CWE-532 | OWASP: A09:2021 - Language: python | Category: lang - URL: https://codepathfinder.dev/registry/python/lang/PYTHON-LANG-SEC-105 - Detection: pathfinder scan --ruleset python/PYTHON-LANG-SEC-105 --project . Detects logging calls (info, debug, warning, error, critical) that should be audited for accidental credential or secret leakage in log output. **Vulnerable Code:** ``` import uuid import os import re import logging import logging.config # SEC-105: logger credential leak logging.info("User logged in with password: %s", password) logging.debug("API key: %s", api_key) ``` --- ### PYTHON-PYRAMID-SEC-001: Pyramid CSRF Check Disabled Globally - Severity: HIGH | CWE: CWE-352 | OWASP: A05:2021 - Language: python | Category: pyramid - URL: https://codepathfinder.dev/registry/python/pyramid/PYTHON-PYRAMID-SEC-001 - Detection: pathfinder scan --ruleset python/PYTHON-PYRAMID-SEC-001 --project . Detects calls to set_default_csrf_options() which can globally disable CSRF protection in Pyramid applications. **Vulnerable Code:** ``` from pyramid.config import Configurator from pyramid.response import Response # SEC-001: CSRF disabled config = Configurator() config.set_default_csrf_options(require_csrf=False) ``` --- ### PYTHON-PYRAMID-SEC-002: Pyramid Direct Response XSS - Severity: HIGH | CWE: CWE-79 | OWASP: A03:2021 - Language: python | Category: pyramid - URL: https://codepathfinder.dev/registry/python/pyramid/PYTHON-PYRAMID-SEC-002 - Detection: pathfinder scan --ruleset python/PYTHON-PYRAMID-SEC-002 --project . Traces user input from Pyramid request objects to Response() constructors, enabling reflected cross-site scripting. **Vulnerable Code:** ``` from pyramid.config import Configurator from pyramid.response import Response # SEC-002: Direct response XSS def vulnerable_view(request): name = request.params.get('name') return Response(f"Hello {name}") ``` --- ## Blog Posts - **Code Pathfinder now speaks Go** (2026-04-18) Code Pathfinder v2.1.0 adds Go support: 21 security rules, cross-file taint analysis, and type-aware detection across Gin, Echo, Fiber, GORM, sqlx, gRPC, and the standard library. URL: https://codepathfinder.dev/blog/announcing-golang-support-code-pathfinder - **Same Bug, Different Endpoint: Finding Path Traversal in Langflow with Code Pathfinder** (2026-04-15) How Code Pathfinder's variant analysis detected an unpatched path traversal in Langflow's Knowledge Bases API, the same bug class as CVE-2026-33497. URL: https://codepathfinder.dev/blog/langflow-knowledge-bases-path-traversal-variant-analysis - **CVE-2026-33186: Bypassing gRPC-Go Authorization with a Missing Slash** (2026-04-01) CVE-2026-33186 - A path normalization flaw in grpc-go v1.79.2 and earlier allows attackers to bypass path-based authorization interceptors by omitting the leading slash in the HTTP/2 :path pseudo-header. Both custom interceptors and the official grpc/authz policy engine are affected. URL: https://codepathfinder.dev/blog/cve-2026-33186-grpc-go-authorization-bypass-malformed-path-header - **Cross-File Dataflow Analysis: Taint Tracking Across Your Entire Project** (2026-03-17) Code Pathfinder v2.0 ships inter-procedural taint analysis that traces vulnerable data flows across files, functions, and module boundaries. Here's how it works and how to write your first flow analysis rule. URL: https://codepathfinder.dev/blog/cross-file-dataflow-analysis-taint-tracking-across-your-entire-project - **Automated GitHub PR Security Comments & Inline SAST Findings with Code Pathfinder** (2026-02-21) Code Pathfinder's GitHub Action now posts security scan results as PR summary comments and inline review annotations. Browse 100+ open-source SAST rules at codepathfinder.dev/registry. URL: https://codepathfinder.dev/blog/github-summary-pull-request-comments-integration - **Stop Grepping, Start Querying: MCP Server for Code-Pathfinder** (2026-01-11) Connect Code-Pathfinder's indexed code analysis directly to Claude Code, Codex, and MCP-enabled AI agents. Query call graphs, resolve imports, and find vulnerabilities instantly without grep or file reads. Open-source MCP server for Python codebases. URL: https://codepathfinder.dev/blog/mcp-server-code-pathfinder - **One API Key to Rule Them All: SecureFlow Adds OpenRouter Support** (2025-12-27) Stop juggling API keys. SecureFlow now integrates with OpenRouter for access to 200+ AI models, plus a major UI refresh with Svelte URL: https://codepathfinder.dev/blog/secureflow-openrouter-integration - **Docker Security Rules: Detect 47 Container Vulnerabilities & Misconfigurations [2025]** (2025-12-10) Discover 47 Docker security rules to catch critical vulnerabilities. Prevent privilege escalation, socket exposure & misconfigurations with automated SAST scanning. URL: https://codepathfinder.dev/blog/announcing-docker-compose-security-rules - **Introducing SecureFlow CLI to Hunt Vulnerabilities** (2025-10-01) AI-powered security scanning tool using agentic loops to hunt vulnerabilities - discovered 300+ issues in WordPress plugins with 12+ AI model support and DefectDojo integration. URL: https://codepathfinder.dev/blog/introducing-secureflow-cli-to-hunt-vuln - **Introducing SecureFlow Extension to Vibe Code Securely** (2025-07-29) Discover SecureFlow, a VS Code extension that helps developers write secure code by providing real-time security analysis, vulnerability detection, and guided remediation - all within your editor URL: https://codepathfinder.dev/blog/introducing-secureflow-extension-to-vibe-code-securely - **Silence the Noise: A Practical Guide to Systematically Reducing SAST False Positives** (2025-04-19) Drowning in SAST false positives? This guide provides a step-by-step strategy to reduce noise and make security findings actionable. URL: https://codepathfinder.dev/blog/silence-the-noise-a-practical-guide-to-systematically-reducing-sast-false-positives - **Static Analysis Isn't Enough: Understanding Library Interactions for Effective Data Flow Tracking** (2025-04-17) Static analysis tools go blind without understanding library calls – learn why modeling them is critical for finding real security flaws. URL: https://codepathfinder.dev/blog/static-analysis-isnt-enough-understanding-library-interactions-for-effective-data-flow-tracking - **Detecting WebView Misconfigurations in Android With Code-PathFinder** (2024-10-20) A short blog post about finding WebView misconfigurations in Android with Code-PathFinder URL: https://codepathfinder.dev/blog/finding-webview-misconfigurations-android - **Code PathFinder - Open Source CodeQL Alternative** (2024-10-01) A short blog post about Code PathFinder, a CodeQL OSS alternative URL: https://codepathfinder.dev/blog/codeql-oss-alternative