MCP Scorecard


Code Pathfinder: Security Scanning Through Code Graphs, Not Grep

An AI-native SAST tool that builds AST, control flow, and data flow graphs — then lets AI agents query them via MCP. Claims 98% fewer false positives than pattern-matching scanners. 110 stars.
dev.codepathfinder

Most code analysis MCP servers read files. dev.codepathfinder/pathfinder reads structure.

What It Does

Code Pathfinder is an open-source static application security testing (SAST) tool that indexes your codebase into queryable graphs — Abstract Syntax Trees, Control Flow Graphs, and Data Flow Graphs. Instead of scanning for regex patterns (the approach that produces mountains of false positives), it traces actual execution paths from source to sink.

The MCP server exposes these graphs as tools. An AI agent can query: "show me all paths from user input to SQL execution" or "trace this variable from the HTTP request handler to the database layer" — and get structural answers, not text matches. This is semantic code understanding, not string search.

The False Positive Claim

Code Pathfinder claims 98% fewer false positives than traditional pattern-matching scanners. The mechanism: after the graph analysis identifies potential vulnerabilities, an LLM triage step evaluates each finding in context — understanding whether the flagged code path is actually reachable, whether inputs are sanitized upstream, whether the pattern is a real vulnerability or a benign match. The tool supports Claude, GPT, Gemini, and Ollama for this triage step.
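To make the source-to-sink tracing described above and the false-positive argument concrete, here is a small added example (not Code Pathfinder's code) that runs a grep-style check and a toy intra-procedural data-flow check over the same two handlers; the sample handlers, the `request.args` source, the `execute` sink and the `int` sanitizer are all assumptions, and the LLM triage step is not modelled.

```python
import ast
import re

# Constructed sample (not from the page): both handlers concatenate a query, only one with raw input.
SAMPLE = '''
def vulnerable(request, cursor):
    name = request.args["name"]
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)
def safe(request, cursor):
    uid = int(request.args["id"])
    query = "SELECT * FROM users WHERE id = " + str(uid)
    cursor.execute(query)
'''
SOURCE = "request.args"  # assumed taint source (attribute expression)
SINK = "execute"         # assumed sink method name
SANITIZERS = {"int"}     # assumed calls that neutralise taint

def grep_findings(src):
    # Pattern baseline: flag every function whose text mixes '+' and '.execute('.
    return [m.group(1) for m in re.finditer(r"def (\w+)\(.*?(?=\ndef |\Z)", src, re.S)
            if "+" in m.group(0) and ".execute(" in m.group(0)]

def is_tainted(expr, tainted):
    # An expression is tainted if it reads the source or a tainted name, unless a sanitizer wraps it.
    if isinstance(expr, ast.Call) and getattr(expr.func, "id", None) in SANITIZERS:
        return False
    for node in ast.walk(expr):
        if isinstance(node, ast.Name) and node.id in tainted:
            return True
        if isinstance(node, ast.Attribute) and ast.unparse(node) == SOURCE:
            return True
    return False

def taint_findings(src):
    # Intra-procedural data flow: propagate taint through assignments, report only real source-to-sink paths.
    hits = []
    for fn in ast.parse(src).body:
        tainted = set()
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                if is_tainted(stmt.value, tainted):
                    tainted.add(stmt.targets[0].id)
                else:
                    tainted.discard(stmt.targets[0].id)
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if getattr(call.func, "attr", None) == SINK and any(is_tainted(a, tainted) for a in call.args):
                    hits.append(fn.name)
    return hits
```

The pattern check flags both handlers; the data-flow check flags only `vulnerable`, because the `int()` call in `safe` breaks the path from source to sink.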

The Stack

Multiple interfaces: VS Code extension, CLI, and MCP server. Supports Python, Java, JavaScript, and Docker/Docker Compose analysis. Go support is coming. SARIF export for GitHub Advanced Security integration and DefectDojo compatibility. Median scan time: 10 seconds. Available via Homebrew, pip, and Docker.

What to Know

Built by shivasurya. 110 stars. AGPL-3.0 license — this is copyleft, meaning any modifications must also be open-sourced. The product website at codepathfinder.dev positions it as a developer tool with a security focus, not a pure security product.

The graph-based approach is genuinely different from what most code-analysis MCP servers offer. File reading gives AI agents text. Code Pathfinder gives them topology — the difference between seeing a map and seeing the terrain.

Score: 76. No flags. AGPL-3.0.

Sources: shivasurya — GitHub · Code Pathfinder — repo · codepathfinder.dev · Scorecard: dev.codepathfinder (score 76)