Releases: shivasurya/code-pathfinder

Release v1.1.1

10 Dec 09:22
v1.1.1
0b715fd

🐳 Code Pathfinder v1.1.1 - Container Security Edition

We're excited to announce Code Pathfinder v1.1.1, a massive release that introduces comprehensive
Docker and container security analysis capabilities! This release adds 47 security rules, a powerful
Python DSL for writing custom rules, and native Dockerfile/docker-compose parsing.

🚀 Major Features

Complete Docker Security Analysis

Code Pathfinder now supports deep security analysis of containerized applications with:

  • Native Dockerfile Parsing - Full tree-sitter-based parsing of all 18 Dockerfile instructions
  • Docker Compose Support - Parse and analyze docker-compose.yml files with security-focused
    queries
  • 47 Built-in Security Rules - Comprehensive coverage of OWASP Docker Security, CIS Docker
    Benchmark, and industry best practices
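
An added example, not the project's compose parser or one of its bundled rules, of the kind of query a security-focused docker-compose rule has to make. It is stand-alone Python over the mapping a YAML loader returns (the `yaml.safe_load()` step is left out so the block runs offline with the standard library) and checks the settings a Dockerfile cannot express but which turn a container into a host-level foothold: privileged mode, host PID/network/IPC namespaces, dangerous added capabilities, sensitive host bind mounts (the Docker socket above all), ports published on every interface, and missing hardening (`cap_drop`, `no-new-privileges`). The compose content, the `registry.example.invalid` images and the rule names are constructed for the example.

```python
# Added example: security queries over a docker-compose service definition. This is NOT
# Code Pathfinder's compose parser or one of its bundled rules. COMPOSE is a constructed
# sample written as the dict that yaml.safe_load() would return for the YAML file.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH", "ALL"}
SENSITIVE_HOST_PATHS = {"/var/run/docker.sock", "/etc", "/proc", "/sys", "/dev", "/root"}


def check_service(name, svc):
    """Return (service, rule, severity, detail) tuples for one service mapping."""
    findings = []

    def add(rule, severity, detail):
        findings.append((name, rule, severity, detail))

    if svc.get("privileged") is True:
        add("privileged", "high", "privileged: true grants all capabilities and host devices")
    for key in ("pid", "network_mode", "ipc"):
        if svc.get(key) == "host":
            add("host-namespace", "high", f"{key}: host shares the host namespace")
    for cap in svc.get("cap_add") or []:
        if str(cap).upper().removeprefix("CAP_") in DANGEROUS_CAPS:
            add("dangerous-capability", "high", f"cap_add {cap} permits escape or host control")
    for vol in svc.get("volumes") or []:
        # short syntax "host:container[:mode]" or long syntax {"type": "bind", "source": ...}
        src = vol.split(":")[0] if isinstance(vol, str) else str(vol.get("source", ""))
        if src == "/" or src.rstrip("/") in SENSITIVE_HOST_PATHS:
            add("sensitive-mount", "high", f"mounts host path {src}")
    for port in svc.get("ports") or []:
        # short syntax "[HOST_IP:]HOST:CONTAINER[/proto]"; without HOST_IP the port is
        # published on every interface. Only IPv4 host addresses are handled here.
        parts = str(port).split(":")
        if len(parts) == 2 or (len(parts) == 3 and parts[0] in ("", "0.0.0.0")):
            add("port-all-interfaces", "medium", f"port {port} is published on all host interfaces")
    if "cap_drop" not in svc:
        add("no-cap-drop", "low", "capabilities not reduced; add cap_drop: [ALL]")
    if not any(str(o).startswith("no-new-privileges") for o in svc.get("security_opt") or []):
        add("no-new-privileges", "low", "security_opt no-new-privileges:true is missing")
    return findings


def check_compose(compose):
    """Run check_service over every service, sorted by service then rule for stable output."""
    out = []
    for name, svc in (compose.get("services") or {}).items():
        out.extend(check_service(name, svc or {}))
    return sorted(out, key=lambda f: (f[0], f[1]))


COMPOSE = {
    "services": {
        "api": {  # hardened service: loopback only, capabilities dropped, no privilege gain
            "image": "registry.example.invalid/api:1.4.2",
            "ports": ["127.0.0.1:8080:8080"],
            "volumes": ["./data:/data"],
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
        },
        "agent": {  # misconfigured service: effectively root on the host
            "image": "registry.example.invalid/agent:latest",
            "privileged": True,
            "pid": "host",
            "cap_add": ["SYS_ADMIN", "NET_BIND_SERVICE"],
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
            "ports": ["0.0.0.0:2375:2375", "9090:9090"],
        },
    }
}

if __name__ == "__main__":
    for service, rule, severity, detail in check_compose(COMPOSE):
        print(f"{service:<6} {severity:<7} {rule:<20} {detail}")
```

Running the module reports findings for the `agent` service only; `api` is the hardened counterpart and comes back clean. The volume check accepts both the short string form and the long mapping form; the port check deliberately treats a missing host address the same as `0.0.0.0`, because that is what Docker does.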

Python DSL for Container Rules

Write expressive security rules using our new Python DSL:

@rule(
    id="DOCKER-SEC-001",
    severity="high",
    message="Running container as root"
)
def check_root_user(dockerfile):
    # Flags an explicit "USER root" only. "USER 0" and a Dockerfile with no USER
    # instruction at all (root by default for most base images) pass this comparison.
    return dockerfile.user == "root"

Features include:

  • Fluent API for querying Dockerfile instructions
  • Built-in helpers for common security patterns
  • Support for complex multi-instruction analysis
  • Easy integration with CI/CD pipelines

Security Rule Categories

The 47 rules cover critical security areas:

  • Privilege Escalation - Detect containers running as root, excessive capabilities
  • Secret Management - Find hardcoded credentials, API keys in images
  • Network Security - Identify exposed ports, insecure protocols
  • Supply Chain - Check for unverified base images, outdated dependencies
  • Best Practices - Health checks, multi-stage builds, layer optimization
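
An added example, written in plain Python and not Code Pathfinder's DSL, parser or bundled rules, of the checks behind the rule above and the privilege, secret and supply-chain categories just listed, with the mechanics a real rule has to get right made visible: a minimal Dockerfile parser that joins backslash continuations and keeps line numbers, stage splitting so that a USER set in a builder stage is not credited to the final image (while a USER inherited through `FROM <alias>` is), and the root check covering no-USER and `USER 0` as well as `USER root`. The rule names are invented for the example and `SAMPLE` is a constructed Dockerfile; `example.invalid` is a reserved name that resolves nowhere.

```python
# Added example in plain Python: NOT Code Pathfinder's DSL, parser or bundled rules.
# Rule names are made up for this example and SAMPLE is a constructed Dockerfile.
import re
from collections import namedtuple

Instruction = namedtuple("Instruction", "name args line")  # keyword, rest of line, 1-based line
Finding = namedtuple("Finding", "rule severity line message")

SECRET_KEY = re.compile(r"passw(or)?d|secret|token|api_?key|private_?key", re.I)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")
ROOT_USER = re.compile(r"^(root|0)(:\S*)?$", re.I)


def parse_dockerfile(text):
    """Drop blank/comment lines, join backslash continuations, keep start line; no ARG expansion."""
    out, buf, start = [], "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else lineno
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        parts = (buf + line).split(None, 1)
        out.append(Instruction(parts[0].upper(), parts[1] if len(parts) > 1 else "", start))
        buf = ""
    return out


def split_stages(instructions):
    """One dict per FROM: base image, optional 'AS alias', and the instructions of that stage."""
    stages = []
    for ins in instructions:
        if ins.name == "FROM":
            m = re.match(r"(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", ins.args, re.I)
            stages.append({"from": ins, "base": m.group(1), "alias": m.group(2), "body": []})
        elif stages:
            stages[-1]["body"].append(ins)
    return stages


def effective_user(idx, stages):
    """Last USER of stage idx, else the USER inherited from an earlier stage it builds FROM;
    None means an external base image's default applies (root for most images)."""
    stage = stages[idx]
    users = [i for i in stage["body"] if i.name == "USER"]
    if users:
        return users[-1]
    for j in range(idx):
        if stages[j]["alias"] and stages[j]["alias"].lower() == stage["base"].lower():
            return effective_user(j, stages)
    return None


def kv_pairs(args):
    """ENV/ARG pairs in 'K=v K2=v2' form or the legacy 'K v' form."""
    if "=" in (args.split(None, 1) or [""])[0]:
        return re.findall(r"""(\w+)=("[^"]*"|'[^']*'|\S*)""", args)
    key, _, value = args.partition(" ")
    return [(key, value.strip())]


def scan(text):
    instructions = parse_dockerfile(text)
    stages = split_stages(instructions)
    aliases = {s["alias"].lower() for s in stages if s["alias"]}
    found = []
    for s in stages:
        base = s["base"]
        if base.lower() in aliases or base.lower() == "scratch" or "@sha256:" in base:
            continue
        tag = base.rsplit("/", 1)[-1]  # strip registry/namespace before looking at the tag
        floating = ":" not in tag or tag.endswith(":latest")
        found.append(Finding("unpinned-base-image", "high" if floating else "medium", s["from"].line,
                             f"{base} is {'a floating tag' if floating else 'not pinned to a digest'}"))
    for ins in instructions:
        if ins.name in ("ENV", "ARG"):
            for key, value in kv_pairs(ins.args):
                if SECRET_KEY.search(key) and value.strip("\"'"):
                    found.append(Finding("hardcoded-secret", "high", ins.line, f"{ins.name} {key} bakes a secret into the image"))
        elif ins.name == "ADD" and re.search(r"\b(https?|ftp)://", ins.args):
            found.append(Finding("remote-add", "medium", ins.line, "ADD fetches remote content without verification"))
        elif ins.name == "RUN" and PIPE_TO_SHELL.search(ins.args):
            found.append(Finding("pipe-to-shell", "high", ins.line, "downloaded script is piped straight into a shell"))
    if stages:
        user = effective_user(len(stages) - 1, stages)
        if user is None:
            found.append(Finding("root-user", "high", stages[-1]["from"].line, "no USER in final stage; base image default (usually root)"))
        elif ROOT_USER.match(user.args):
            found.append(Finding("root-user", "high", user.line, f"final stage runs as USER {user.args}"))
    return sorted(found, key=lambda f: f.line)


SAMPLE = """\
FROM golang:1.22 AS builder
RUN go build -o /out/app .
FROM debian:latest
ENV DB_PASSWORD=hunter2 \\
    APP_ENV=prod
ADD https://example.invalid/tool.tar.gz /opt/
RUN curl -fsSL https://example.invalid/install.sh | sh
COPY --from=builder /out/app /usr/local/bin/app
USER root
ENTRYPOINT ["/usr/local/bin/app"]
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line:<3} {f.severity:<7} {f.rule:<20} {f.message}")
```

Two design points matter more than the individual regexes. Stage handling: only the last stage ships, so base-image and USER findings are attributed per stage, and `FROM <alias>` inherits the earlier stage's USER instead of being reported as an unpinned image. Root detection: the final stage is reported when it has no USER at all, when it says `USER root`, or when it says `USER 0` (with or without a group), because all three run as uid 0 in the common case. Pinning by tag alone is reported at medium and a floating `:latest` or untagged image at high, mirroring the three-level severity model used above.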

🎯 Use Cases

DevSecOps Teams: Integrate container security scanning into your CI/CD pipelines
Security Auditors: Quickly identify security misconfigurations across hundreds of Dockerfiles
Platform Engineers: Enforce organizational security policies for containerized workloads
Developers: Get immediate feedback on container security issues during development

📊 By The Numbers

  • 🔒 47 security rules covering Docker & docker-compose
  • 📝 18 Dockerfile instructions fully supported
  • 🐍 Python DSL for custom rule authoring
  • 🎯 3 severity levels (high, medium, low) for risk prioritization

🔧 Getting Started

Scan Your Dockerfiles

Install

npm install -g codepathfinder

Scan a project

pathfinder scan --project ./my-app --rules /path/to/rules

Check rules here https://github.com/shivasurya/code-pathfinder/tree/main/rules

Release v1.1.0

29 Nov 02:30
v1.1.0
3004338

What's Changed

  • chore(python-dsl): Release v1.1.0 by @shivasurya in #405
  • chore: Remove nsjail testing scripts from root directory by @shivasurya in #406
  • feat: Add Cloudflare R2 stdlib registry upload + bump to v1.0.0 by @shivasurya in #407
  • fix: Remove AWS credentials action, install AWS CLI directly for R2 by @shivasurya in #408
  • fix: Allow msilib and nis modules to fail gracefully by @shivasurya in #409
  • chore: Remove outdated docs/ and pathfinder-rules/ directories by @shivasurya in #410
  • chore: Move R2_SETUP.md and SANDBOX.md to knowledge base by @shivasurya in #411
  • chore: Remove GitHub Container Registry build to save CI time by @shivasurya in #412
  • refactor: Migrate test fixtures to sourcecode-parser/test-fixtures by @shivasurya in #413
  • refactor: Rename sourcecode-parser to sast-engine (v1.1.0) by @shivasurya in #414

Full Changelog: v0.0.34...v1.1.0

Release v0.0.34

25 Nov 03:06
5299294

What's Changed

  • chore: fix package-lock.json file by @shivasurya in #321
  • cpf/enhancement: Add core data structures for call graph by @shivasurya in #322
  • cp/enhancement: Implement module registry - Pass 1 of 3-pass algorithm by @shivasurya in #323
  • cpf/enhancement: Implement import extraction with tree-sitter by @shivasurya in #324
  • cpf/enhancement: Implement relative import resolution by @shivasurya in #325
  • cpf/enhancement: Implement call site extraction from AST by @shivasurya in #326
  • cpf/enhancement: Implement call graph builder - Pass 3 by @shivasurya in #327
  • cpf/enhancement: Create CFG data structures for control flow analysis by @shivasurya in #328
  • cpf/enhancement: Add pattern registry with hardcoded code injection example by @shivasurya in #329
  • cpf/enhancement: Add Callgraph Integration into parsing pipeline by @shivasurya in #330
  • cpf/enhancement: Django ORM Pattern Resolution by @shivasurya in #333
  • feat(callgraph): Python Type Inference for Improved Call Resolution by @shivasurya in #334
  • feat(callgraph): Phase 2 - Complete Type Inference with Inter-Procedural Propagation by @shivasurya in #335
  • feat(callgraph): Task 12 - Self Attribute Tracking & Method Chaining by @shivasurya in #336
  • feat(stdlib): Add generic Python 3.14 stdlib registry generator by @shivasurya in #337
  • feat(callgraph): Add local stdlib registry loader with resolution by @shivasurya in #338
  • fix(callgraph): Add fallback stdlib check for direct module imports by @shivasurya in #339
  • feat(callgraph): Add remote stdlib registry with lazy loading by @shivasurya in #340
  • fix(tools): Allow platform-specific module failures in registry generation by @shivasurya in #341
  • feat(observability): Add stdlib registry metrics and regression tests by @shivasurya in #342
  • feat(dataflow): Add core data structures for intra-procedural taint analysis by @shivasurya in #343
  • feat(callgraph): Add Python statement extraction for intra-procedural dataflow by @shivasurya in #344
  • feat(callgraph): Add def-use chain construction (PR #3) by @shivasurya in #345
  • feat(taint): Implement intra-procedural taint propagation by @shivasurya in #346
  • feat(callgraph): Integrate taint analysis into call graph builder by @shivasurya in #347
  • Fix intra-procedural vulnerability detection by @shivasurya in #348
  • feat(diagnostic): Add function extraction for diagnostic system by @shivasurya in #349
  • feat(diagnostic): Add LLM integration for pattern discovery by @shivasurya in #350
  • feat(diagnostic): Add tool comparison with normalization by @shivasurya in #351
  • fix(ci): Install codepathfinder 1.0.0 for Python DSL tests by @shivasurya in #362
  • feat(go): Remove ANTLR/expr-lang query system by @shivasurya in #352
  • feat(python): Add core matchers (calls, variable) by @shivasurya in #353
  • feat(python): Add dataflow analysis with Phase 1 propagation by @shivasurya in #354
  • feat(python): Add Phase 2 propagation and presets by @shivasurya in #355
  • feat(python): Add logic operators (And, Or, Not) by @shivasurya in #356
  • feat(go): Add call_matcher executor by @shivasurya in #357
  • feat(go): Add variable_matcher executor by @shivasurya in #358
  • feat(go): Add dataflow integration for taint analysis by @shivasurya in #359
  • feat(go): Add DSL rule loader and OWASP Top 10 examples by @shivasurya in #360
  • feat(cli): Implement scan, query, and ci commands with Python DSL integration by @shivasurya in #361
  • build(deps): bump astro from 5.14.4 to 5.15.6 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #366
  • feat(models): Add GPT-5.1 model support by @shivasurya in #367
  • build(deps): bump the npm_and_yarn group across 2 directories with 1 update by @dependabot[bot] in #368
  • chore: Release version 0.0.16 by @shivasurya in #369
  • fix: TypeScript type annotations in generated model config by @shivasurya in #370
  • chore: Release version 0.0.17 by @shivasurya in #371
  • refactor: create core package with foundation types by @shivasurya in #372
  • refactor: create registry, cfg, and resolution packages by @shivasurya in #373
  • refactor(callgraph): Create analysis/taint, extraction packages and complete registry by @shivasurya in #374
  • refactor(callgraph): Create resolution package and complete extraction package (PR #4) by @shivasurya in #375
  • refactor(callgraph): Move advanced resolution to resolution package (PR #5) by @shivasurya in #376
  • refactor: Create patterns package for pattern detection (PR #6) by @shivasurya in #377
  • refactor: Extract builder logic to builder/ package (#7) by @shivasurya in #378
  • refactor: Remove all type aliases and wrapper functions from callgraph package by @shivasurya in #379
  • feat(docs): Enhance blog post typography and reading experience by @shivasurya in #380
  • feat(blog): Add MyClone chat widget to blog posts by @shivasurya in #381
  • build(deps): bump glob from 10.4.5 to 10.5.0 in /extension/secureflow in the npm_and_yarn group across 1 directory by @dependabot[bot] in #382
  • build(deps): bump astro from 5.15.6 to 5.15.9 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #383
  • PR #1: DSL IR Extension & Keyword Argument Parsing by @shivasurya in #384
  • PR #2: Implement Keyword Argument Matching Logic by @shivasurya in #385
  • PR #3: Add Python DSL API for Argument Matching by @shivasurya in #386
  • PR #4: Add Positional Argument Matching Support by @shivasurya in #387
  • PR #5: Add Advanced Argument Matching Features by @shivasurya in #388
  • PR #6: Add Tuple Indexing for Nested Argument Matching by @shivasurya in #389
  • PR #7: Fix Critical Bugs in Argument Matching by @shivasurya in #390
  • PR #1: Data Structures & Enrichment Layer by @shivasurya in #391
  • PR #2: Structured Logging System by @shivasurya in #392
  • PR #3: Text Formatter for Scan Command by @shivasurya in #393
  • PR #4: Add JSON and CSV Output Formatters for CI Mode by @shivasurya in #394
  • PR #5: Enhanced SARIF Formatter with Code Flows by @shivasurya in #395
  • PR #6: Exit Code Standardization & --fail-on Flag by @shivasurya in #396
  • PR #7: Command Cleanup & Documentation by @shivasurya in #397
  • enhancement(docs): Improve landing page experience by @shivasurya in #398
  • enhancement(docker): Add Python runtime with nsjail sandboxing by @shi...

Release v0.0.33

25 Oct 06:47
92680f9

🚀 Recent Highlights — CodePathfinder

We’ve landed three notable updates to boost developer experience and performance:

  • Performance Monitoring & Memory Improvements: PR #316
    Sharper performance monitoring tools plus reduced memory usage.

  • Golang Version Upgrade: PR #311
    Migration to the latest Go for improved reliability and compatibility.

  • Python 3 Language Support: PR #314
    You can now scan and analyze Python 3 code, broadening language coverage for source code analysis.

🌟 Introducing SecureFlow — Next-Gen AI Security Scanning

Take your code security audit to the next level with our new solutions:

  • SecureFlow Extension: Code securely inside VSCode with AI-driven insights. Read more

  • SecureFlow CLI: Hunt vulnerabilities in your projects with CLI-powered AI analysis. Details in blog

We’re taking baby steps toward making AI-native security scanning the foundation for future software. Stay tuned—more is coming!

Full Changelog: v0.0.32...v0.0.33

Release v0.0.32

18 Mar 01:43
6cc9309

What's Changed

  • feature: 🍺 Support for AssertStmt Node statement by @shivasurya in #179
  • feature: Support for ReturnStmt statement by @shivasurya in #180
  • fix docker command by @opstoken in #182
  • feature: 🍺 Support for BlockStmt statement by @shivasurya in #181
  • doc: refresh documentation for latest statement support by @shivasurya in #183
  • chore: update seo title by @shivasurya in #184
  • doc: Update the documentation to include BreakStmt, LabeledStmt, YieldStmt and etc by @shivasurya in #185
  • chore: fix title tag issue by @shivasurya in #186
  • Bump nanoid from 3.3.7 to 3.3.8 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #188
  • Bump astro from 4.16.3 to 4.16.18 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #189
  • chore(upgrade): Bump golang dependencies and version by @shivasurya in #192
  • Bump vite from 5.4.11 to 5.4.14 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #193
  • feature: 🍺 Class with inheritance support by @shivasurya in #187
  • blog: add closure table blog post 📰 by @shivasurya in #196
  • chore: Update Website Navigation and Messaging by @shivasurya in #197
  • build(deps): bump the npm_and_yarn group across 1 directory with 3 updates by @dependabot in #198
  • feat: New Pathfinder Rules page (atlas) for docs by @shivasurya in #200
  • chore: updated package-lock.json by @shivasurya in #201
  • chore: added rollup optional dep by @shivasurya in #202
  • chore: fix link in footer by @shivasurya in #203
  • build(deps): bump prismjs from 1.29.0 to 1.30.0 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #204
  • feature: Code-Pathfinder online hosted sandbox playground by @shivasurya in #205
  • build(deps): bump @babel/runtime from 7.26.9 to 7.26.10 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #206
  • build(deps): bump the go_modules group across 2 directories with 1 update by @dependabot in #208
  • release: bump version to 0.0.32 by @shivasurya in #209

New Contributors

Full Changelog: v0.0.31...v0.0.32

Release v0.0.31

05 Nov 01:45
6ba07a3

What's new?

This release has query support for BreakStmt, ContinueStmt, YieldStmt, IfStmt, DoStmt, WhileStmt, ForStmt statements in source code (java) ☕ 🎉

Read latest blog post about detecting Webview vulnerabilities using Code-Pathfinder

What's Changed

Full Changelog: v0.0.30...v0.0.31

Release v0.0.30

17 Oct 16:04
fcbcbc3

What's Changed

Full Changelog: v0.0.29...v0.0.30

Release v0.0.29

15 Oct 04:17
56b7666

This release has exciting new features such as a CI command to scan source code for vulnerabilities within a CI/CD ♾️ pipeline, Docker support, and GitHub Action support. 🎉

What's New?

  1. Code-Pathfinder is now available on Docker Hub. Give it a try by pulling shivasurya/code-pathfinder:stable-latest 🐳
  2. GitHub Action is now supported and you can start scanning source code. 🎉

     # add as step to github action yaml file
     - name: Code-Pathfinder SAST Scan
       uses: shivasurya/code-pathfinder@main
       with:
         command: 'ci'
         project: '.'
         output-file: 'output.json'
         output: 'json'
         ruleset: 'cpf/java'

  3. Code-Pathfinder now supports a CI command to scan for vulnerabilities in source code. ♾️

     $ pathfinder ci --project /src/code-pathfinder/test-src --ruleset cpf/java --output json --output-file output.json
     ...
     Executing in CI mode ♾️

Checkout Code-pathfinder rules registry here

What's Changed

Full Changelog: v0.0.28...v0.0.29

Release v0.0.28

07 Oct 23:58
01a9a0f

This release adds exciting new features such as support for querying ClassInstanceExpr, so you can search for object-creation expressions (instances created with `new`) of a given class. We have featured a new blog post about codepathfinder. I have published various code pathfinder rules targeting generic Java applications:

Code-Pathfinder Rules

  • Usage of RC2/RC4 cipher
  • Usage of deprecated DefaultHTTPClient
  • Usage of SHA1 hash functions
  • Usage of insecure Random functions for cryptographic purposes
  • Usage of Blowfish crypt methods
  • <More to come in next releases covering OWASP Top 10>

What's New?

Chore

Full Changelog: v0.0.27...v0.0.28