qenex-pathfinder
Provides security scanning tools for Claude Code, enabling real-time vulnerability detection, code analysis, and rule explanations for codebases.
README
qenex-pathfinder
A standalone Python security audit tool that scans codebases for vulnerabilities, misconfigurations, and dangerous patterns. Works as a CLI tool, a CI check, and an MCP server for Claude Code integration.
Features
- 60+ security checks across 12 categories (credentials, SQL injection, command injection, XXE, CORS, network, crypto, systemd, permissions, async/sync, dependencies, Docker)
- AST-based analysis for Python files -- avoids false positives from comments and docstrings
- Regex-based rules for config files, systemd units, Dockerfiles, and YAML
- Three output formats: colored text, JSON, SARIF 2.1.0 (GitHub Code Scanning / VS Code compatible)
- MCP server for real-time scanning from Claude Code
- Configurable via
.pathfinder.yml - Zero mandatory dependencies beyond PyYAML (MCP is optional)
Installation
# From source
cd qenex-pathfinder
pip install .
# With MCP support
pip install .[mcp]
# Development
pip install .[dev]
CLI Usage
# Scan current directory
pathfinder .
# Scan a specific file
pathfinder /path/to/app.py
# Filter by severity
pathfinder . --severity high
# JSON output
pathfinder . --format json
# SARIF output (for CI)
pathfinder . --format sarif > results.sarif
# Run specific rules only
pathfinder . --rules PF-CRED-001,PF-SQLI-001
# Exclude paths
pathfinder . --exclude vendor/,test_data/
# Use custom config
pathfinder . --config /path/to/.pathfinder.yml
# Run as module
python -m pathfinder .
Exit Codes
| Code | Meaning |
|---|---|
| 0 | No findings at or above the requested severity |
| 1 | One or more findings found |
MCP Server (Claude Code Integration)
Start the MCP server for interactive scanning from Claude Code:
pathfinder --mcp
Or add to your Claude Code MCP configuration:
{
"mcpServers": {
"pathfinder": {
"command": "pathfinder",
"args": ["--mcp"]
}
}
}
MCP Tools
| Tool | Description |
|---|---|
scan_path |
Scan a file or directory |
scan_file_content |
Scan source code text directly |
list_rules |
List all available security rules |
explain_finding |
Get details about a specific rule ID |
Rule Reference
Credentials (PF-CRED-001 to PF-CRED-006, CWE-798)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-CRED-001 | Private Key in Config | CRITICAL | Regex |
| PF-CRED-002 | API Key in Source | HIGH | Regex |
| PF-CRED-003 | Password Default Fallback | HIGH | AST |
| PF-CRED-004 | Hardcoded JWT/Bearer | HIGH | Regex |
| PF-CRED-005 | Cloud Provider Creds | CRITICAL | Regex |
| PF-CRED-006 | SSH Private Key Content | CRITICAL | Regex |
SQL Injection (PF-SQLI-001 to PF-SQLI-004, CWE-89)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-SQLI-001 | f-string in SQL Execute | CRITICAL | AST |
| PF-SQLI-002 | .format() in SQL Execute | CRITICAL | AST |
| PF-SQLI-003 | String Concatenation in SQL | HIGH | AST |
| PF-SQLI-004 | Subprocess sqlite3 Interpolation | HIGH | AST |
Command Injection (PF-CMDI-001 to PF-CMDI-005, CWE-78)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-CMDI-001 | shell=True with Variable | CRITICAL | AST |
| PF-CMDI-002 | os.system() Call | HIGH | AST |
| PF-CMDI-003 | os.popen() Call | HIGH | AST |
| PF-CMDI-004 | eval() with User Input | HIGH | AST |
| PF-CMDI-005 | exec() with User Input | HIGH | AST |
XXE and Deserialization (PF-XXE-001 to PF-XXE-005, CWE-611/502)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-XXE-001 | Unsafe xml.etree | MEDIUM | AST |
| PF-XXE-002 | Unsafe xml.sax | MEDIUM | AST |
| PF-XXE-003 | Unsafe lxml Parser | MEDIUM | AST |
| PF-XXE-004 | Unsafe pickle | HIGH | AST |
| PF-XXE-005 | Unsafe yaml.load() | HIGH | AST |
CORS (PF-CORS-001 to PF-CORS-003, CWE-942)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-CORS-001 | CORS Allow All Origins | MEDIUM | AST |
| PF-CORS-002 | CORS Header Wildcard | MEDIUM | Regex |
| PF-CORS-003 | CORS Credentials Wildcard | HIGH | AST |
Network (PF-NET-001 to PF-NET-004, CWE-668)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-NET-001 | Binding to 0.0.0.0 | MEDIUM | Regex |
| PF-NET-002 | Binding to :: | MEDIUM | Regex |
| PF-NET-003 | Debug Mode Enabled | MEDIUM | Regex |
| PF-NET-004 | Dangerous Port Exposed | MEDIUM | Regex |
Cryptography (PF-CRYP-001 to PF-CRYP-005, CWE-327/328)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-CRYP-001 | MD5 Hash Usage | MEDIUM | AST |
| PF-CRYP-002 | SHA1 Hash Usage | MEDIUM | AST |
| PF-CRYP-003 | DES/3DES Usage | HIGH | AST |
| PF-CRYP-004 | Random for Crypto | HIGH | AST |
| PF-CRYP-005 | Hardcoded Encryption Key | CRITICAL | Regex |
systemd (PF-SYSD-001 to PF-SYSD-005, CWE-522)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-SYSD-001 | Secret in Environment= | HIGH | Regex |
| PF-SYSD-002 | Missing ProtectSystem | LOW | Text |
| PF-SYSD-003 | Root Without Hardening | MEDIUM | Regex |
| PF-SYSD-004 | World-Readable EnvironmentFile | HIGH | Stat |
| PF-SYSD-005 | ExecStart with Elevated Privs | MEDIUM | Regex |
Permissions (PF-PERM-001 to PF-PERM-004, CWE-732)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-PERM-001 | World-Writable File | HIGH | Stat |
| PF-PERM-002 | Secret File Not 0600 | HIGH | Stat |
| PF-PERM-003 | SUID/SGID on Script | CRITICAL | Stat |
| PF-PERM-004 | Private Key World-Readable | CRITICAL | Stat |
Async/Sync (PF-ASYN-001 to PF-ASYN-005, CWE-834)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-ASYN-001 | Sync Call in async def | MEDIUM | AST |
| PF-ASYN-002 | Missing await on Coroutine | HIGH | AST |
| PF-ASYN-003 | Blocking I/O in async def | LOW | AST |
| PF-ASYN-004 | CPU-Bound in async def | LOW | AST |
| PF-ASYN-005 | asyncio.sleep(0) Busy Loop | LOW | AST |
Dependencies (PF-DEP-001 to PF-DEP-003, CWE-1104)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-DEP-001 | Unpinned Dependency | LOW | Regex |
| PF-DEP-002 | Unpinned Docker Image | MEDIUM | Regex |
| PF-DEP-003 | Known Vulnerable Package | HIGH | Regex |
Docker (PF-DOCK-001 to PF-DOCK-008, CWE-250)
| Rule ID | Title | Severity | Method |
|---|---|---|---|
| PF-DOCK-001 | Container Running as Root | MEDIUM | Regex |
| PF-DOCK-002 | Docker Socket Mounted | CRITICAL | Regex |
| PF-DOCK-003 | Privileged Mode | CRITICAL | Regex |
| PF-DOCK-004 | Missing no-new-privileges | LOW | Text |
| PF-DOCK-005 | Host Network Mode | HIGH | Regex |
| PF-DOCK-006 | Latest Tag Usage | LOW | Regex |
| PF-DOCK-007 | Secrets in ENV/ARG | HIGH | Regex |
| PF-DOCK-008 | No HEALTHCHECK | LOW | Regex |
SARIF Integration
SARIF output is compatible with:
- GitHub Code Scanning: Upload via
github/codeql-action/upload-sarif - VS Code: Install the SARIF Viewer extension
- Azure DevOps: Native SARIF support in pipelines
Example GitHub Actions workflow:
- name: Run Pathfinder
run: pathfinder . --format sarif > pathfinder.sarif
continue-on-error: true
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: pathfinder.sarif
Configuration
Create a .pathfinder.yml in your project root:
exclude_paths:
- "vendor/"
- "node_modules/"
- ".venv/"
min_severity: low
exclude_rules: []
extensions:
- ".py"
- ".service"
- ".yml"
- ".yaml"
- ".txt"
- ".toml"
License
MIT -- Copyright (c) 2024 QENEX LTD
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.