qenex-pathfinder

qenex-pathfinder

Provides security scanning tools for Claude Code, enabling real-time vulnerability detection, code analysis, and rule explanations for codebases.

Category
访问服务器

README

qenex-pathfinder

A standalone Python security audit tool that scans codebases for vulnerabilities, misconfigurations, and dangerous patterns. Works as a CLI tool, a CI check, and an MCP server for Claude Code integration.

Features

  • 60+ security checks across 12 categories (credentials, SQL injection, command injection, XXE, CORS, network, crypto, systemd, permissions, async/sync, dependencies, Docker)
  • AST-based analysis for Python files -- avoids false positives from comments and docstrings
  • Regex-based rules for config files, systemd units, Dockerfiles, and YAML
  • Three output formats: colored text, JSON, SARIF 2.1.0 (GitHub Code Scanning / VS Code compatible)
  • MCP server for real-time scanning from Claude Code
  • Configurable via .pathfinder.yml
  • Zero mandatory dependencies beyond PyYAML (MCP is optional)

Installation

# From source
cd qenex-pathfinder
pip install .

# With MCP support
pip install .[mcp]

# Development
pip install .[dev]

CLI Usage

# Scan current directory
pathfinder .

# Scan a specific file
pathfinder /path/to/app.py

# Filter by severity
pathfinder . --severity high

# JSON output
pathfinder . --format json

# SARIF output (for CI)
pathfinder . --format sarif > results.sarif

# Run specific rules only
pathfinder . --rules PF-CRED-001,PF-SQLI-001

# Exclude paths
pathfinder . --exclude vendor/,test_data/

# Use custom config
pathfinder . --config /path/to/.pathfinder.yml

# Run as module
python -m pathfinder .

Exit Codes

Code Meaning
0 No findings at or above the requested severity
1 One or more findings found

MCP Server (Claude Code Integration)

Start the MCP server for interactive scanning from Claude Code:

pathfinder --mcp

Or add to your Claude Code MCP configuration:

{
  "mcpServers": {
    "pathfinder": {
      "command": "pathfinder",
      "args": ["--mcp"]
    }
  }
}

MCP Tools

Tool Description
scan_path Scan a file or directory
scan_file_content Scan source code text directly
list_rules List all available security rules
explain_finding Get details about a specific rule ID

Rule Reference

Credentials (PF-CRED-001 to PF-CRED-006, CWE-798)

Rule ID Title Severity Method
PF-CRED-001 Private Key in Config CRITICAL Regex
PF-CRED-002 API Key in Source HIGH Regex
PF-CRED-003 Password Default Fallback HIGH AST
PF-CRED-004 Hardcoded JWT/Bearer HIGH Regex
PF-CRED-005 Cloud Provider Creds CRITICAL Regex
PF-CRED-006 SSH Private Key Content CRITICAL Regex

SQL Injection (PF-SQLI-001 to PF-SQLI-004, CWE-89)

Rule ID Title Severity Method
PF-SQLI-001 f-string in SQL Execute CRITICAL AST
PF-SQLI-002 .format() in SQL Execute CRITICAL AST
PF-SQLI-003 String Concatenation in SQL HIGH AST
PF-SQLI-004 Subprocess sqlite3 Interpolation HIGH AST

Command Injection (PF-CMDI-001 to PF-CMDI-005, CWE-78)

Rule ID Title Severity Method
PF-CMDI-001 shell=True with Variable CRITICAL AST
PF-CMDI-002 os.system() Call HIGH AST
PF-CMDI-003 os.popen() Call HIGH AST
PF-CMDI-004 eval() with User Input HIGH AST
PF-CMDI-005 exec() with User Input HIGH AST

XXE and Deserialization (PF-XXE-001 to PF-XXE-005, CWE-611/502)

Rule ID Title Severity Method
PF-XXE-001 Unsafe xml.etree MEDIUM AST
PF-XXE-002 Unsafe xml.sax MEDIUM AST
PF-XXE-003 Unsafe lxml Parser MEDIUM AST
PF-XXE-004 Unsafe pickle HIGH AST
PF-XXE-005 Unsafe yaml.load() HIGH AST

CORS (PF-CORS-001 to PF-CORS-003, CWE-942)

Rule ID Title Severity Method
PF-CORS-001 CORS Allow All Origins MEDIUM AST
PF-CORS-002 CORS Header Wildcard MEDIUM Regex
PF-CORS-003 CORS Credentials Wildcard HIGH AST

Network (PF-NET-001 to PF-NET-004, CWE-668)

Rule ID Title Severity Method
PF-NET-001 Binding to 0.0.0.0 MEDIUM Regex
PF-NET-002 Binding to :: MEDIUM Regex
PF-NET-003 Debug Mode Enabled MEDIUM Regex
PF-NET-004 Dangerous Port Exposed MEDIUM Regex

Cryptography (PF-CRYP-001 to PF-CRYP-005, CWE-327/328)

Rule ID Title Severity Method
PF-CRYP-001 MD5 Hash Usage MEDIUM AST
PF-CRYP-002 SHA1 Hash Usage MEDIUM AST
PF-CRYP-003 DES/3DES Usage HIGH AST
PF-CRYP-004 Random for Crypto HIGH AST
PF-CRYP-005 Hardcoded Encryption Key CRITICAL Regex

systemd (PF-SYSD-001 to PF-SYSD-005, CWE-522)

Rule ID Title Severity Method
PF-SYSD-001 Secret in Environment= HIGH Regex
PF-SYSD-002 Missing ProtectSystem LOW Text
PF-SYSD-003 Root Without Hardening MEDIUM Regex
PF-SYSD-004 World-Readable EnvironmentFile HIGH Stat
PF-SYSD-005 ExecStart with Elevated Privs MEDIUM Regex

Permissions (PF-PERM-001 to PF-PERM-004, CWE-732)

Rule ID Title Severity Method
PF-PERM-001 World-Writable File HIGH Stat
PF-PERM-002 Secret File Not 0600 HIGH Stat
PF-PERM-003 SUID/SGID on Script CRITICAL Stat
PF-PERM-004 Private Key World-Readable CRITICAL Stat

Async/Sync (PF-ASYN-001 to PF-ASYN-005, CWE-834)

Rule ID Title Severity Method
PF-ASYN-001 Sync Call in async def MEDIUM AST
PF-ASYN-002 Missing await on Coroutine HIGH AST
PF-ASYN-003 Blocking I/O in async def LOW AST
PF-ASYN-004 CPU-Bound in async def LOW AST
PF-ASYN-005 asyncio.sleep(0) Busy Loop LOW AST

Dependencies (PF-DEP-001 to PF-DEP-003, CWE-1104)

Rule ID Title Severity Method
PF-DEP-001 Unpinned Dependency LOW Regex
PF-DEP-002 Unpinned Docker Image MEDIUM Regex
PF-DEP-003 Known Vulnerable Package HIGH Regex

Docker (PF-DOCK-001 to PF-DOCK-008, CWE-250)

Rule ID Title Severity Method
PF-DOCK-001 Container Running as Root MEDIUM Regex
PF-DOCK-002 Docker Socket Mounted CRITICAL Regex
PF-DOCK-003 Privileged Mode CRITICAL Regex
PF-DOCK-004 Missing no-new-privileges LOW Text
PF-DOCK-005 Host Network Mode HIGH Regex
PF-DOCK-006 Latest Tag Usage LOW Regex
PF-DOCK-007 Secrets in ENV/ARG HIGH Regex
PF-DOCK-008 No HEALTHCHECK LOW Regex

SARIF Integration

SARIF output is compatible with:

  • GitHub Code Scanning: Upload via github/codeql-action/upload-sarif
  • VS Code: Install the SARIF Viewer extension
  • Azure DevOps: Native SARIF support in pipelines

Example GitHub Actions workflow:

- name: Run Pathfinder
  run: pathfinder . --format sarif > pathfinder.sarif
  continue-on-error: true

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: pathfinder.sarif

Configuration

Create a .pathfinder.yml in your project root:

exclude_paths:
  - "vendor/"
  - "node_modules/"
  - ".venv/"
min_severity: low
exclude_rules: []
extensions:
  - ".py"
  - ".service"
  - ".yml"
  - ".yaml"
  - ".txt"
  - ".toml"

License

MIT -- Copyright (c) 2024 QENEX LTD

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选