PathFinder — Simplifying Code Review with Call Graph Visualization

As developers and security engineers, we often face challenges in understanding complex codebases and tracking function calls during secure code review processes. To address these challenges, I developed PathFinder, a lightweight VS Code extension designed to visualize call graphs and provide actionable insights into your code structure.
PathFinder simplifies code review tasks and offers features like endpoint detection, function inspection, and route highlighting. I believe this extension will take a huge load off my daily work as it evolves, but of course, I have to admit it’s still very much in the early stages right now.
See It in Action
Features
If I were to briefly talk about PathFinder’s features:
- It visualizes function call graphs, making it easier to understand complex codebases.
- Detects and highlights HTTP endpoints in your projects.
- Offers an interactive experience — click nodes to trace paths or jump straight to the code with a simple command.
- Lets you filter out common functions like `Println()` and search for specific ones to focus your analysis.
- And of course, it supports a dark mode for a better, distraction-free experience.
Real-World Use Cases
PathFinder is designed to fit into real-world secure code review workflows. Here are some scenarios:
- Analyzing Vulnerable Functions: Quickly trace the paths leading to a vulnerable function to assess whether it is reachable from an entry point and how exploitable it is.
- Endpoint Branching: Visualize how exposed endpoints branch into internal logic and follow their flows.
- Code Cleanup: Spot functions with no callers floating in the graph, a sign of dead code that may need cleanup or refactoring.
- Function Relationships: Follow how arguments are passed between functions to detect potential issues in the flow, such as untrusted input reaching a sensitive call.
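The first and third use cases can be answered directly from an edge list, without the graph view. The Go program below is an added example and not part of PathFinder: it takes a constructed call graph with the same source/target/endpoint fields that PathFinder's edges carry (see the example output under How It Works), lists every HTTP route whose handler can reach a chosen sink (here `Command`, standing for `exec.Command`), and lists functions that nothing calls. The function names, routes and the graph itself are made up for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Edge mirrors the fields of a PathFinder "edges" entry that matter here.
type Edge struct {
	Source, Target, Endpoint string
}

// Constructed sample graph (not taken from the project): two routes, one of
// which reaches a command-execution sink, plus a cycle and an orphan caller.
var sampleEdges = []Edge{
	{"main", "userHandler", "/user"},
	{"main", "healthHandler", "/health"},
	{"userHandler", "lookup", ""},
	{"lookup", "buildCmd", ""},
	{"buildCmd", "runCmd", ""},
	{"runCmd", "Command", ""},     // exec.Command: the sink under review
	{"lookup", "userHandler", ""}, // back edge: exercises the cycle guard
	{"healthHandler", "Println", ""},
	{"orphan", "runCmd", ""}, // a caller nothing calls: cleanup candidate
}

// RoutesReaching returns every call path that starts at an HTTP route's
// handler and ends at sink, one string per path. A node already on the
// current path is not re-entered, so recursive or mutually recursive code
// cannot make the search loop.
func RoutesReaching(edges []Edge, sink string) []string {
	adj := map[string][]string{}
	for _, e := range edges {
		adj[e.Source] = append(adj[e.Source], e.Target)
	}
	paths := []string{}
	var walk func(node string, path []string, onPath map[string]bool)
	walk = func(node string, path []string, onPath map[string]bool) {
		if node == sink {
			paths = append(paths, strings.Join(path, " -> "))
			return
		}
		for _, next := range adj[node] {
			if onPath[next] {
				continue
			}
			onPath[next] = true
			walk(next, append(append([]string{}, path...), next), onPath)
			delete(onPath, next)
		}
	}
	for _, e := range edges {
		if e.Endpoint == "" {
			continue // only route-registration edges are entry points
		}
		walk(e.Target, []string{e.Endpoint, e.Target}, map[string]bool{e.Target: true})
	}
	sort.Strings(paths)
	return paths
}

// UncalledFunctions lists functions that call others but are never called
// themselves (no inbound arrow in the graph), excluding the program entry
// point. These are the "floating" nodes worth a cleanup look.
func UncalledFunctions(edges []Edge, entry string) []string {
	called := map[string]bool{}
	callers := map[string]bool{}
	for _, e := range edges {
		called[e.Target] = true
		callers[e.Source] = true
	}
	out := []string{}
	for fn := range callers {
		if !called[fn] && fn != entry {
			out = append(out, fn)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, p := range RoutesReaching(sampleEdges, "Command") {
		fmt.Println("reachable:", p)
	}
	fmt.Println("never called:", UncalledFunctions(sampleEdges, "main"))
}
```

On the sample graph only the `/user` route reaches `Command`; `/health` never does, and the back edge from `lookup` to `userHandler` is skipped rather than followed forever. The same two functions work on a real PathFinder edge list once it is unmarshalled into `Edge` values.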
Supported Languages
PathFinder currently supports Go. Python and Java are on the roadmap, and contributions adding other languages are very welcome: if you're a developer or security engineer interested in extending PathFinder, check out the project.
How It Works
- Parsing and Visualization: PathFinder parses your source files with language-specific analyzers located in the `tools/` directory. Every analyzer emits the same JSON format, so the visualization script works with any of them.
- Example Output: Below is an example of how PathFinder processes Go source code.
Input:

```go
package example // package clause and import added for completeness; the article's excerpt omits them

import "fmt"

func AdditionalFunction3() {
	fmt.Println("Inside additionalFunction")
	branchX()
}

func branchX() {
	fmt.Println("Inside branchX")
}
```
Output:

```json
{
  "nodes": [
    {
      "id": "AdditionalFunction3",
      "name": "AdditionalFunction3",
      "args": [],
      "returns": []
    },
    {
      "id": "branchX",
      "name": "branchX",
      "args": [],
      "returns": []
    },
    {
      "id": "Println",
      "name": "Println",
      "args": [
        "\"Inside additionalFunction\""
      ],
      "returns": []
    }
  ],
  "edges": [
    {
      "source": "AdditionalFunction3",
      "target": "Println",
      "line": 2,
      "file": "../../example/folder1/third.go",
      "endpoint": ""
    },
    {
      "source": "AdditionalFunction3",
      "target": "branchX",
      "line": 4,
      "file": "../../example/folder1/third.go",
      "endpoint": ""
    },
    {
      "source": "branchX",
      "target": "Println",
      "line": 7,
      "file": "../../example/folder1/third.go",
      "endpoint": ""
    }
  ]
}
```
To integrate an analyzer for another language, it is enough to emit this same format: a `nodes` array of objects with `id`, `name`, `args` and `returns`, and an `edges` array of objects with `source`, `target`, `line`, `file` and `endpoint`.
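As an added example (not the project's own analyzer, whose code is not shown on this page), here is a minimal Go analyzer built on the standard `go/ast` package that produces the format above from a single file. The sample source, the file name `sample.go`, and the rule that an `http.HandleFunc("/path", handler)` call yields a route-tagged edge from the registering function to the handler are all assumptions made for this demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strconv"
)

// Node, Edge and Graph carry exactly the fields of the JSON format shown above.
type (
	Node struct {
		ID      string   `json:"id"`
		Name    string   `json:"name"`
		Args    []string `json:"args"`
		Returns []string `json:"returns"`
	}
	Edge struct {
		Source   string `json:"source"`
		Target   string `json:"target"`
		Line     int    `json:"line"`
		File     string `json:"file"`
		Endpoint string `json:"endpoint"`
	}
	Graph struct {
		Nodes []Node `json:"nodes"`
		Edges []Edge `json:"edges"`
	}
)

// Constructed sample input (not from the project): one route, its handler, one helper.
const sampleSrc = `package main
import ("fmt"; "net/http")
func main() { http.HandleFunc("/user", userHandler) }
func userHandler(w http.ResponseWriter, r *http.Request) { lookup(r.FormValue("name")) }
func lookup(name string) { fmt.Println("looking up", name) }
`

// Analyze parses one Go file into the graph. Every declared function and every
// callee becomes a node; callees keep the arguments of their first call site, as
// the article's Println node does. http.HandleFunc("/p", h) additionally yields
// an edge caller -> h tagged with the route (an assumed rule for this example).
func Analyze(filename, src string) (*Graph, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	g := &Graph{Nodes: []Node{}, Edges: []Edge{}}
	seen := map[string]bool{}
	addNode := func(name string, args []string) {
		if !seen[name] {
			seen[name] = true
			g.Nodes = append(g.Nodes, Node{ID: name, Name: name, Args: args, Returns: []string{}})
		}
	}
	for _, d := range file.Decls {
		fn, ok := d.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		caller := fn.Name.Name
		addNode(caller, []string{})
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			var target string // bare callee name: fmt.Println -> Println
			switch f := call.Fun.(type) {
			case *ast.Ident:
				target = f.Name
			case *ast.SelectorExpr:
				target = f.Sel.Name
			default:
				return true // e.g. an immediately invoked function literal
			}
			args := []string{}
			for _, a := range call.Args {
				args = append(args, types.ExprString(a))
			}
			addNode(target, args)
			line := fset.Position(call.Pos()).Line
			g.Edges = append(g.Edges, Edge{Source: caller, Target: target, Line: line, File: filename})
			if target == "HandleFunc" && len(call.Args) == 2 {
				lit, isLit := call.Args[0].(*ast.BasicLit)
				h, isIdent := call.Args[1].(*ast.Ident)
				if isLit && isIdent && lit.Kind == token.STRING {
					route, _ := strconv.Unquote(lit.Value)
					addNode(h.Name, []string{})
					g.Edges = append(g.Edges, Edge{Source: caller, Target: h.Name, Line: line, File: filename, Endpoint: route})
				}
			}
			return true
		})
	}
	return g, nil
}

func main() {
	g, err := Analyze("sample.go", sampleSrc)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(g, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints a `nodes`/`edges` document in the shape shown above, with the `main -> userHandler` edge carrying `"endpoint": "/user"`. Calls are resolved by bare name only, so two distinct functions both called `Get` would collapse into a single node; an analyzer meant for production use would type-check the package with `go/types` to tell them apart.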
Installation
Install it from the VS Code Marketplace.
Closing Thoughts
PathFinder is still in its early stages, but I believe it can grow into a handy tool for secure code reviews. I’d love to hear your thoughts and ideas to help improve it further. Feel free to give it a try and share your feedback!
Contact
Twitter: https://x.com/fatihclk01
Linkedin: https://tr.linkedin.com/in/fatih--celik