Track tainted input through branches using Pin

Reverse Engineering Asked by hexterisk on June 5, 2021

My aim is to taint the input and track it through every branch, that is, check if either of the operands to a cmp is tainted, and if it is, get the value it is being compared to.

So far, my plan is to check every instruction’s disassembly and see if the string "cmp" exists. If it does, I’ll write a series of INS_OperandIsReg, INS_OperandIsImmediate and INS_OperandIsMemory, and then check if the reg/memory is tainted. If it is, I’ll fetch the value.
Also, is there a possible way to run this only on the first cmp instruction (apart from an extra counter, maybe)?

The issue is that this plan seems way too hack-ish and there must be some way to achieve what I’m aiming for in a much more formal way, something I’m missing in the documentation. Any suggestions or ideas would be appreciated.

Thank you.
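The logic the question describes (propagate taint from the input through data moves, and at every compare check whether either operand is tainted and, if so, record what it is being compared against) can be shown without Pin at all. The following is an added example, not code from the question or from the Pin project: it simulates the taint rules on a constructed instruction trace so the bookkeeping a pintool's analysis routines would do is visible in one place. The trace, the register names, the taint source and the "first tainted cmp only" switch are all constructed for the illustration; they are not values from the question.

```python
"""Taint tracking across compare instructions, simulated on a constructed trace."""
from dataclasses import dataclass, field

MASK = (1 << 64) - 1  # model 64-bit registers

# Constructed example trace, one tuple per executed instruction: (mnemonic, dst, src).
# Operands are register names, memory cells written as "[0x...]", or immediates as ints.
TRACE = [
    ("mov", "rax", "[0x1000]"),   # load from the tainted input buffer
    ("mov", "rbx", 0x41),         # constant: untainted
    ("add", "rax", "rbx"),        # rax stays tainted (any tainted source taints the result)
    ("mov", "rdx", 0x1337),       # constant: untainted
    ("cmp", "rax", 0x7f),         # tainted register vs immediate: report 0x7f
    ("cmp", "rcx", "rbx"),        # neither side tainted: ignored
    ("mov", "[0x2000]", "rax"),   # taint flows into memory
    ("cmp", "[0x2000]", "rdx"),   # tainted memory vs register: report rdx's value 0x1337
    ("mov", "rax", 0),            # overwriting with a constant clears the taint
    ("cmp", "rax", 1),            # no longer tainted: ignored
]


@dataclass
class TaintTracker:
    regs: dict = field(default_factory=dict)
    mem: dict = field(default_factory=dict)
    tainted: set = field(default_factory=set)   # tainted register names and memory cells
    first_only: bool = False                     # stop reporting after the first tainted cmp
    reports: list = field(default_factory=list)

    def read(self, op):
        """Current value of an operand (immediates evaluate to themselves)."""
        if isinstance(op, int):
            return op
        return (self.mem if op.startswith("[") else self.regs).get(op, 0)

    def write(self, op, value, taint):
        """Store a value and set or clear the destination's taint bit."""
        (self.mem if op.startswith("[") else self.regs)[op] = value & MASK
        if taint:
            self.tainted.add(op)
        else:
            self.tainted.discard(op)

    def is_tainted(self, op):
        return not isinstance(op, int) and op in self.tainted

    def on_cmp(self, index, a, b):
        """What a per-cmp analysis routine does: if either side is tainted,
        record the other side and its concrete value at this point."""
        if self.first_only and self.reports:
            return
        for tainted_op, other in ((a, b), (b, a)):
            if self.is_tainted(tainted_op):
                self.reports.append({"index": index, "tainted": tainted_op,
                                     "against": other, "value": self.read(other)})
                return

    def step(self, index, mnemonic, dst, src):
        """Constructed propagation rules for the three mnemonics the trace uses."""
        if mnemonic == "mov":
            self.write(dst, self.read(src), self.is_tainted(src))
        elif mnemonic == "add":
            self.write(dst, self.read(dst) + self.read(src),
                       self.is_tainted(dst) or self.is_tainted(src))
        elif mnemonic == "cmp":
            self.on_cmp(index, dst, src)
        else:
            raise ValueError(f"unsupported mnemonic {mnemonic!r}")


def run(trace, taint_sources, first_only=False):
    """Seed taint at the given memory cells, execute the trace, return the cmp reports."""
    tracker = TaintTracker(first_only=first_only)
    for cell, value in taint_sources.items():
        tracker.write(cell, value, taint=True)
    for index, (mnemonic, dst, src) in enumerate(trace):
        tracker.step(index, mnemonic, dst, src)
    return tracker.reports


if __name__ == "__main__":
    # The input buffer at [0x1000] is the constructed taint source.
    for report in run(TRACE, {"[0x1000]": 0x10}):
        print(report)
```

In a real pintool the same three pieces map onto Pin's API: the check for a compare is `INS_Opcode(ins) == XED_ICLASS_CMP` rather than a substring search of the disassembly; the operand classification is `INS_OperandIsImmediate` / `INS_OperandIsReg` / `INS_OperandIsMemory` with `INS_OperandImmediate` and `INS_OperandReg` to get the immediate or register; and the concrete values are delivered to the analysis routine through `INS_InsertCall` with `IARG_REG_VALUE` and `IARG_MEMORYREAD_EA`. Because Pin instruments each static cmp once and the analysis routine then runs on every execution of it, the "only the first one" behaviour has to live in a flag (or counter) checked inside the analysis routine, as the `first_only` switch above does.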
