Frameworks & libraries scanned
We test fixture coverage on these frameworks. New patterns are added with each builtin rule release.
Top CWE classes detected
These CWE classes appear most often in modern codebases of this language. StaticCodeAudit ships dedicated rules for each, mapped to OWASP Top 10 / ISO 27001 / ASVS where relevant.
CWE-89
SQL Injection
String formatting or f-strings used to build SQL queries — typical with cursor.execute(f"SELECT ... {user_input}"), Django .raw() with concat, or SQLAlchemy .text() without bind parameters.
Detected by SCA rule: sql_injection_fstring
CWE-78
OS Command Injection
subprocess.run(shell=True, ...), os.system() with user input. The shell=True flag enables shell metacharacter abuse.
Detected by SCA rule: os_system_injection
CWE-502
Insecure Deserialization
pickle.loads(), yaml.load() without SafeLoader, shelve, or marshal on untrusted bytes. Equivalent to remote code execution.
Detected by SCA rule: unsafe_deserialization
CWE-918
SSRF
requests.get(user_url), urllib.request.urlopen() on user-controlled URLs without scheme/host allow-list. Lets attackers reach internal services (metadata endpoints, RDS, etc.).
Detected by SCA rule: taint_ssrf
CWE-798
Hardcoded Credentials
API keys, JWT secrets, database passwords in source files. Detected by entropy + known patterns (AWS, Stripe, GitHub, Slack, etc.).
Detected by SCA rule: hardcoded_secret
CWE-94
Code Injection via dynamic compile
Calls to Python's dynamic compilation built-ins on data partially controlled by user input.
Detected by SCA rule: dangerous_eval
Vulnerable vs. clean — three quick examples
CWE-89
Detected by SCA rule: sql_injection_fstring
# Vulnerable — Flask + SQLAlchemy raw
@app.route('/user/<name>')
def user(name):
    # user input is interpolated straight into the statement text
    sql = f"SELECT * FROM users WHERE name = '{name}'"
    return db.engine.execute(sql).fetchone()

# Clean — bind parameter
from sqlalchemy import text

@app.route('/user/<name>')
def user(name):
    # :name is a bind parameter; the driver sends the value separately from the SQL
    sql = text("SELECT * FROM users WHERE name = :name")
    return db.engine.execute(sql, {"name": name}).fetchone()
CWE-78
Detected by SCA rule: os_system_injection
# Vulnerable — shell=True with user input
import subprocess

def ping(host):
    return subprocess.run(f"ping -c 1 {host}", shell=True)

# Clean — argument list, no shell
import subprocess

def ping(host):
    # each argument is passed to execve() as-is; no shell metacharacters are interpreted
    return subprocess.run(["ping", "-c", "1", host], check=False)
CWE-502
Detected by SCA rule: unsafe_deserialization
# Vulnerable — yaml.load without SafeLoader
import yaml

def load_config(blob):
    return yaml.load(blob)  # full Loader = RCE

# Clean — yaml.safe_load
import yaml

def load_config(blob):
    return yaml.safe_load(blob)
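As an added illustration (not StaticCodeAudit's rule engine), a minimal AST-based scanner that flags the three forms shown above: an f-string reaching execute(), a shell=True call with an f-string, and yaml.load() without a Loader. The rule names are reused as labels; the sample source is constructed and only parsed, never run (it references an undefined db on purpose).

```python
import ast

# Constructed sample: the page's three vulnerable/clean pairs side by side (parsed only).
SAMPLE = '''import subprocess, yaml
from sqlalchemy import text
def user(name):                                   # CWE-89, vulnerable
    sql = f"SELECT * FROM users WHERE name = '{name}'"
    return db.engine.execute(sql).fetchone()
def user_ok(name):                                # bind parameter
    return db.engine.execute(text("SELECT * FROM users WHERE name = :name"), {"name": name})
def ping(host):                                   # CWE-78, vulnerable
    return subprocess.run(f"ping -c 1 {host}", shell=True)
def ping_ok(host):
    return subprocess.run(["ping", "-c", "1", host], check=False)
def load_config(blob):                            # CWE-502, vulnerable
    return yaml.load(blob)
def load_config_ok(blob):
    return yaml.safe_load(blob)
'''
SHELL_CALLS = {"subprocess.run", "subprocess.call", "subprocess.check_output", "subprocess.Popen"}
UNSAFE_LOADS = {"pickle.load", "pickle.loads", "marshal.load", "marshal.loads"}

def _dotted(node):
    """Dotted call target, e.g. 'db.engine.execute' or 'yaml.load' ('' for anything else)."""
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    return node.id if isinstance(node, ast.Name) else ""

def scan(source):
    """Return [(lineno, rule)] for the three patterns; f-string forms only, no .format()/% yet."""
    tree = ast.parse(source)
    # Names bound to an f-string, so `sql = f"..."; execute(sql)` is caught as well.
    tainted = {t.id for n in ast.walk(tree) if isinstance(n, ast.Assign)
               and isinstance(n.value, ast.JoinedStr) for t in n.targets if isinstance(t, ast.Name)}
    def fstr(a):
        return isinstance(a, ast.JoinedStr) or (isinstance(a, ast.Name) and a.id in tainted)
    findings = []
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        name, kw = _dotted(node.func), {k.arg: k.value for k in node.keywords}
        first, shell = (node.args[0] if node.args else None), kw.get("shell")
        if name.rsplit(".", 1)[-1] in ("execute", "executemany") and fstr(first):
            findings.append((node.lineno, "sql_injection_fstring"))
        elif fstr(first) and (name in ("os.system", "os.popen") or name in SHELL_CALLS
                              and isinstance(shell, ast.Constant) and shell.value is True):
            findings.append((node.lineno, "os_system_injection"))
        elif name in UNSAFE_LOADS or (name == "yaml.load" and "Loader" not in kw):
            findings.append((node.lineno, "unsafe_deserialization"))
    return findings
```

Running scan(SAMPLE) reports the three vulnerable functions and none of the clean ones; a real rule set would also track .format(), % formatting and concatenation, which this sketch leaves out.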
What StaticCodeAudit detects (this language)
- SQL injection in raw SQL, f-strings, .format(), Django .raw(), SQLAlchemy .text() without binds
- OS command injection (subprocess with shell=True, os.system, os.popen)
- Insecure deserialization (pickle, yaml.load, marshal, shelve)
- SSRF via requests, urllib, aiohttp with user-controlled URLs
- Hardcoded secrets (AWS, Stripe, GitHub PAT, Slack tokens, JWT secrets, DB passwords, PEM keys)
- XXE and XML billion-laughs (xml.etree, lxml without resolver disabled)
- Path traversal (os.path.join with user input, open() without root anchor)
- Insecure cookies (Flask/Django Secure/HttpOnly/SameSite flags missing)
- CSRF exempt (@csrf_exempt, Flask without flask-wtf)
- Insecure crypto (MD5/SHA1 for security, ECB mode, hardcoded IV, weak random)
- Debug mode enabled in Flask / Django production config
- Insecure JWT (algorithm none, hardcoded secret, no expiry)
- Deprecated APIs (PyCrypto, ssl.TLSv1, urllib2-style)
- PII in logs and exception messages
- CI/CD misconfigurations (.gitlab-ci.yml, GitHub Actions: untrusted checkout, secrets in logs)
Audit your codebase
Audit your Python code for OWASP Top 10 vulnerabilities, framework-specific misconfigurations and dependency risks — without sending a single line to the cloud. Covers Django, Flask, FastAPI, SQLAlchemy and the standard library.