Comprehensive security vulnerability scanner for Python projects including Flask, Django, and FastAPI applications...
This skill enables comprehensive security scanning of Python projects based on OWASP guidelines, Python security best practices, and framework-specific vulnerabilities.
This skill automatically detects and applies framework-specific checks for:
Fast scan focusing on critical vulnerabilities:
eval, exec, pickle.loads)subprocess, os.systemComprehensive security assessment covering:
Focus on specific vulnerability categories:
--injection - SQL/NoSQL/Command/LDAP injection--deserialization - Pickle, YAML, JSON deserialization--auth - Authentication/authorization issues--secrets - Hardcoded credentials--deps - Dependency vulnerabilities--crypto - Cryptographic issues--flask - Flask-specific vulnerabilities--django - Django-specific vulnerabilities--fastapi - FastAPI-specific vulnerabilitiesrequirements.txt, Pipfile, pyproject.toml, setup.pyfrom flask import), Django (django.conf), FastAPI (from fastapi import)# Detection patterns
Flask: "from flask import", "Flask(__name__)"
Django: "django.conf.settings", "INSTALLED_APPS", "manage.py"
FastAPI: "from fastapi import", "FastAPI()"
Run the dependency audit script:
./scripts/dependency-audit.sh /path/to/project
Or manually:
pip-audit
# or
safety check
Scan for hardcoded secrets:
python scripts/secret-scanner.py /path/to/project
Important: Environment File Handling
.env files are SKIPPED (.env, .env.local, .env.production, etc.).env.example and .env.template files are analyzed for documentation quality--include-env-files flag only if explicitly requested by userThe scanner will:
.env.example templates to check:For each file in the codebase, check against patterns in:
references/python-vulnerabilities.md - Core Python issuesreferences/injection-patterns.md - Injection flawsreferences/deserialization.md - Insecure deserializationreferences/flask-security.md - Flask vulnerabilitiesreferences/django-security.md - Django vulnerabilitiesreferences/fastapi-security.md - FastAPI vulnerabilitiesGenerate a security report using:
assets/report-template.md - Report structure| Severity | Description | Action Required |
|---|---|---|
| CRITICAL | Exploitable vulnerability with severe impact | Immediate fix required |
| HIGH | Significant security risk | Fix before deployment |
| MEDIUM | Potential security issue | Fix in next release |
| LOW | Minor security concern | Consider fixing |
| INFO | Security best practice suggestion | Optional improvement |
**/*.py - All Python source filesrequirements.txt, Pipfile, pyproject.toml - Dependenciessetup.py, setup.cfg - Package configurationconfig.py, settings.py - Configuration files**/secrets*, **/credentials* - Obvious secret locations.env.example, .env.template - SCAN for template analysis.env, .env.local, .env.production - SKIP by default (contain real secrets)Note: Real .env files should never be committed to version control. The scanner analyzes .env.example templates to ensure proper documentation of required variables.
app.py, main.py, wsgi.py - Entry points**/views.py, **/routes.py - Request handlers**/api/**/*.py - API endpoints**/auth*, **/login* - Authentication code**/models.py - Database models**/serializers.py - Data serialization**/middleware.py - Middleware codeFlask:
app.py, __init__.py - Application factory**/blueprints/** - Blueprint routestemplates/** - Jinja2 templatesDjango:
settings.py, **/settings/*.py - Django settingsurls.py - URL configuration**/views.py - View functions/classes**/forms.py - Form definitionstemplates/** - Django templatesFastAPI:
main.py - Application entry**/routers/** - API routers**/dependencies.py - Dependency injection**/schemas.py - Pydantic modelsFindings should be reported as:
[SEVERITY] Category: Description
File: path/to/file.py:lineNumber
Code: <relevant code snippet>
Risk: <explanation of the security risk>
Fix: <recommended remediation>
This skill can generate output compatible with:
Load additional context as needed:
references/owasp-top-10.md - OWASP Top 10:2025 quick referencereferences/python-vulnerabilities.md - Python-specific vulnerabilitiesreferences/injection-patterns.md - Injection vulnerability patternsreferences/deserialization.md - Insecure deserialization patternsreferences/flask-security.md - Flask security guidereferences/django-security.md - Django security guidereferences/fastapi-security.md - FastAPI security guide