Python Security Scan
SKILL.md
Python Security Scan Skill
This skill enables comprehensive security scanning of Python projects based on OWASP guidelines, Python security best practices, and framework-specific vulnerabilities.
When to Use This Skill
- Security audits of Python applications
- Code review for security vulnerabilities
- Pre-deployment security checks
- Dependency vulnerability assessment
- Detecting hardcoded secrets and credentials
- Framework-specific security reviews (Flask, Django, FastAPI)
Supported Frameworks
This skill automatically detects and applies framework-specific checks for:
- Flask - Template injection, session security, CORS, extensions
- Django - ORM injection, CSRF, template security, settings
- FastAPI - Dependency injection, Pydantic validation, OAuth2
- General Python - Core language vulnerabilities applicable to all projects
Scan Types
1. Quick Scan
Fast scan focusing on critical vulnerabilities:
- Hardcoded secrets, API keys, and credentials
- Dangerous function usage (
eval,exec,pickle.loads) - Command injection via
subprocess,os.system - SQL injection patterns
- Known vulnerable dependencies
2. Full Scan
Comprehensive security assessment covering:
- All OWASP Top 10:2025 categories
- Python-specific vulnerabilities
- Framework-specific security issues
- Injection vulnerabilities (SQL, NoSQL, Command, LDAP)
- Insecure deserialization
- Authentication and authorization flaws
- Cryptographic failures
- Security misconfigurations
- Dependency audit (CVE check)
- Environment variable and secrets exposure
3. Targeted Scan
Focus on specific vulnerability categories:
--injection- SQL/NoSQL/Command/LDAP injection--deserialization- Pickle, YAML, JSON deserialization--auth- Authentication/authorization issues--secrets- Hardcoded credentials--deps- Dependency vulnerabilities--crypto- Cryptographic issues--flask- Flask-specific vulnerabilities--django- Django-specific vulnerabilities--fastapi- FastAPI-specific vulnerabilities
Scan Procedure
Step 1: Project Discovery
- Identify project type and framework:
- Check for
requirements.txt,Pipfile,pyproject.toml,setup.py - Detect Flask (
from flask import), Django (django.conf), FastAPI (from fastapi import)
- Check for
- Locate configuration files
- Map the codebase structure
Step 2: Framework Detection
# Detection patterns
Flask: "from flask import", "Flask(__name__)"
Django: "django.conf.settings", "INSTALLED_APPS", "manage.py"
FastAPI: "from fastapi import", "FastAPI()"
Step 3: Dependency Audit
Run the dependency audit script:
./scripts/dependency-audit.sh /path/to/project
Or manually:
pip-audit
# or
safety check
Step 4: Secret Scanning
Scan for hardcoded secrets:
python scripts/secret-scanner.py /path/to/project
Important: Environment File Handling
- By default, real
.envfiles are SKIPPED (.env,.env.local,.env.production, etc.) - These files contain actual secrets and should not be in version control
- Only
.env.exampleand.env.templatefiles are analyzed for documentation quality - Use
--include-env-filesflag only if explicitly requested by user
The scanner will:
- Scan source code for hardcoded secrets
- Analyze
.env.exampletemplates to check:- Which sensitive variables are documented
- Whether variables have descriptions (comments)
- If placeholder values look like real secrets
- Suggestions for missing common variables (SECRET_KEY, DATABASE_URL, etc.)
Step 5: Pattern Analysis
For each file in the codebase, check against patterns in:
references/python-vulnerabilities.md- Core Python issuesreferences/injection-patterns.md- Injection flawsreferences/deserialization.md- Insecure deserializationreferences/flask-security.md- Flask vulnerabilitiesreferences/django-security.md- Django vulnerabilitiesreferences/fastapi-security.md- FastAPI vulnerabilities
Step 6: Report Generation
Generate a security report using:
assets/report-template.md- Report structure
Severity Classification
| Severity | Description | Action Required |
|---|---|---|
| CRITICAL | Exploitable vulnerability with severe impact | Immediate fix required |
| HIGH | Significant security risk | Fix before deployment |
| MEDIUM | Potential security issue | Fix in next release |
| LOW | Minor security concern | Consider fixing |
| INFO | Security best practice suggestion | Optional improvement |
Key Files to Scan
Always Check
**/*.py- All Python source filesrequirements.txt,Pipfile,pyproject.toml- Dependenciessetup.py,setup.cfg- Package configurationconfig.py,settings.py- Configuration files**/secrets*,**/credentials*- Obvious secret locations
Environment Files
.env.example,.env.template- SCAN for template analysis.env,.env.local,.env.production- SKIP by default (contain real secrets)
Note: Real .env files should never be committed to version control. The scanner analyzes .env.example templates to ensure proper documentation of required variables.
High Priority Locations
app.py,main.py,wsgi.py- Entry points**/views.py,**/routes.py- Request handlers**/api/**/*.py- API endpoints**/auth*,**/login*- Authentication code**/models.py- Database models**/serializers.py- Data serialization**/middleware.py- Middleware code
Framework-Specific
Flask:
app.py,__init__.py- Application factory**/blueprints/**- Blueprint routestemplates/**- Jinja2 templates
Django:
settings.py,**/settings/*.py- Django settingsurls.py- URL configuration**/views.py- View functions/classes**/forms.py- Form definitionstemplates/**- Django templates
FastAPI:
main.py- Application entry**/routers/**- API routers**/dependencies.py- Dependency injection**/schemas.py- Pydantic models
Output Format
Findings should be reported as:
[SEVERITY] Category: Description
File: path/to/file.py:lineNumber
Code: <relevant code snippet>
Risk: <explanation of the security risk>
Fix: <recommended remediation>
Integration with CI/CD
This skill can generate output compatible with:
- GitHub Security Advisories
- SARIF format for GitHub Code Scanning
- JSON for custom integrations
- JUnit XML for CI pipelines
References
Load additional context as needed:
references/owasp-top-10.md- OWASP Top 10:2025 quick referencereferences/python-vulnerabilities.md- Python-specific vulnerabilitiesreferences/injection-patterns.md- Injection vulnerability patternsreferences/deserialization.md- Insecure deserialization patternsreferences/flask-security.md- Flask security guidereferences/django-security.md- Django security guidereferences/fastapi-security.md- FastAPI security guide