# Security Validations
This section outlines the default security validations implemented in Python Code Audit.
Python Code Audit performs several types of analysis on Python programs, including:

- Static Application Security Testing (SAST): Analyzes Python code statically to detect potential security vulnerabilities without executing it.
- Cyclomatic Complexity Analysis: Calculates complexity scores for each package and file to assess code maintainability and potential risk areas.
- Vulnerability Reporting: Identifies and reports known security vulnerabilities in the external modules used by the application.
## Static Application Security Validation Checks
A core feature of Python Code Audit is performing Static Application Security Testing (SAST) on Python files and packages (directories).
The tool’s validation process targets common security weaknesses frequently found in Python programs, particularly those involving the use of Python Standard Library (PSL) calls.
Python Code Audit includes the most comprehensive collection of security rules for verifying the secure use of Python Standard Library functions. It analyzes your code for potential vulnerabilities based on these rules — all without executing the code.
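As an added illustration of how a static check of this kind works (example code written for this page, not Python Code Audit's own implementation or rule set), the following Python parses a module into an AST without executing it, resolves import aliases so that `import subprocess as sp` still maps `sp.run` to `subprocess.run` and `from os import system` maps `system(...)` to `os.system`, and matches each call against a small constructed subset of the rules listed in the table further down. The `RULES` dictionary, the `SAMPLE` source and the severities shown are assumptions made for the example:

```python
import ast

# Constructed rule subset for this example, modelled on the validation table on this
# page; the names and severities here are illustrative and not the tool's own rule set.
RULES = {
    "eval": ("Dangerous Built-in: eval", "High"),
    "exec": ("Dangerous Built-in: exec", "High"),
    "compile": ("Dangerous Built-in: compile", "High"),
    "__import__": ("Dynamic Imports", "Medium"),
    "pickle.load": ("Pickle Usage", "High"),
    "pickle.loads": ("Pickle Usage", "High"),
    "marshal.loads": ("Marshal Usage", "High"),
    "hashlib.md5": ("Insecure Hashing Algorithm", "High"),
    "os.system": ("OS Execution", "High"),
    "subprocess.run": ("Subprocess Usage", "Medium"),
    "tempfile.mktemp": ("Tempfile", "Low"),
}


def _dotted_name(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _RiskVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []   # (lineno, construct, rule name, severity)
        self.aliases = {}    # local binding -> fully qualified name, e.g. 'sp' -> 'subprocess'

    def visit_Import(self, node):
        for alias in node.names:            # import subprocess as sp
            self.aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        for alias in node.names:            # from os import system as run_cmd
            if node.module:
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name is not None:
            head, _, rest = name.partition(".")
            resolved = self.aliases.get(head, head) + (f".{rest}" if rest else "")
            if resolved in RULES:
                rule, severity = RULES[resolved]
                self.findings.append((node.lineno, resolved, rule, severity))
        self.generic_visit(node)            # keep walking: nested calls inside arguments

    def visit_ExceptHandler(self, node):
        # An except block whose only statement is `pass` or `continue` swallows the error.
        if len(node.body) == 1 and isinstance(node.body[0], (ast.Pass, ast.Continue)):
            keyword = "pass" if isinstance(node.body[0], ast.Pass) else "continue"
            self.findings.append((node.lineno, keyword, "Overly Broad Exception Handling", "Low"))
        self.generic_visit(node)


def find_risky_calls(source):
    """Parse `source` (it is never executed) and return findings sorted by line number."""
    visitor = _RiskVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


# Constructed sample input; it deliberately uses aliases to show why name resolution matters.
SAMPLE = '''
import pickle, hashlib
import subprocess as sp
from os import system

def handler(blob, cmd):
    try:
        obj = pickle.loads(blob)
    except Exception:
        pass
    digest = hashlib.md5(blob).hexdigest()
    system(cmd)
    sp.run(cmd, shell=True)
    return obj, digest
'''

if __name__ == "__main__":
    for lineno, construct, rule, severity in find_risky_calls(SAMPLE):
        print(f"line {lineno:>3}  {severity:<6} {rule}: {construct}")
```

Running the module reports five findings on the constructed sample (lines 8, 9, 11, 12 and 13). The alias table is what separates a useful check from a grep: without it, `system(cmd)` and `sp.run(...)` would pass unnoticed, which is exactly the kind of indirection the "hidden code tricks" rule category refers to.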
All rules in Python Code Audit are based on:

- Common software flaws listed among the CWE Top Dangerous Software Weaknesses relevant to Python
- Community input and contributions from security practitioners
- Real-world experience in mitigating vulnerabilities in Python applications
- Frequently reported security issues found in Python codebases
- Hidden code tricks that are deliberately obfuscated using advanced mechanisms. Most Python SAST scanners will not find these vulnerabilities!
- Security-by-design principles, specifically tailored for Python development
Since Python Code Audit is Free and Open Source Software (FOSS), all validation rules are completely open and transparent — available for anyone to use, review, and extend.
If you notice a missing validation rule, we encourage you to contribute! See the Contributing section for details on how to get involved and help improve Python Code Audit.
Join the community!
Join the community and be part of building the most comprehensive, local-first Python Security Audit Scanner. Help us make Python code more secure — join the journey!
Or align your brand with us — associate with an amazing open community around Python Code Audit, reinforcing your commitment to security innovation.
Note

If the program uses external modules that are not part of the Python Standard Library (PSL):

- Run Python Code Audit against this package, and
- Run `codeaudit modulescan` to check whether known vulnerabilities are reported for this module.
## Implemented validations
Python Code Audit Implemented validations
| name | construct | severity | info |
|---|---|---|---|
| Dynamic Imports | __import__ | Medium | Importing modules dynamically can load untrusted code. |
| Assertions | assert | Low | Assertions are for debugging and development. Assertions can be disabled during runtime. Use in production can introduce vulnerabilities. |
| Base64 Encoding | base64 | Low | Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code. |
| BZ2 File Handling | bz2.BZ2File | Medium | Decompressing untrusted data can lead to resource exhaustion attacks. |
| BZ2 File Handling | bz2.open | Medium | Decompressing untrusted data can lead to resource exhaustion attacks. |
| Dangerous Built-in: compile | compile | High | This function can be used to execute arbitrary code or crash the Python interpreter. |
| Zstandard (zstd) decompression | compression.zstd decompress | High | Vulnerable to path traversal attacks if used with untrusted archives. |
| Zstandard (zstd) decompression | compression.zstd open | High | Vulnerable to path traversal attacks if used with untrusted archives. |
| Unsafe Deserialization: multiprocessing | connection.recv | High | Uses pickle, which can execute arbitrary code when receiving data. |
| Overly Broad Exception Handling | continue | Low | Skipping over exceptions can mask critical errors and security risks. |
| Dangerous Built-in: eval | eval | High | This function can execute arbitrary code. Never safe with untrusted input. |
| Dangerous Built-in: exec | exec | High | This function can execute arbitrary code and should be used only with validated constructs. |
| Gzip File Handling | gzip.open | Medium | Risk of decompression bombs or resource exhaustion with untrusted data. |
| Insecure Hashing Algorithm | hashlib.md5 | High | MD5 is cryptographically broken and should not be used for security purposes. |
| Insecure Hashing Algorithm | hashlib.sha1 | High | SHA-1 is cryptographically broken and should not be used for security purposes. |
| HTTP Server (Base Handler) | http.server BaseHTTPRequestHandler | High | These modules are for development only and are not secure for production use. |
| HTTP Server | http.server HTTPServer | High | These modules are for development only and are not secure for production use. |
| Dynamic Imports | importlib.import_module | Medium | Importing modules dynamically can load untrusted code. |
| Input Function | input | Low | User input must be strictly sanitized and validated to prevent injection vulnerabilities. |
| Logging Configuration | logging.config | Medium | Parsing untrusted logging configurations can lead to vulnerabilities if not handled correctly. |
| LZMA File Handling | lzma.LZMAFile | Medium | Risk of decompression bombs or resource exhaustion with untrusted data. |
| LZMA File Handling | lzma.open | Medium | Risk of decompression bombs or resource exhaustion with untrusted data. |
| Marshal Usage | marshal.load | High | This module is not secure and should not be used to deserialize data from untrusted sources. |
| Marshal Usage | marshal.loads | High | This module is not secure and should not be used to deserialize data from untrusted sources. |
| Unsafe Deserialization: multiprocessing | multiprocessing.connection Connection | High | Relies on pickle; dangerous with untrusted data. |
| OS Access | os.access | High | Direct OS function calls can have significant security implications and require careful review. |
| OS File Permissions | os.chmod | High | Changing permissions carelessly can expose sensitive files. |
| OS Execution | os.execl | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execle | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execlp | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execlpe | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execv | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execve | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execvp | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Execution | os.execvpe | High | Direct OS function calls can have significant security implications and require careful review. |
| OS Forking | os.fork | Low | On macOS use of this function is unsafe when mixed with using higher-level system APIs, and that includes using urllib.request. |
| OS Interfaces | os.forkpty | Low | Use of forkpty can be unsafe when used on macOS. |
| Directory Creation | os.makedev | Low | Direct file system calls require careful input validation to prevent vulnerabilities. |
| Directory Creation | os.makedirs | Low | Direct file system calls require careful input validation to prevent vulnerabilities. |
| Directory Creation | os.mkdir | Low | Direct file system calls require careful input validation to prevent vulnerabilities. |
| Directory Creation | os.mkfifo | Low | Direct file system calls require careful input validation to prevent vulnerabilities. |
| Directory Creation | os.mknod | Low | Direct file system calls require careful input validation to prevent vulnerabilities. |
| OS Execution | os.popen | High | Direct OS function calls can have significant security implications and require careful review. |
| OS File Operations | os.read | Low | Reading from unvalidated file descriptors can lead to information disclosure. |
| OS Execution | os.system | High | Direct OS function calls can have significant security implications and require careful review. |
| OS File Operations | os.write | Low | Writing to unvalidated or unintended file descriptors can lead to data corruption, privilege escalation, or denial of service. |
| OS File Operations | os.writev | Low | Writing to unvalidated or unintended file descriptors can lead to data corruption, privilege escalation, or denial of service. |
| Overly Broad Exception Handling | pass | Low | Using `pass` in an `except` block can silently ignore critical security exceptions. |
| Pickle Usage | pickle.Unpickler | High | Deserializing untrusted data with `pickle` can lead to arbitrary code execution. |
| Pickle Usage | pickle.load | High | Deserializing untrusted data with `pickle` can lead to arbitrary code execution. |
| Pickle Usage | pickle.loads | High | Deserializing untrusted data with `pickle` can lead to arbitrary code execution. |
| Cryptographically Unsafe Randomness | random.Random | Low | The pseudo-random generators in this module are not suitable for security purposes. |
| Cryptographically Unsafe Randomness | random.randbytes | Low | The pseudo-random generators in this module are not suitable for security purposes. |
| Cryptographically Unsafe Randomness | random.randint | Low | The pseudo-random generators in this module are not suitable for security purposes. |
| Cryptographically Unsafe Randomness | random.random | Low | The pseudo-random generators in this module are not suitable for security purposes. |
| Cryptographically Unsafe Randomness | random.randrange | Low | The pseudo-random generators in this module are not suitable for security purposes. |
| Cryptographically Unsafe Randomness | random.seed | Low | The pseudo-random generators in this module are not suitable for security purposes. |
| Cryptographically Unsafe Randomness | random.triangular | Low | The pseudo-random generators in this module are not suitable for security purposes. |
| Cryptographically Unsafe Randomness | random.uniform | Low | The pseudo-random generators in this module are not suitable for security purposes. |
| Insecure Network Binding | s.bind | Medium | Binding to all interfaces can expose the service to a wider network attack surface. |
| Shelve Usage | shelve.DbfilenameShelf | High | The `shelve` module uses `pickle` internally, making it unsafe for untrusted data. |
| Shelve Usage | shelve.open | High | The `shelve` module uses `pickle` internally, making it unsafe for untrusted data. |
| Shutil Operations | shutil.chown | Medium | Changing file ownership can introduce vulnerabilities. |
| Shutil Copying | shutil.copy | Medium | Files may be copied without authorization if paths are not validated. |
| Shutil Copying | shutil.copy2 | Medium | Files may be copied without authorization if paths are not validated. |
| Shutil Copying | shutil.copytree | Medium | Files may be copied without authorization if paths are not validated. |
| Shutil Removal | shutil.rmtree | Medium | Vulnerable to path traversal attacks if not used carefully. |
| Shutil Extraction | shutil.unpack_archive | Medium | Untrusted archives can contain malicious paths or payloads. |
| Subprocess Usage | subprocess.Popen | Medium | Requires careful input validation to prevent command injection vulnerabilities. |
| Subprocess Usage | subprocess.call | High | Requires careful input validation to prevent command injection vulnerabilities. |
| Subprocess Usage | subprocess.check_call | High | Requires careful input validation to prevent command injection vulnerabilities. |
| Subprocess Usage | subprocess.check_output | Medium | Requires careful input validation to prevent command injection vulnerabilities. |
| Subprocess Usage | subprocess.getoutput | Medium | Requires careful input validation to prevent command injection vulnerabilities. |
| Subprocess Usage | subprocess.getstatusoutput | Medium | Requires careful input validation to prevent command injection vulnerabilities. |
| Subprocess Usage | subprocess.run | Medium | Requires careful input validation to prevent command injection vulnerabilities. |
| Sys Calls | sys.call_tracing | Medium | Provides low-level access to interpreter execution; dangerous if exposed. |
| Sys Calls | sys.setprofile | Medium | Provides low-level access to interpreter execution; dangerous if exposed. |
| Sys Calls | sys.settrace | Medium | Provides low-level access to interpreter execution; dangerous if exposed. |
| Tarfile Extraction | tarfile.TarFile | High | Vulnerable to path traversal attacks if used with untrusted archives. |
| Tempfile | tempfile.mktemp | Low | This function is deprecated because of race conditions that can lead to security vulnerabilities. |
| XML-RPC Client | xmlrpc.client | High | Vulnerable to denial-of-service via decompression bombs. |
| XML-RPC Server | xmlrpc.server SimpleXMLRPCServer | High | Vulnerable to denial-of-service via decompression bombs. |
| Zipfile Extraction | zipfile.ZipFile | High | Vulnerable to path traversal attacks if used with untrusted archives. |
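Several rows above (the bz2, gzip, lzma, zstd, tarfile and zipfile entries) point at the same two failure modes: a member path that escapes the extraction directory, and compressed data that expands far beyond what the caller expected. The following added example, written for this page and not part of Python Code Audit, shows the checks a caller of `zipfile.ZipFile` would put in front of the flagged call: it rejects absolute or `..` member paths before anything is read, and decompresses each member in chunks against a per-member and a whole-archive byte budget, so a highly compressible member is cut off early rather than trusted because its header declares a small size. `MAX_MEMBER_BYTES`, `MAX_TOTAL_BYTES` and the in-memory archives built by `make_zip` are constructed for the example:

```python
import io
import posixpath
import re
import zipfile

# Assumed policy limits for this example; a real deployment sets these from its own requirements.
MAX_MEMBER_BYTES = 1024 * 1024          # 1 MiB per member
MAX_TOTAL_BYTES = 16 * 1024 * 1024      # 16 MiB for the whole archive


class UnsafeArchive(ValueError):
    """Raised when a member fails the path or size check."""


def _is_safe_name(name):
    """True only for relative member names that cannot escape the extraction root."""
    name = name.replace("\\", "/")                       # archives built on Windows
    if not name or name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        return False
    parts = posixpath.normpath(name).split("/")          # collapses 'a/../b' to 'b'
    return ".." not in parts                             # a leftover '..' escapes the root


def check_member_paths(zf):
    """Raise UnsafeArchive on the first member whose path could escape; else return all names."""
    for info in zf.infolist():
        if not _is_safe_name(info.filename):
            raise UnsafeArchive(f"unsafe member path: {info.filename!r}")
    return [info.filename for info in zf.infolist()]


def read_member_bounded(zf, name, limit=MAX_MEMBER_BYTES, chunk=64 * 1024):
    """Decompress one member in chunks and stop as soon as the output exceeds `limit`.

    The budget is enforced on bytes actually produced, not on the size the archive
    header declares, because the header is attacker-controlled.
    """
    out = io.BytesIO()
    total = 0
    with zf.open(name) as fh:
        while True:
            piece = fh.read(chunk)
            if not piece:
                break
            total += len(piece)
            if total > limit:
                raise UnsafeArchive(f"member {name!r} exceeds {limit} bytes when decompressed")
            out.write(piece)
    return out.getvalue()


def extract_to_memory(data, limit=MAX_MEMBER_BYTES, total_limit=MAX_TOTAL_BYTES):
    """Validate every member, then return {name: bytes}; never touches the filesystem."""
    result = {}
    budget = total_limit
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in check_member_paths(zf):
            if name.endswith("/"):                       # directory entry, nothing to read
                continue
            content = read_member_bounded(zf, name, min(limit, budget))
            budget -= len(content)
            result[name] = content                       # original member name kept as key
    return result


def audit_zip(data, **limits):
    """Return (True, 'ok') or (False, reason) without raising, for callers that only log."""
    try:
        extract_to_memory(data, **limits)
        return True, "ok"
    except UnsafeArchive as exc:
        return False, str(exc)


def make_zip(entries):
    """Build an in-memory archive from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives: a benign one, one with a member name containing '..',
# and one whose single member expands to 4 MiB from a few kilobytes compressed.
BENIGN = make_zip({"docs/readme.txt": b"hello", "docs/../notes.txt": b"x"})
TRAVERSAL = make_zip({"../outside.txt": b"x"})
EXPANDING = make_zip({"big.bin": b"\0" * (4 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("traversal", TRAVERSAL), ("expanding", EXPANDING)):
        print(label, audit_zip(blob))
```

Running the module audits the three constructed archives: the benign one passes (its `docs/../notes.txt` member normalizes to `notes.txt`, which stays inside the root), the traversal one is rejected before any byte is decompressed, and the expanding one is cut off at the 1 MiB per-member budget. For `tarfile`, Python 3.12 added extraction filters (the `filter="data"` argument to `extractall`) that perform the path checks; the decompressed-size budget still has to be enforced by the caller, as above.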
Number of implemented security validations: 83
Version of codeaudit: 1.6.2
Because Python and cybersecurity are constantly changing, issue reports SHOULD specify the codeaudit version used.
Disclaimer: This SAST tool Python Code Audit provides a powerful, automatic security analysis for Python source code. However, it's not a substitute for human review in combination with business knowledge. Undetected vulnerabilities may still exist.
This Python security report was created on: 2026-04-09 17:20 with Python Code Audit version 1.6.2