Python Security Scan
Comprehensive security vulnerability scanner for Python projects including Flask, Django, and FastAPI applications. Detects OWASP Top 10 vulnerabilities, injection flaws, insecure deserialization, authentication issues, hardcoded secrets, and framework-specific security problems. Audits dependencies for known CVEs and generates actionable security reports.
Best use case
Python Security Scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using Python Security Scan should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/python-security-scan/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
How Python Security Scan Compares
| Feature / Agent | Python Security Scan | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Comprehensive security vulnerability scanner for Python projects including Flask, Django, and FastAPI applications. Detects OWASP Top 10 vulnerabilities, injection flaws, insecure deserialization, authentication issues, hardcoded secrets, and framework-specific security problems. Audits dependencies for known CVEs and generates actionable security reports.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Python Security Scan Skill

This skill enables comprehensive security scanning of Python projects based on OWASP guidelines, Python security best practices, and framework-specific vulnerabilities.

## When to Use This Skill

- Security audits of Python applications
- Code review for security vulnerabilities
- Pre-deployment security checks
- Dependency vulnerability assessment
- Detecting hardcoded secrets and credentials
- Framework-specific security reviews (Flask, Django, FastAPI)

## Supported Frameworks

This skill automatically detects and applies framework-specific checks for:

- **Flask** - Template injection, session security, CORS, extensions
- **Django** - ORM injection, CSRF, template security, settings
- **FastAPI** - Dependency injection, Pydantic validation, OAuth2
- **General Python** - Core language vulnerabilities applicable to all projects

## Scan Types

### 1. Quick Scan

Fast scan focusing on critical vulnerabilities:

- Hardcoded secrets, API keys, and credentials
- Dangerous function usage (`eval`, `exec`, `pickle.loads`)
- Command injection via `subprocess`, `os.system`
- SQL injection patterns
- Known vulnerable dependencies

### 2. Full Scan

Comprehensive security assessment covering:

- All OWASP Top 10:2025 categories
- Python-specific vulnerabilities
- Framework-specific security issues
- Injection vulnerabilities (SQL, NoSQL, Command, LDAP)
- Insecure deserialization
- Authentication and authorization flaws
- Cryptographic failures
- Security misconfigurations
- Dependency audit (CVE check)
- Environment variable and secrets exposure

### 3. Targeted Scan

Focus on specific vulnerability categories:

- `--injection` - SQL/NoSQL/Command/LDAP injection
- `--deserialization` - Pickle, YAML, JSON deserialization
- `--auth` - Authentication/authorization issues
- `--secrets` - Hardcoded credentials
- `--deps` - Dependency vulnerabilities
- `--crypto` - Cryptographic issues
- `--flask` - Flask-specific vulnerabilities
- `--django` - Django-specific vulnerabilities
- `--fastapi` - FastAPI-specific vulnerabilities

## Scan Procedure

### Step 1: Project Discovery

1. Identify project type and framework:
   - Check for `requirements.txt`, `Pipfile`, `pyproject.toml`, `setup.py`
   - Detect Flask (`from flask import`), Django (`django.conf`), FastAPI (`from fastapi import`)
2. Locate configuration files
3. Map the codebase structure

### Step 2: Framework Detection

```python
# Detection patterns: a framework is assumed present when any of its substrings
# appears in a project's Python source or project files
FRAMEWORK_PATTERNS = {
    "Flask": ["from flask import", "Flask(__name__)"],
    "Django": ["django.conf.settings", "INSTALLED_APPS", "manage.py"],
    "FastAPI": ["from fastapi import", "FastAPI()"],
}
```

### Step 3: Dependency Audit

Run the dependency audit script:

```bash
./scripts/dependency-audit.sh /path/to/project
```

Or manually:

```bash
pip-audit
# or
safety check
```

### Step 4: Secret Scanning

Scan for hardcoded secrets:

```bash
python scripts/secret-scanner.py /path/to/project
```

**Important: Environment File Handling**

- By default, real `.env` files are **SKIPPED** (`.env`, `.env.local`, `.env.production`, etc.)
- These files contain actual secrets and should not be in version control
- Only `.env.example` and `.env.template` files are analyzed for documentation quality
- Use the `--include-env-files` flag only if explicitly requested by the user

The scanner will:

1. Scan source code for hardcoded secrets
2. Analyze `.env.example` templates to check:
   - Which sensitive variables are documented
   - Whether variables have descriptions (comments)
   - Whether placeholder values look like real secrets
   - Suggestions for missing common variables (SECRET_KEY, DATABASE_URL, etc.)
### Step 5: Pattern Analysis

For each file in the codebase, check against patterns in:

- `references/python-vulnerabilities.md` - Core Python issues
- `references/injection-patterns.md` - Injection flaws
- `references/deserialization.md` - Insecure deserialization
- `references/flask-security.md` - Flask vulnerabilities
- `references/django-security.md` - Django vulnerabilities
- `references/fastapi-security.md` - FastAPI vulnerabilities

### Step 6: Report Generation

Generate a security report using:

- `assets/report-template.md` - Report structure

## Severity Classification

| Severity | Description | Action Required |
|----------|-------------|-----------------|
| CRITICAL | Exploitable vulnerability with severe impact | Immediate fix required |
| HIGH | Significant security risk | Fix before deployment |
| MEDIUM | Potential security issue | Fix in next release |
| LOW | Minor security concern | Consider fixing |
| INFO | Security best practice suggestion | Optional improvement |

## Key Files to Scan

### Always Check

- `**/*.py` - All Python source files
- `requirements.txt`, `Pipfile`, `pyproject.toml` - Dependencies
- `setup.py`, `setup.cfg` - Package configuration
- `config.py`, `settings.py` - Configuration files
- `**/secrets*`, `**/credentials*` - Obvious secret locations

### Environment Files

- `.env.example`, `.env.template` - **SCAN** for template analysis
- `.env`, `.env.local`, `.env.production` - **SKIP** by default (contain real secrets)

**Note:** Real `.env` files should never be committed to version control. The scanner analyzes `.env.example` templates to ensure proper documentation of required variables.

### High Priority Locations

- `app.py`, `main.py`, `wsgi.py` - Entry points
- `**/views.py`, `**/routes.py` - Request handlers
- `**/api/**/*.py` - API endpoints
- `**/auth*`, `**/login*` - Authentication code
- `**/models.py` - Database models
- `**/serializers.py` - Data serialization
- `**/middleware.py` - Middleware code

### Framework-Specific

**Flask:**

- `app.py`, `__init__.py` - Application factory
- `**/blueprints/**` - Blueprint routes
- `templates/**` - Jinja2 templates

**Django:**

- `settings.py`, `**/settings/*.py` - Django settings
- `urls.py` - URL configuration
- `**/views.py` - View functions/classes
- `**/forms.py` - Form definitions
- `templates/**` - Django templates

**FastAPI:**

- `main.py` - Application entry
- `**/routers/**` - API routers
- `**/dependencies.py` - Dependency injection
- `**/schemas.py` - Pydantic models

## Output Format

Findings should be reported as:

```
[SEVERITY] Category: Description
File: path/to/file.py:lineNumber
Code: <relevant code snippet>
Risk: <explanation of the security risk>
Fix: <recommended remediation>
```

## Integration with CI/CD

This skill can generate output compatible with:

- GitHub Security Advisories
- SARIF format for GitHub Code Scanning
- JSON for custom integrations
- JUnit XML for CI pipelines

## References

Load additional context as needed:

- `references/owasp-top-10.md` - OWASP Top 10:2025 quick reference
- `references/python-vulnerabilities.md` - Python-specific vulnerabilities
- `references/injection-patterns.md` - Injection vulnerability patterns
- `references/deserialization.md` - Insecure deserialization patterns
- `references/flask-security.md` - Flask security guide
- `references/django-security.md` - Django security guide
- `references/fastapi-security.md` - FastAPI security guide
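The environment-file rules from Step 4 and the Environment Files list above, as an added Python example that is not part of the skill's own `secret-scanner.py`: a filter that skips real `.env` files unless `--include-env-files` was requested, and a `.env.example` analyser that reports documented, undescribed and suspicious-looking sensitive variables plus missing common ones. The sensitive-name regex, the placeholder markers and the 20-character threshold are assumptions, and the sample template is constructed.

```python
import re
from pathlib import PurePath

# Templates are analysed; any other .env* name is treated as a real env file (assumption from the skill's own list)
TEMPLATE_NAMES = {".env.example", ".env.template"}
COMMON_VARS = {"SECRET_KEY", "DATABASE_URL"}  # variables the skill expects a template to document
SENSITIVE = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE|DATABASE_URL", re.I)
PLACEHOLDER = re.compile(r"your[-_ ]|changeme|example|xxx+|<[^>]*>|\.\.\.", re.I)

def should_scan_env_file(path: str, include_env_files: bool = False) -> bool:
    """Templates are always scanned; real .env files only when --include-env-files was requested."""
    name = PurePath(path).name
    if name in TEMPLATE_NAMES:
        return True
    return name.startswith(".env") and include_env_files

def analyze_env_template(text: str) -> dict:
    """Report which sensitive variables a .env.example documents, and how well."""
    seen, undescribed, suspicious = set(), [], []
    has_comment = False  # did a comment line directly precede the current assignment?
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            has_comment = True
            continue
        if "=" not in line:  # blank or malformed line ends any comment block
            has_comment = False
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("'\"")
        seen.add(key)
        if SENSITIVE.search(key):
            if not has_comment:
                undescribed.append(key)
            # a long value with no placeholder marker looks like a real secret pasted into the template
            if len(value) >= 20 and not PLACEHOLDER.search(value):
                suspicious.append(key)
        has_comment = False
    return {"documented": sorted(k for k in seen if SENSITIVE.search(k)),
            "undescribed": undescribed, "suspicious": suspicious,
            "missing": sorted(COMMON_VARS - seen)}

# Constructed sample: SECRET_KEY is described with a placeholder; API_TOKEN is undescribed and looks real; DATABASE_URL is absent
SAMPLE_TEMPLATE = """\
# Signing key for sessions; generate a fresh random value per environment
SECRET_KEY=your-secret-key-here
API_TOKEN=3f9a1c7e2b8d4f6a9c0e1b2d3f4a5c6e
DEBUG=false
"""
```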
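An added example, not the skill's own `secret-scanner.py` or any script it ships, that implements the Quick Scan's dangerous-function and `subprocess`/`os.system` checks with Python's `ast` module and renders each hit in the Output Format above. The callee list, the severities and the fix text are assumptions drawn from the checklist and the severity table; the sample handler is constructed.

```python
import ast

DANGEROUS_CALLS = {  # callee -> (severity, category, risk, fix); severities follow the table above
    "eval": ("CRITICAL", "Code Injection", "evaluates attacker-controlled expressions", "use ast.literal_eval or a real parser"),
    "pickle.loads": ("HIGH", "Insecure Deserialization", "unpickling untrusted bytes runs code", "use JSON or authenticate the payload"),
    "os.system": ("HIGH", "Command Injection", "the command string goes through a shell", "use subprocess with an argument list, shell=False"),
}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output"}

def _callee(node: ast.Call) -> str:
    """Dotted name of the called function ('pickle.loads', 'eval'); '' for anything else."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts, f = parts + [f.attr], f.value
    return ".".join(reversed(parts + [f.id])) if isinstance(f, ast.Name) else ""

def quick_scan(source: str, filename: str) -> list[dict]:
    """Return findings for checklist calls and shell=True subprocess calls, sorted by line."""
    lines, findings = source.splitlines(), []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node)
        if name in DANGEROUS_CALLS:
            sev, cat, risk, fix = DANGEROUS_CALLS[name]
            desc = f"use of {name}()"
        elif name in SUBPROCESS_CALLS and any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                                              and k.value.value is True for k in node.keywords):
            sev, cat, desc = "HIGH", "Command Injection", f"{name}(..., shell=True)"
            risk, fix = "shell metacharacters in the arguments run extra commands", DANGEROUS_CALLS["os.system"][3]
        else:
            continue  # list-form subprocess calls without shell=True are not flagged
        findings.append({"severity": sev, "category": cat, "description": desc, "file": filename,
                         "line": node.lineno, "code": lines[node.lineno - 1].strip(), "risk": risk, "fix": fix})
    return sorted(findings, key=lambda f: f["line"])

def render(f: dict) -> str:
    """Format one finding in the SKILL.md Output Format block."""
    return (f"[{f['severity']}] {f['category']}: {f['description']}\nFile: {f['file']}:{f['line']}\n"
            f"Code: {f['code']}\nRisk: {f['risk']}\nFix: {f['fix']}")

# Constructed sample handler (not from the page) that trips all three checks
SAMPLE = """import os, pickle, subprocess
def handler(request):
    data = pickle.loads(request.body)
    os.system("convert " + request.args["file"])
    return subprocess.run("grep " + data, shell=True)
"""
```

A name-based match cannot tell a user-defined `eval` from the builtin, so hits still need the manual review Step 5 describes.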
Related Skills
python-workflow
Python project workflow guidelines. Triggers: .py, pyproject.toml, uv, pip, pytest, Python. Covers package management, virtual environments, code style, type safety, testing, configuration, CQRS patterns, and Python-specific development tasks.
python-workflow-development
Develop Python scripts and modules for building AI workflows and integrations. Use when coding data ingestion, transformation, analysis, and automation pipelines in pilot projects requiring Python automation.
python-typing
Migrate Python codebases to strict type checking with pyright. Use when user wants to add types, fix type errors, set up strict mode, or run a typing migration. Provides setup automation, fix patterns, discipline enforcement, and optional iteration loop support.
python-testing
Use when implementing new Python code (follow TDD), designing test suites, reviewing test coverage, setting up pytest infrastructure, writing fixtures, mocking dependencies, or performing parametrized testing.
python-testing-patterns
Implement comprehensive testing strategies with pytest, fixtures, mocking, and test-driven development. Use when writing Python tests, setting up test suites, or implementing testing best practices.
python-specialist
Deliver production-quality Python solutions with framework-aware patterns and tests.
python-setup-dev-environment
Set up and run a reproducible Python dev environment with uv, ruff, mypy, and VSCode.
python-project
Scaffold and harden Python projects using vpngw-aligned defaults (pyproject/setuptools-scm, src layout, Ruff, pytest, Typer, Pydantic) plus best practices for CLI tools, systemd services, APIs/UI apps, IaC/automation, security/networking, and AI/ML workflows.
python-programmer
Python programmer specialising in functional programming, clean code, documentation, and code quality using ruff and uv.
python-pro
Master Python 3.12+ with modern features, async programming,
python
Python coding conventions and guidelines. Triggers on: **/*.py
python-performance-optimization
Profile and optimize Python code using cProfile, memory profilers, and performance best practices. Use when debugging slow Python code, optimizing bottlenecks, or improving application performance.