# Python Security Scan Skill

This skill enables comprehensive security scanning of Python projects based on OWASP guidelines, Python security best practices, and framework-specific vulnerabilities.

## When to Use This Skill

- Security audits of Python applications
- Code review for security vulnerabilities
- Pre-deployment security checks
- Dependency vulnerability assessment
- Detecting hardcoded secrets and credentials
- Framework-specific security reviews (Flask, Django, FastAPI)

## Supported Frameworks

This skill automatically detects and applies framework-specific checks for:

- **Flask** - Template injection, session security, CORS, extensions
- **Django** - ORM injection, CSRF, template security, settings
- **FastAPI** - Dependency injection, Pydantic validation, OAuth2
- **General Python** - Core language vulnerabilities applicable to all projects

## Scan Types

### 1. Quick Scan

Fast scan focusing on critical vulnerabilities:

- Hardcoded secrets, API keys, and credentials
- Dangerous function usage (`eval`, `exec`, `pickle.loads`)
- Command injection via `subprocess`, `os.system`
- SQL injection patterns
- Known vulnerable dependencies

### 2. Full Scan

Comprehensive security assessment covering:

- All OWASP Top 10:2025 categories
- Python-specific vulnerabilities
- Framework-specific security issues
- Injection vulnerabilities (SQL, NoSQL, Command, LDAP)
- Insecure deserialization
- Authentication and authorization flaws
- Cryptographic failures
- Security misconfigurations
- Dependency audit (CVE check)
- Environment variable and secrets exposure

### 3. Targeted Scan

Focus on specific vulnerability categories:

- `--injection` - SQL/NoSQL/Command/LDAP injection
- `--deserialization` - Pickle, YAML, JSON deserialization
- `--auth` - Authentication/authorization issues
- `--secrets` - Hardcoded credentials
- `--deps` - Dependency vulnerabilities
- `--crypto` - Cryptographic issues
- `--flask` - Flask-specific vulnerabilities
- `--django` - Django-specific vulnerabilities
- `--fastapi` - FastAPI-specific vulnerabilities

## Scan Procedure

### Step 1: Project Discovery

Identify the project type and framework:

- Check for `requirements.txt`, `Pipfile`, `pyproject.toml`, `setup.py`
- Detect Flask (`from flask import`), Django (`django.conf`), FastAPI (`from fastapi import`)
- Locate configuration files
- Map the codebase structure

### Step 2: Framework Detection
Detection patterns:

- Flask: `from flask import`, `Flask(__name__)`
- Django: `django.conf.settings`, `INSTALLED_APPS`, `manage.py`
- FastAPI: `from fastapi import`, `FastAPI()`

### Step 3: Dependency Audit

Run the dependency audit script:

```bash
./scripts/dependency-audit.sh /path/to/project
```

Or manually:

```bash
pip-audit
# or
safety check
```

Note: without `-r requirements.txt`, `pip-audit` audits whatever is installed in the current Python environment, not the project's pinned dependencies. `safety check` is the legacy command; Safety 3.x replaces it with `safety scan`.
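The following is an added example of Steps 1 and 2 in working code; it is not the skill's own script. It applies the detection patterns above line by line, records dependency files and entry points, and skips virtualenv and vendored trees, because `site-packages` contains every framework's own source and would otherwise make a plain Flask project look like it also uses Django. The `SKIP_DIRS` list and the in-memory `SAMPLE_TREE` are assumptions made for the example.

```python
import re
from pathlib import Path

# Added example for Steps 1 and 2; not the skill's own scripts. Fingerprints are the
# detection patterns listed in Step 2, checked per line of each .py file.
FRAMEWORK_PATTERNS = {
    "flask": [re.compile(r"^\s*from\s+flask\s+import\b"),
              re.compile(r"\bFlask\(__name__\)")],
    "django": [re.compile(r"\bdjango\.conf\b"),
               re.compile(r"^\s*INSTALLED_APPS\s*=")],
    "fastapi": [re.compile(r"^\s*from\s+fastapi\s+import\b"),
                re.compile(r"\bFastAPI\(")],
}
DEPENDENCY_FILES = ("requirements.txt", "Pipfile", "pyproject.toml", "setup.py")
ENTRY_POINTS = ("app.py", "main.py", "wsgi.py")
# Assumed skip list: vendored/virtualenv trees ship every framework's own source and
# would produce false framework detections.
SKIP_DIRS = {".git", ".venv", "venv", "site-packages", "node_modules", "__pycache__"}


def is_vendored(relpath):
    return any(part in SKIP_DIRS for part in relpath.split("/"))


def load_tree(root):
    """Read the files discovery needs into {relative_posix_path: text}."""
    root = Path(root)
    tree = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or is_vendored(rel):
            continue
        if path.suffix == ".py" or path.name in DEPENDENCY_FILES:
            tree[rel] = path.read_text(encoding="utf-8", errors="replace")
    return tree


def discover_project(tree):
    """Return dependency files, entry points and per-framework evidence (file:line)."""
    result = {"dependency_files": [], "entry_points": [], "frameworks": {}}
    for rel, text in sorted(tree.items()):
        if is_vendored(rel):
            continue
        name = rel.rsplit("/", 1)[-1]
        if name in DEPENDENCY_FILES:
            result["dependency_files"].append(rel)
        if name == "manage.py":                       # file-name signal for Django
            result["frameworks"].setdefault("django", []).append(rel)
        if not rel.endswith(".py"):
            continue
        if name in ENTRY_POINTS:
            result["entry_points"].append(rel)
        for lineno, line in enumerate(text.splitlines(), 1):
            for framework, patterns in FRAMEWORK_PATTERNS.items():
                if any(p.search(line) for p in patterns):
                    result["frameworks"].setdefault(framework, []).append(f"{rel}:{lineno}")
    return result


# Constructed sample project, kept in memory so the example runs offline.
SAMPLE_TREE = {
    "requirements.txt": "flask==3.0.0\nfastapi\n",
    "app.py": "from flask import Flask, request\napp = Flask(__name__)\n",
    "api/main.py": "from fastapi import FastAPI\napp = FastAPI()\n",
    ".venv/lib/python3.12/site-packages/django/conf/__init__.py": "INSTALLED_APPS = []\n",
}

if __name__ == "__main__":
    import json
    import sys
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    print(json.dumps(discover_project(tree), indent=2))
```

Run it with a project path to scan a real checkout, or with no arguments to see the sample output. The evidence list (`file:line` per match) is what a reviewer needs to confirm a detection rather than trust it.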
### Step 4: Secret Scanning

Scan for hardcoded secrets:

```bash
python scripts/secret-scanner.py /path/to/project
```
**Important: Environment File Handling**

- By default, real `.env` files are **SKIPPED** (`.env`, `.env.local`, `.env.production`, etc.)
- These files contain actual secrets and should not be in version control
- Only `.env.example` and `.env.template` files are analyzed for documentation quality
- Use the `--include-env-files` flag only if explicitly requested by the user
The scanner will:

- Scan source code for hardcoded secrets
- Analyze `.env.example` templates to check:
  - Which sensitive variables are documented
  - Whether variables have descriptions (comments)
  - Whether placeholder values look like real secrets
- Suggest missing common variables (`SECRET_KEY`, `DATABASE_URL`, etc.)
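The following is an added example of the Step 4 behaviour, written for this page; it is not `scripts/secret-scanner.py`. It shows the three decisions the step describes: which files are scanned, skipped, or treated as templates (real `.env` files only on explicit request); how a source line is flagged; and how a `.env.example` is judged for documentation quality, including whether a "placeholder" is actually a live-looking value. The token formats, the entropy threshold, the placeholder heuristics and the `COMMON_VARS` list are assumptions, and both sample inputs are constructed.

```python
import math
import re
from collections import Counter
from pathlib import PurePosixPath

# Added example for Step 4; not the skill's scripts/secret-scanner.py. Token formats,
# placeholder heuristics, the entropy threshold and COMMON_VARS are assumptions.
TEMPLATE_ENV_NAMES = {".env.example", ".env.template"}
REAL_ENV_RE = re.compile(r"^\.env(\..+)?$")        # .env, .env.local, .env.production, ...
SOURCE_SUFFIXES = {".py", ".cfg", ".ini", ".toml", ".yaml", ".yml", ".json", ".txt", ".md"}
TOKEN_PATTERNS = [                                   # formats recognisable without a variable name
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]
# credential-looking name = "literal of 8+ chars" (also YAML-style name: "literal")
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b\w*(secret|password|passwd|token|api_key|apikey)\w*\s*[=:]\s*(['"])([^'"]{8,})\2""")
PLACEHOLDER_RE = re.compile(
    r"(?i)^(change[-_ ]?me|your[-_ ].*|<.*>|\$\{.*\}|x{3,}|\.{3}|example.*|placeholder|todo)$")
COMMON_VARS = ("SECRET_KEY", "DATABASE_URL", "DEBUG")
ENTROPY_THRESHOLD, MIN_SECRET_LEN = 4.0, 20


def classify_path(path, include_env_files=False):
    """'template': analyse documentation; 'source': scan for secrets; 'skip': ignore."""
    name = PurePosixPath(path).name
    if name in TEMPLATE_ENV_NAMES:
        return "template"
    if REAL_ENV_RE.match(name):                      # real secrets: scan only on explicit request
        return "source" if include_env_files else "skip"
    return "source" if PurePosixPath(path).suffix in SOURCE_SUFFIXES else "skip"


def shannon_entropy(value):
    counts, n = Counter(value), len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_real_secret(value):
    """A template placeholder should be obviously fake; flag values that are not."""
    if not value or PLACEHOLDER_RE.match(value):
        return False
    if any(rx.search(value) for _, rx in TOKEN_PATTERNS):
        return True
    return len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD


def scan_source(path, text):
    """Hardcoded secrets in source text: at most one finding per line, token formats first."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in TOKEN_PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"file": path, "line": lineno, "kind": kind, "match": m.group(0)})
                break
        else:
            m = ASSIGNMENT_RE.search(line)
            if m and not PLACEHOLDER_RE.match(m.group(3)):
                findings.append({"file": path, "line": lineno,
                                 "kind": "Hardcoded credential assignment", "match": m.group(3)})
    return findings


def analyze_template(text):
    """Documentation quality of a .env.example: comments, real-looking values, missing vars."""
    documented, undocumented, suspicious, seen = [], [], [], set()
    previous = ""                                    # previous non-blank line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            name, value = name.strip(), value.strip().strip("'\"")
            seen.add(name)
            (documented if previous.startswith("#") else undocumented).append(name)
            if looks_like_real_secret(value):
                suspicious.append(name)
        previous = line
    return {"documented": documented, "undocumented": undocumented,
            "suspicious_placeholders": suspicious,
            "missing": [v for v in COMMON_VARS if v not in seen]}


# Constructed samples. The AKIA value is the AWS documentation example key.
SAMPLE_SOURCE = '''\
import os
SECRET_KEY = os.environ.get("SECRET_KEY")     # read from the environment: fine
API_KEY = "AKIAIOSFODNN7EXAMPLE"              # AWS-style key literal
db_password = "changeme"                      # placeholder, not reported
token = "hunter2hunter2hunter2"               # hardcoded credential
'''
SAMPLE_TEMPLATE = '''\
# Signing key; generate a fresh value per deployment
SECRET_KEY=changeme
DATABASE_URL=postgres://app:app@localhost/app
# Payment provider API key
PAYMENT_API_KEY=sk_live_9fXq2Lm8Vt3Rz7Kp4Bw6Nc1Yh5Dj0Sa
'''

if __name__ == "__main__":
    for finding in scan_source("sample.py", SAMPLE_SOURCE):
        print(finding)
    print(analyze_template(SAMPLE_TEMPLATE))
```

`DATABASE_URL` in the sample is reported as undocumented (no comment above it) but not as suspicious, while `PAYMENT_API_KEY` is documented yet carries a high-entropy value that looks real; a reviewer should treat that second case as a possible leaked credential, not a documentation nit.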
### Step 5: Pattern Analysis

For each file in the codebase, check against the patterns in:

- `references/python-vulnerabilities.md` - Core Python issues
- `references/injection-patterns.md` - Injection flaws
- `references/deserialization.md` - Insecure deserialization
- `references/flask-security.md` - Flask vulnerabilities
- `references/django-security.md` - Django vulnerabilities
- `references/fastapi-security.md` - FastAPI vulnerabilities
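The following is an added example of how Step 5 can be applied to the Quick Scan items (dangerous functions, command injection, SQL injection patterns); it is not the skill's reference patterns. It uses Python's own parser instead of regexes and resolves import aliases first, so `import subprocess as sp; sp.run(..., shell=True)` and `from pickle import loads` are still caught. Findings are rendered in the `[SEVERITY] Category: Description` / `File:` / `Code:` layout documented under Output Format. The severities are assumptions: static analysis cannot prove that an argument is attacker-controlled, so findings start at HIGH and should be promoted to CRITICAL only after a reviewer confirms the data flow. The call table and the sample source are constructed for the example.

```python
import ast
from dataclasses import dataclass

# Added example for Step 5; not the skill's reference patterns. Severities are
# assumptions (HIGH until a reviewer confirms the input is attacker-controlled).

@dataclass
class Finding:
    severity: str
    category: str
    description: str
    file: str
    line: int
    code: str

    def render(self):
        return (f"[{self.severity}] {self.category}: {self.description}\n"
                f"File: {self.file}:{self.line}\nCode: {self.code}")


DANGEROUS_CALLS = {   # fully qualified name -> (severity, category, description)
    "eval": ("HIGH", "Dangerous Function", "eval() evaluates arbitrary Python"),
    "exec": ("HIGH", "Dangerous Function", "exec() runs arbitrary Python"),
    "pickle.loads": ("HIGH", "Insecure Deserialization", "pickle.loads() runs code embedded in the data"),
    "pickle.load": ("HIGH", "Insecure Deserialization", "pickle.load() runs code embedded in the data"),
    "os.system": ("HIGH", "Command Injection", "os.system() hands the string to a shell"),
}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call", "subprocess.check_call",
                    "subprocess.check_output", "subprocess.Popen"}


def _is_dynamic_string(node):
    # f-string, % or + with a non-literal operand, or "...".format(...)
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"


class DangerousCallVisitor(ast.NodeVisitor):
    def __init__(self, filename, source):
        self.filename, self.source = filename, source
        self.aliases = {}          # local name -> fully qualified name
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            local = alias.asname or alias.name.split(".")[0]
            self.aliases[local] = alias.name if alias.asname else local

    def visit_ImportFrom(self, node):
        if node.module:            # relative imports (module is None) stay unresolved
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def qualified_name(self, func):
        if isinstance(func, ast.Name):
            return self.aliases.get(func.id, func.id)
        if isinstance(func, ast.Attribute):
            base = self.qualified_name(func.value)
            return f"{base}.{func.attr}" if base else None
        return None

    def report(self, node, severity, category, description):
        code = ast.get_source_segment(self.source, node) or ""
        self.findings.append(Finding(severity, category, description, self.filename,
                                     node.lineno, code.splitlines()[0] if code else ""))

    def visit_Call(self, node):
        name = self.qualified_name(node.func)
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        shell = kw.get("shell")
        if name in DANGEROUS_CALLS:
            self.report(node, *DANGEROUS_CALLS[name])
        elif name in SUBPROCESS_CALLS and isinstance(shell, ast.Constant) and shell.value is True:
            self.report(node, "HIGH", "Command Injection", f"{name}(shell=True) runs the command via a shell")
        elif name == "yaml.load" and "Safe" not in (self.qualified_name(kw.get("Loader")) or ""):
            self.report(node, "HIGH", "Insecure Deserialization", "yaml.load() without a SafeLoader")
        elif name and name.rsplit(".", 1)[-1] in ("execute", "executemany") \
                and node.args and _is_dynamic_string(node.args[0]):
            self.report(node, "HIGH", "SQL Injection", "query built by string formatting; use parameters")
        self.generic_visit(node)


def scan_dangerous_calls(filename, source):
    visitor = DangerousCallVisitor(filename, source)
    visitor.visit(ast.parse(source, filename=filename))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample: four findings (lines 6, 7, 9, 11) and two safe counterparts.
SAMPLE_SOURCE = '''\
import pickle
import subprocess as sp
from flask import request

def handler(blob, cmd, cursor, name):
    data = pickle.loads(blob)                                        # deserialises untrusted bytes
    sp.run(cmd, shell=True)                                          # string command via a shell
    sp.run(["ls", "-l"], check=True)                                 # argv list, no shell: fine
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")     # formatted query
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))   # parameterised: fine
    return eval(request.args["expr"]), data                          # request data into eval
'''

if __name__ == "__main__":
    for finding in scan_dangerous_calls("sample.py", SAMPLE_SOURCE):
        print(finding.render(), "\n")
```

The two "fine" lines in the sample are the check a practitioner wants: a scanner that cannot tell `sp.run(["ls", "-l"])` from `sp.run(cmd, shell=True)`, or a parameterised `execute` from an f-string one, buries real findings in noise.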
### Step 6: Report Generation

Generate a security report using:

- `assets/report-template.md` - Report structure
## Severity Classification

| Severity | Description | Action Required |
|----------|-------------|-----------------|
| CRITICAL | Exploitable vulnerability with severe impact | Immediate fix required |
| HIGH | Significant security risk | Fix before deployment |
| MEDIUM | Potential security issue | Fix in next release |
| LOW | Minor security concern | Consider fixing |
| INFO | Security best practice suggestion | Optional improvement |
## Key Files to Scan

### Always Check

- `**/*.py` - All Python source files
- `requirements.txt`, `Pipfile`, `pyproject.toml` - Dependencies
- `setup.py`, `setup.cfg` - Package configuration
- `config.py`, `settings.py` - Configuration files
- `**/secrets`, `**/credentials` - Obvious secret locations
### Environment Files

- `.env.example`, `.env.template` - **SCAN** for template analysis
- `.env`, `.env.local`, `.env.production` - **SKIP** by default (contain real secrets)

**Note:** Real `.env` files should never be committed to version control. The scanner analyzes `.env.example` templates to ensure proper documentation of required variables.
### High Priority Locations

- `app.py`, `main.py`, `wsgi.py` - Entry points
- `**/views.py`, `**/routes.py` - Request handlers
- `**/api/**/*.py` - API endpoints
- `**/auth/`, `**/login*` - Authentication code
- `**/models.py` - Database models
- `**/serializers.py` - Data serialization
- `**/middleware.py` - Middleware code
### Framework-Specific

**Flask:**

- `app.py`, `__init__.py` - Application factory
- `**/blueprints/` - Blueprint routes
- `templates/` - Jinja2 templates

**Django:**

- `settings.py`, `**/settings/*.py` - Django settings
- `urls.py` - URL configuration
- `**/views.py` - View functions/classes
- `**/forms.py` - Form definitions
- `templates/` - Django templates

**FastAPI:**

- `main.py` - Application entry
- `**/routers/` - API routers
- `**/dependencies.py` - Dependency injection
- `**/schemas.py` - Pydantic models
## Output Format

Findings should be reported as:

```
[SEVERITY] Category: Description
File: path/to/file.py:lineNumber
Code:
```