Comprehensive Python ecosystem analyzer plugin for AttackMap (Django, Starlette, AIOHTTP, Sanic, Litestar, DRF; SQLAlchemy/asyncpg/motor; passlib/PyJWT/authlib; httpx/aiohttp).
attackmap-analyzer-python
Comprehensive Python ecosystem analyzer for AttackMap.
This plugin is additive over AttackMap's built-in python-web analyzer. The built-in handles FastAPI / Flask routes via the core scanner; this plugin adds everything else.
- Web frameworks
  - Django routing (`path("users/", ...)`, `re_path(r"^api/...$", ...)`, legacy `url(...)`), gated by `urlpatterns =` in the file
  - Django REST Framework routers (`router.register(r'users', UserViewSet)`) and `@api_view(['GET', 'POST'])` decorators
  - Starlette `Route("/x", endpoint=h, methods=["GET", "POST"])` and `WebSocketRoute("/ws/...")`
  - AIOHTTP `app.router.add_get/post/...` and `web.get/post/...` helpers (gated by aiohttp import)
  - Sanic `@app.get("/x")`, `@app.post("/x")` (gated by sanic import)
  - Litestar (and legacy Starlite) top-level `@get("/x")` / `@post(...)` decorators (gated by litestar/starlite import)
  - Flask `app.add_url_rule("/x", view_func=...)` (additive; the built-in covers `@app.route`)
- Databases
  - SQLAlchemy `create_engine("postgresql://...")` with dialect-aware kind inference (postgresql / mysql / mariadb / sqlite / oracle / sqlserver)
  - asyncpg / psycopg2-3 / pymysql / motor.motor_asyncio / pymongo / redis.asyncio / aioredis / sqlmodel / tortoise
  - boto3 resources/clients for `dynamodb` and `s3`
  - Django `DATABASES` dict in `settings.py`; the `ENGINE` value is parsed for the kind
- Auth packages
  - passlib `CryptContext`, `passlib.hash.argon2/bcrypt/scrypt`
  - bcrypt standalone (`bcrypt.hashpw`, `bcrypt.checkpw`)
  - argon2-cffi (`from argon2 import PasswordHasher`)
  - PyJWT / python-jose (`jwt.encode`, `jwt.decode`, `jose.jwt`)
  - authlib (`OAuth(...)`, `OAuth2Session(...)`)
  - fastapi-users (`BearerTransport`, `JWTStrategy`)
  - flask-jwt-extended (`@jwt_required`, `create_access_token`)
  - django.contrib.auth (`authenticate`, `make_password`)
  - casbin (`Enforcer`)
- HTTP clients (external calls): httpx sync + async, `aiohttp.ClientSession`, `urllib.request.urlopen`
- Secrets
  - `os.environ.get("X")` and `os.environ["X"]` with secret-shaped names (the built-in only covers `os.getenv`)
  - pydantic-settings `BaseSettings` field-name extraction (`jwt_secret: str = ...`)
  - `dotenv_values(...)` accessors with secret-shaped keys
- Service hints: `[project] name` from `pyproject.toml`, `[tool.poetry] name`, `name="..."` from `setup.py`, `[metadata] name` from `setup.cfg`, presence of `manage.py` → `framework:django`, Django `INSTALLED_APPS` third-party / local apps
All emissions populate AttackMap's Signal v2 fields (line numbers, evidence snippets, confidence) so downstream insights can cite path/to/module.py:NN.
Install
```shell
pip install git+https://github.com/mlaify/attackmap-analyzer-python.git
```
The analyzer is auto-discovered by AttackMap via the `attackmap.analyzers` entry-point group.
Usage with AttackMap
```shell
# Auto-discovered when installed:
attackmap analyze /path/to/python/repo
# Or invoke explicitly:
attackmap analyze /path/to/python/repo --module python
```
Detection
`detect()` returns true when any of the following are present, ignoring `.venv/`, `venv/`, `env/`, `.tox/`, `__pycache__/`, `.pytest_cache/`, `dist/`, `build/`, `node_modules/`, `.git/`, `.mypy_cache/`, `.ruff_cache/`, and `site-packages/`:
- A `pyproject.toml`, `setup.py`, `setup.cfg`, `manage.py`, or `Pipfile` at the root
- Any `.py` file in the tree
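The detection rule above, written out as a stand-in implementation for this page (it is not the plugin's own `detect()`; the ignore list and root markers are the ones listed in the README, and the three sample repositories are constructed in a temporary directory):

```python
"""Added example (not the plugin's code): a detect() in the shape the README
describes, with the same ignored directories and root marker files."""
import os
import tempfile
from pathlib import Path

# Directory names the README says are skipped while walking the tree.
IGNORED_DIRS = {
    ".venv", "venv", "env", ".tox", "__pycache__", ".pytest_cache", "dist",
    "build", "node_modules", ".git", ".mypy_cache", ".ruff_cache", "site-packages",
}
# Root-level marker files that identify a Python project on their own.
ROOT_MARKERS = ("pyproject.toml", "setup.py", "setup.cfg", "manage.py", "Pipfile")


def detect(root) -> bool:
    """True if a marker file sits at the root or any .py file exists in the tree."""
    root = Path(root)
    if any((root / marker).is_file() for marker in ROOT_MARKERS):
        return True
    for _dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into ignored directories;
        # a vendored .venv full of .py files must not make the repo "Python".
        dirnames[:] = [d for d in dirnames if d not in IGNORED_DIRS]
        if any(name.endswith(".py") for name in filenames):
            return True
    return False


def _demo_tree(layout):
    """Materialise {relative_path: contents} in a fresh temp dir (constructed input)."""
    tmp = Path(tempfile.mkdtemp())
    for rel, text in layout.items():
        target = tmp / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return tmp


def run_demo():
    """Three constructed repos; returns {name: detect() result}."""
    cases = {
        "marker_only": {"manage.py": "#!/usr/bin/env python\n"},
        "nested_py": {"src/app/views.py": "def index(): ...\n", "README.md": "x\n"},
        "only_vendored": {
            ".venv/lib/site-packages/six.py": "# vendored, must be ignored\n",
            "node_modules/pkg/index.js": "x\n",
        },
    }
    return {name: detect(_demo_tree(layout)) for name, layout in cases.items()}


if __name__ == "__main__":
    for name, hit in run_demo().items():
        print(f"{name}: {'python project' if hit else 'no python'}")
```

The in-place pruning of `dirnames` is the part that matters: without it, `os.walk` would still descend into `.venv/` and the vendored `site-packages` would be mistaken for the project's own code.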
Coverage notes
- Framework-gated extraction: route extractors for AIOHTTP, Sanic, Litestar, and Starlette only fire when the file imports the corresponding framework. This prevents mis-attributing generic `@get(...)` / `web.get(...)` / `app.get(...)` calls to a framework when they are really custom decorators or method calls.
- Django routing requires `urlpatterns =` to be in the file. A bare `path("/x", ...)` in any other context does not fire: `pathlib.Path("/x")` is therefore well-behaved, but a project that also calls `from django.urls import path; path("/x", view)` outside a `urls.py` won't fire either, by design.
- Django settings extraction: gated by the presence of one of `INSTALLED_APPS`, `DATABASES`, `MIDDLEWARE`, or `ROOT_URLCONF`. Built-in Django apps (`django.*`) are filtered out of the `INSTALLED_APPS` service hints to keep signal high.
- DRF `@api_view(['GET', 'POST'])`: emits framework hints (`drf_api_view:GET`, `drf_api_view:POST`) rather than routes, because the actual path lives in `urls.py`, which is extracted separately.
- Tornado is not yet covered: its class-based `RequestHandler` routing requires per-class method extraction (`def get(self): ...`, `def post(self): ...`).
- pydantic-settings field extraction matches any class field whose name contains `secret`, `token`, `key`, `password`, `pass`, or `pwd`. False positives are possible (e.g., a non-secret `signing_key` config). Confidence is the standard 0.85.
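To make the two gates and the secret-shaped-name heuristic concrete, here is an `ast`-based sketch written for this page. It is not the plugin's code: the function names, the result tuple shapes and every sample source are assumptions, and it covers only Sanic/Litestar decorators, Django `path()`/`re_path()`/`url()` and pydantic-settings-style class fields. The samples include the negative cases the notes call out (a custom `@get` with no framework import; a `signing_key` that is flagged although it may not be a secret):

```python
# Added example (not the plugin's own code): ast-based sketch of the gates and the
# secret-shaped-name heuristic from the coverage notes. Names and samples are assumptions.
import ast
import re

HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
DJANGO_ROUTE_FUNCS = {"path", "re_path", "url"}
# README's secret-shaped substrings; "key" also hits signing_key (accepted false positive).
SECRET_SHAPE = re.compile(r"secret|token|key|password|pass|pwd", re.IGNORECASE)


def _imported_roots(tree):
    """Top-level module names imported anywhere in the file (the framework gate)."""
    roots = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            roots.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            roots.add(node.module.split(".")[0])
    return roots

def _first_str(call):
    """First positional string literal of a call (the route path), else None."""
    arg = call.args[0] if call.args else None
    return arg.value if isinstance(arg, ast.Constant) and isinstance(arg.value, str) else None

def extract_routes(source):
    """Return (framework, method, path, line) tuples for routes found in one file."""
    tree = ast.parse(source)
    imports = _imported_roots(tree)
    routes = []
    # Gate 1: decorator routes count only when the matching framework is imported,
    # so a custom @get(...) from an unrelated library is not misattributed.
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            fn = dec.func if isinstance(dec, ast.Call) else None
            if "sanic" in imports and isinstance(fn, ast.Attribute) and fn.attr in HTTP_METHODS:
                routes.append(("sanic", fn.attr.upper(), _first_str(dec), dec.lineno))
            elif imports & {"litestar", "starlite"} and isinstance(fn, ast.Name) and fn.id in HTTP_METHODS:
                routes.append(("litestar", fn.id.upper(), _first_str(dec), dec.lineno))
    # Gate 2: Django path()/re_path()/url() count only when the file assigns urlpatterns.
    has_urlpatterns = any(
        isinstance(n, ast.Assign) and any(isinstance(t, ast.Name) and t.id == "urlpatterns" for t in n.targets)
        for n in ast.walk(tree)
    )
    if has_urlpatterns:
        for node in ast.walk(tree):
            if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in DJANGO_ROUTE_FUNCS:
                routes.append(("django", "ANY", _first_str(node), node.lineno))
    return routes

def secret_fields(source):
    """(class, field, line) for annotated class fields whose names look secret-shaped."""
    return [
        (cls.name, stmt.target.id, stmt.lineno)
        for cls in ast.walk(ast.parse(source)) if isinstance(cls, ast.ClassDef)
        for stmt in cls.body
        if isinstance(stmt, ast.AnnAssign) and isinstance(stmt.target, ast.Name)
        and SECRET_SHAPE.search(stmt.target.id)
    ]


# Constructed sample sources; none of them comes from a real project.
SANIC_SRC = """\
from sanic import Sanic
app = Sanic("demo")
@app.get("/health")
async def health(request):
    return {"ok": True}
"""
CUSTOM_DECORATOR_SRC = """\
from mylib import get
@get("/not-a-route")
def handler():
    return 1
"""
DJANGO_URLS_SRC = """\
from django.urls import path, re_path
from . import views
urlpatterns = [
    path("users/", views.users),
    re_path(r"^api/v1/$", views.api),
]
"""
SETTINGS_SRC = """\
from pydantic_settings import BaseSettings
class Settings(BaseSettings):
    app_name: str = "demo"
    jwt_secret: str
    signing_key: str = "kid-1"
    db_password: str = ""
"""

if __name__ == "__main__":
    for src in (SANIC_SRC, CUSTOM_DECORATOR_SRC, DJANGO_URLS_SRC):
        print(extract_routes(src))
    print(secret_fields(SETTINGS_SRC))
```

The line numbers carried in each tuple are what a Signal v2 style finding needs to cite `module.py:NN`; the custom-decorator sample yields nothing precisely because `mylib` is not one of the gated frameworks, and `signing_key` is reported alongside `jwt_secret` and `db_password`, which is the documented false-positive trade-off.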
Coexistence with the built-in python-web analyzer
AttackMap ships with a python-web built-in that handles FastAPI / Flask via the core scanner. When this plugin is installed, both analyzers run on every Python repo. AttackMap's overlay deduplication merges their output so users see a single unified set of findings — no double-counting.
This plugin runs at priority=15 (slightly higher than the built-in's 20), so its richer output lands first.
License
MIT
File details
Details for the file attackmap_analyzer_python-0.1.0.tar.gz.
File metadata
- Download URL: attackmap_analyzer_python-0.1.0.tar.gz
- Upload date:
- Size: 18.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f9ce682893792f2b3cc39c29bbd074571e05574871c8049f189e64f3cae6276a |
| MD5 | 71567ff9be9b21741e339f73d798556f |
| BLAKE2b-256 | 9625eae68e77fc93d4ef83893de4d7c9ae238787d8e41af8a0d8f537454c0c12 |
Provenance
The following attestation bundles were made for attackmap_analyzer_python-0.1.0.tar.gz:
- Publisher: release.yml on mlaify/attackmap-analyzer-python
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: attackmap_analyzer_python-0.1.0.tar.gz
  - Subject digest: f9ce682893792f2b3cc39c29bbd074571e05574871c8049f189e64f3cae6276a
  - Sigstore transparency entry: 1954558873
  - Sigstore integration time:
- Permalink: mlaify/attackmap-analyzer-python@a8f69359ca5bbfca2f860fb9d037308debbd2be1
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/mlaify
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@a8f69359ca5bbfca2f860fb9d037308debbd2be1
- Trigger Event: push
File details
Details for the file attackmap_analyzer_python-0.1.0-py3-none-any.whl.
File metadata
- Download URL: attackmap_analyzer_python-0.1.0-py3-none-any.whl
- Upload date:
- Size: 13.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9b4988cfb2f2bdbeadcb3acf176ba2cbed42ad7b68f6ddb31d7ef001ccd81ed3 |
| MD5 | e45570165e2cbe6c9e37642fbcd80956 |
| BLAKE2b-256 | 0f32adcad9f0cf72143a8b8808c42ba2e9bd55231061bb7ae80e8f659285759c |
Provenance
The following attestation bundles were made for attackmap_analyzer_python-0.1.0-py3-none-any.whl:
- Publisher: release.yml on mlaify/attackmap-analyzer-python
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: attackmap_analyzer_python-0.1.0-py3-none-any.whl
  - Subject digest: 9b4988cfb2f2bdbeadcb3acf176ba2cbed42ad7b68f6ddb31d7ef001ccd81ed3
  - Sigstore transparency entry: 1954558952
  - Sigstore integration time:
- Permalink: mlaify/attackmap-analyzer-python@a8f69359ca5bbfca2f860fb9d037308debbd2be1
- Branch / Tag: refs/tags/v0.1.0
- Owner: https://github.com/mlaify
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@a8f69359ca5bbfca2f860fb9d037308debbd2be1
- Trigger Event: push