
A modern Python security source code analyzer (SAST) based on distrust.

Project description

Codeaudit


Python Code Audit - A modern Python source code analyzer based on distrust.

Python Code Audit is a tool to find security weaknesses in Python code. This static application security testing (SAST) tool is designed to make the routine security checks on Python code simple, fast and, ideally, enjoyable.

This tool is designed for anyone who uses or creates Python programs and wants to understand and mitigate potential security risks.

This tool is created for:

  • Python Users who want to assess the security risks in the Python code they use.
  • Python Developers: Anyone, from professionals to hobbyists, who wants to deliver secure Python code.
  • Security-Conscious Users: People seeking a simple, fast way to gain insight into potential security vulnerabilities within Python packages or files.

Creating secure software can be challenging. This tool, with its comprehensive documentation, acts as your helpful security colleague, making it easier to identify and address vulnerabilities.

Features

Python Code Audit has the following features:

  • Vulnerability Detection: Identifies security vulnerabilities in Python files, essential for package security research.

  • Complexity & Statistics: Reports security-relevant complexity using a fast, lightweight cyclomatic complexity count via Python's AST.

  • Module Usage & External Vulnerabilities: Detects used modules and reports known vulnerabilities for used external modules.

  • Inline Issue Reporting: Shows potential security issues with line numbers and code snippets.

  • External Egress Detection: Identifies embedded API keys and logic that enables communication with remote services, helping uncover hidden data exfiltration paths.

  • HTML Reports: All output is saved in simple, static HTML reports viewable in any browser.

[!NOTE] Python Code Audit uses Python's Abstract Syntax Tree (AST) to get robust and reliable results. Because checks run on parsed code constructs rather than on text patterns, using the Python AST makes contextual vulnerability detection possible and minimizes false positives.
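To make the AST point concrete, here is a small AST-based checker written for this page as an added illustration; it is not codeaudit's own code and its rule table, rule texts and the sample file are constructed for the example. It resolves import aliases so that `import subprocess as sp` and `from pickle import loads as unpickle` are still recognised, only flags `subprocess` calls when `shell=True` is literally passed, and reports line numbers with the offending source line, while ignoring the same function names inside comments and string literals where a text-pattern scanner would produce false positives.

```python
# Added example (not codeaudit's own code): a minimal AST-based check that
# illustrates why an AST beats text matching for contextual detection.
# The rule table and the sample file below are constructed for this example.
from __future__ import annotations

import ast
from dataclasses import dataclass

# Hypothetical rule table keyed by fully qualified call target.
RULES = {
    "builtins.eval": "eval() evaluates arbitrary code",
    "builtins.exec": "exec() executes arbitrary code",
    "pickle.load": "pickle deserialization can execute code",
    "pickle.loads": "pickle deserialization can execute code",
    "urllib.request.urlopen": "network egress",
    "requests.get": "network egress",
    "requests.post": "network egress",
}
# subprocess entry points that are only reported when shell=True is passed.
SHELL_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
               "subprocess.check_call", "subprocess.check_output"}
BUILTINS = {"eval", "exec"}


@dataclass
class Finding:
    line: int
    rule: str
    snippet: str


class Checker(ast.NodeVisitor):
    def __init__(self, source: str):
        self.source = source
        self.aliases: dict[str, str] = {}   # local name -> dotted module path
        self.findings: list[Finding] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.asname:                 # import urllib.request as ur
                self.aliases[alias.asname] = alias.name
            else:                            # import urllib.request binds "urllib"
                top = alias.name.split(".")[0]
                self.aliases[top] = top

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module:                      # relative imports skipped for brevity
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def qualified_name(self, func: ast.expr) -> str | None:
        """Resolve `a.b.c(...)` to a dotted name through the import aliases."""
        attrs: list[str] = []
        while isinstance(func, ast.Attribute):
            attrs.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None                      # e.g. getattr(...)() or (lambda: 0)()
        attrs.reverse()
        base = self.aliases.get(func.id)
        if base is None:
            # Bare unaliased name: only eval/exec are treated as builtins here;
            # shadowing by a local def is not tracked in this illustration.
            return f"builtins.{func.id}" if func.id in BUILTINS and not attrs else None
        return ".".join([base, *attrs])

    def visit_Call(self, node: ast.Call) -> None:
        name = self.qualified_name(node.func)
        if name in RULES:
            self.report(node, RULES[name])
        elif name in SHELL_CALLS and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self.report(node, "subprocess call with shell=True")
        self.generic_visit(node)             # keep walking: nested calls in arguments

    def report(self, node: ast.AST, rule: str) -> None:
        snippet = ast.get_source_segment(self.source, node) or ""
        first_line = (snippet.splitlines() or [""])[0]
        self.findings.append(Finding(node.lineno, rule, first_line))


def scan_source(source: str) -> list[Finding]:
    checker = Checker(source)
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample input: the comment and the string literal mention eval()
# but are not calls, so the AST walk ignores them where a regex would not.
SAMPLE = '''\
import subprocess as sp
from pickle import loads as unpickle
import urllib.request

def run_user_command(cmd, blob):
    # eval(cmd) used to live here
    label = "eval(cmd) is disabled"
    sp.run(["ls", "-l"])
    sp.run(cmd, shell=True)
    data = unpickle(blob)
    return eval(data), urllib.request.urlopen("https://example.invalid/")
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.snippet}")
```

Running the block on the constructed sample reports lines 9, 10 and 11 only; lines 6 to 8 are silent because a comment, a string and a `subprocess.run` without `shell=True` are not the constructs the rules describe.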

Installation

pip install -U codeaudit

If you would like to test this security tool without installing it, simply use the WASM version available here.

If you have installed Python Code Audit previously and want to ensure you are using the latest validations and features, simply run this command again. Python Code Audit is frequently updated with new checks.

Usage

After installation you can get an overview of all implemented commands. Just type in your terminal:

codeaudit

This will show all commands:

----------------------------------------------------
 _                    __             _             
|_) \/_|_|_  _ __    /   _  _| _    |_|    _| o _|_
|   /  |_| |(_)| |   \__(_)(_|(/_   | ||_|(_| |  |_
----------------------------------------------------

Python Code Audit - A modern Python security source code analyzer based on distrust.


Commands to evaluate Python source code:
Usage: codeaudit COMMAND <directory|package>  [report.html] 

Depending on the command, you must specify a local directory, a Python file, or a package name hosted on PyPI.org.

Reporting: The results are generated as a static HTML report for viewing in a web browser.

Commands:
  overview             Generates an overview report of code complexity and security indicators.
  filescan             Scans Python source code or PyPI packages for security weaknesses.
  modulescan           Generate a report on known vulnerabilities in Python modules and packages.
  checks               Creates an HTML report of all implemented security checks.
  version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].

Use the Python Code Audit documentation (https://codeaudit.nocomplexity.com) to audit and secure your Python programmes. Explore further essential open-source security tools at https://simplifysecurity.nocomplexity.com/

Example

By running the codeaudit filescan command, detailed security information is determined for a Python file based on the more than 80 validations implemented.

The codeaudit filescan command shows all potential security issues that are detected in the source file in an HTML report.

For each finding, the construct that can cause a security risk is shown, along with the line number and the relevant code lines where the issue is detected.

To scan a Python package on PyPI.org for possible security issues, do:

codeaudit filescan <package-name> [reportname.html]

=====================================================================
Codeaudit report file created!
Paste the line below directly into your browser bar:
	file:///home/usainbolt/tmp/codeaudit-report.html

=====================================================================

Example view of filescan report

Contributing

All contributions are welcome! Think of corrections to the documentation or code, or more and better tests.

Simple Guidelines:

  • For questions, feature requests and bug reports, please use the GitHub Issue Tracker.

Pull Requests are welcome!

When you contribute to Codeaudit, your contributions are made under the same license as the file you are working on.

[!NOTE] This is an open community driven project. Contributors will be mentioned in the documentation.

We adopt the Collective Code Construction Contract (C4) to streamline collaboration.

License

codeaudit is distributed under the terms of the GPL-3.0-or-later license.

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

codeaudit-1.6.4.tar.gz (1.8 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

codeaudit-1.6.4-py3-none-any.whl (83.5 kB view details)

Uploaded Python 3

File details

Details for the file codeaudit-1.6.4.tar.gz.

File metadata

  • Download URL: codeaudit-1.6.4.tar.gz
  • Upload date:
  • Size: 1.8 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: Hatch/1.16.5 cpython/3.14.3 HTTPX/0.28.1

File hashes

Hashes for codeaudit-1.6.4.tar.gz
Algorithm Hash digest
SHA256 c45e0ef0f00f618aeac95c3e3f00bea62560e89f0df9c3ea6cb1a4209d3fa37c
MD5 1d52ee47ab7b02fc5ff6ecf3c05c57a6
BLAKE2b-256 ccc118ff07af767e536302110a86e995a13e6ba422e67f7bf8043f255db515b2

See more details on using hashes here.

File details

Details for the file codeaudit-1.6.4-py3-none-any.whl.

File metadata

  • Download URL: codeaudit-1.6.4-py3-none-any.whl
  • Upload date:
  • Size: 83.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: Hatch/1.16.5 cpython/3.14.3 HTTPX/0.28.1

File hashes

Hashes for codeaudit-1.6.4-py3-none-any.whl
Algorithm Hash digest
SHA256 a70609451ee15b854322fb65c6d1697e4a6ac6f44380edb3cdfe2a9c348e20b7
MD5 a51839bd0f7573c565c6bb88fd6eed4b
BLAKE2b-256 944c371b3a50d5c2c56f091fc4c3b5f8d5d5d968370b80891f5d55034b8a01db

See more details on using hashes here.
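The two file-hash tables above are the integrity check a practitioner should actually use: the metadata states that neither artifact was uploaded with Trusted Publishing, so there is no PyPI-attested provenance to fall back on, and a hash comparison before `pip install` is what stands between you and a swapped file. The following is an added example written for this page, not codeaudit's own code. It embeds the SHA-256 and BLAKE2b-256 digests published above, treats MD5 as display-only because it is collision-broken, requires SHA-256 to be present and compares in constant time; the file-name lookup, `verify_download`, and the `verify_artifact` helper are this example's own names.

```python
# Added example (not codeaudit's own code): check a downloaded release file
# against the digests published on this page before installing it.
import hashlib
import hmac
from pathlib import Path

# Digests copied from the file details above for the 1.6.4 release artifacts.
PUBLISHED = {
    "codeaudit-1.6.4.tar.gz": {
        "sha256": "c45e0ef0f00f618aeac95c3e3f00bea62560e89f0df9c3ea6cb1a4209d3fa37c",
        "blake2b-256": "ccc118ff07af767e536302110a86e995a13e6ba422e67f7bf8043f255db515b2",
    },
    "codeaudit-1.6.4-py3-none-any.whl": {
        "sha256": "a70609451ee15b854322fb65c6d1697e4a6ac6f44380edb3cdfe2a9c348e20b7",
        "blake2b-256": "944c371b3a50d5c2c56f091fc4c3b5f8d5d5d968370b80891f5d55034b8a01db",
    },
}


def digests(data: bytes) -> dict:
    """Compute the three digests PyPI lists for a file. MD5 is included only
    so it can be displayed; it is collision-broken and never decides the verdict."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b-256": hashlib.blake2b(data, digest_size=32).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_artifact(data: bytes, expected: dict) -> bool:
    """True only if SHA-256 is among the expected digests and every
    non-MD5 expected digest matches. Comparison is constant-time."""
    actual = digests(data)
    strong = {alg: d.lower() for alg, d in expected.items() if alg != "md5"}
    if "sha256" not in strong:
        return False
    return all(hmac.compare_digest(actual.get(alg, ""), d) for alg, d in strong.items())


def verify_download(path: str) -> bool:
    """Verify a file saved from PyPI (for example via `pip download codeaudit==1.6.4`)
    against the PUBLISHED table; unknown file names are rejected rather than trusted."""
    file = Path(path)
    expected = PUBLISHED.get(file.name)
    if expected is None:
        return False
    return verify_artifact(file.read_bytes(), expected)


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(f"{arg}: {'OK' if verify_download(arg) else 'MISMATCH'}")
```

The same digests can be pinned for installation instead of checked by hand: put `codeaudit==1.6.4 --hash=sha256:a70609451ee15b854322fb65c6d1697e4a6ac6f44380edb3cdfe2a9c348e20b7` in a requirements file and install it with `pip install --require-hashes -r requirements.txt`, which makes pip refuse any file whose digest differs.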
