BarakMozesPro/secureflow-scanner
SecureFlow Scanner — Python Static Application Security Testing (SAST) Engine


A Python SAST engine that performs AST-based static analysis to detect security vulnerabilities in Python source code. Supports 31 security check plugins covering OWASP Top 10 vulnerabilities.

Architecture

flowchart LR
    A[Python Source Files] --> B[AST Parser]
    B --> C[Node Visitor]
    C --> D[Security Plugins]
    D --> E[Issue Collector]
    E --> F[Formatter]
    F --> G[SARIF / JSON / HTML Report]

Features

  • AST-based code analysis with full Python syntax support
  • 31 security check plugins covering OWASP Top 10 vulnerabilities
  • Blacklist-based dangerous API and import detection
  • Multiple output formats: SARIF, JSON, HTML, CSV, XML, YAML, plain text
  • Baseline comparison for CI/CD noise reduction
  • Severity and confidence scoring for issue prioritization
  • Plugin architecture via stevedore for extensibility
  • Taint analysis for shell injection detection
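The pipeline in the Architecture diagram (parse, visit, plugins, collect, format) together with the blacklist check, the severity filter and the SARIF output listed above, condensed into one runnable Python example. This is an added illustration, not code from SecureFlow Scanner or from Bandit: the plugin functions, the B001/B002 rule ids, the DANGEROUS_CALLS table, the SAFE_YAML_LOADERS set and the SAMPLE source are all constructed here, and the formatter emits only the minimal subset of a SARIF 2.1.0 log (ruleId, level, message, location).

```python
import ast  # ast.unparse needs Python 3.9+
import json
from dataclasses import dataclass

# Constructed blacklist (hypothetical, not the project's blacklists/calls.py):
# dotted call name -> (severity, finding text)
DANGEROUS_CALLS = {
    "eval": ("MEDIUM", "eval() executes arbitrary code"),
    "exec": ("MEDIUM", "exec() executes arbitrary code"),
    "pickle.loads": ("MEDIUM", "pickle.loads() deserialises untrusted data"),
    "hashlib.md5": ("LOW", "MD5 is not collision resistant; avoid for security use"),
}
SAFE_YAML_LOADERS = {"yaml.SafeLoader", "yaml.CSafeLoader"}
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
SARIF_LEVEL = {"LOW": "note", "MEDIUM": "warning", "HIGH": "error"}


@dataclass
class Issue:
    test_id: str
    severity: str
    confidence: str
    text: str
    fname: str
    lineno: int


def blacklist_calls(node, fname):
    """Plugin: flag any call whose dotted name is on the blacklist."""
    name = ast.unparse(node.func)
    if name in DANGEROUS_CALLS:
        severity, text = DANGEROUS_CALLS[name]
        return [Issue("B001", severity, "HIGH", text, fname, node.lineno)]
    return []


def yaml_load_without_safe_loader(node, fname):
    """Plugin: flag yaml.load() unless Loader= names a safe loader."""
    if ast.unparse(node.func) != "yaml.load":
        return []
    loaders = [ast.unparse(kw.value) for kw in node.keywords if kw.arg == "Loader"]
    if loaders and loaders[0] in SAFE_YAML_LOADERS:
        return []
    return [Issue("B002", "MEDIUM", "HIGH", "yaml.load() without a safe Loader",
                  fname, node.lineno)]


# Plugins are registered by the AST node type they inspect, which is the
# Node Visitor -> Security Plugins step of the diagram.
PLUGINS = {"Call": [blacklist_calls, yaml_load_without_safe_loader]}


class SecurityVisitor(ast.NodeVisitor):
    """Walks every node and hands it to the plugins registered for its type."""

    def __init__(self, fname):
        self.fname = fname
        self.issues = []

    def generic_visit(self, node):
        for plugin in PLUGINS.get(type(node).__name__, []):
            self.issues.extend(plugin(node, self.fname))
        super().generic_visit(node)


def scan_source(source, fname="<string>", min_severity="LOW"):
    """Parse, visit, collect; drop findings below min_severity (like -l)."""
    visitor = SecurityVisitor(fname)
    visitor.visit(ast.parse(source, filename=fname))
    return [i for i in visitor.issues
            if SEVERITY_RANK[i.severity] >= SEVERITY_RANK[min_severity]]


def to_sarif(issues, tool_name="example-scanner"):
    """Formatter: a minimal SARIF 2.1.0 log with one result per issue."""
    results = [{
        "ruleId": i.test_id,
        "level": SARIF_LEVEL[i.severity],
        "message": {"text": i.text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": i.fname},
            "region": {"startLine": i.lineno}}}],
    } for i in issues]
    return json.dumps({"version": "2.1.0",
                       "runs": [{"tool": {"driver": {"name": tool_name}},
                                 "results": results}]}, indent=2)


# Constructed sample input, not a real project file.
SAMPLE = '''
import pickle, yaml, hashlib
def load(blob, text):
    obj = pickle.loads(blob)
    cfg = yaml.load(text)
    safe = yaml.load(text, Loader=yaml.SafeLoader)
    digest = hashlib.md5(blob)
    return eval("obj")
'''

if __name__ == "__main__":
    print(to_sarif(scan_source(SAMPLE, "sample.py", "MEDIUM")))
```

Scanning SAMPLE at the default LOW threshold reports lines 4, 5, 7 and 8 (the SafeLoader call on line 6 is not reported); raising the threshold to MEDIUM drops the MD5 finding, which is what `-l MEDIUM` does on the command line.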

Quick Start

pip install secureflow-scanner
secureflow-scanner -r /path/to/your/code

Usage

Basic scan

# Scan a directory recursively
secureflow-scanner -r myproject/

# Scan with minimum severity level (LOW, MEDIUM, HIGH)
secureflow-scanner -r myproject/ -l MEDIUM

# Output as JSON
secureflow-scanner -r myproject/ -f json -o results.json

# Output as SARIF (for GitHub Code Scanning)
secureflow-scanner -r myproject/ -f sarif -o results.sarif

CI/CD Integration

# Create a baseline to reduce false positives
secureflow-scanner-baseline -r myproject/ -f json -o baseline.json

# Compare against baseline
secureflow-scanner -r myproject/ -b baseline.json
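How a baseline suppresses already-accepted findings in CI, as an added example rather than the project's own secureflow-scanner-baseline implementation. The two JSON documents are constructed in the shape of Bandit-style JSON output (a "results" list whose "code" snippets carry line-number prefixes; the test ids B602, B324, B301 and B105 are Bandit's, the file names are made up). The fingerprint scheme, which ignores line numbers and whitespace so that a finding does not reappear just because the code above it moved, is this example's own design.

```python
import hashlib
import json
import re

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed scan outputs; raw strings so the JSON keeps its "\n" escapes.
BASELINE_JSON = r'''{"results": [
  {"test_id": "B602", "filename": "app/run.py", "line_number": 10,
   "issue_severity": "HIGH", "issue_text": "subprocess call with shell=True",
   "code": "10 subprocess.call(cmd, shell=True)\n"},
  {"test_id": "B324", "filename": "app/hash.py", "line_number": 3,
   "issue_severity": "MEDIUM", "issue_text": "Use of weak MD5 hash",
   "code": "3 digest = hashlib.md5(data)\n"}
]}'''

# Same B602 finding shifted four lines down, the MD5 call fixed, two new findings.
CURRENT_JSON = r'''{"results": [
  {"test_id": "B602", "filename": "app/run.py", "line_number": 14,
   "issue_severity": "HIGH", "issue_text": "subprocess call with shell=True",
   "code": "14     subprocess.call(cmd, shell=True)\n"},
  {"test_id": "B301", "filename": "app/load.py", "line_number": 7,
   "issue_severity": "MEDIUM", "issue_text": "pickle.loads on untrusted data",
   "code": "7 obj = pickle.loads(blob)\n"},
  {"test_id": "B105", "filename": "app/settings.py", "line_number": 2,
   "issue_severity": "LOW", "issue_text": "Possible hardcoded password",
   "code": "2 PASSWORD = 'placeholder'\n"}
]}'''


def fingerprint(result):
    """Stable identity for a finding: rule id + file + code snippet with
    line-number prefixes and all whitespace removed, so line shifts and
    re-indentation do not turn an accepted finding into a 'new' one."""
    lines = [re.sub(r"^\s*\d+\s?", "", line) for line in result["code"].splitlines()]
    code = "".join("".join(line.split()) for line in lines)
    key = f'{result["test_id"]}|{result["filename"]}|{code}'
    return hashlib.sha256(key.encode()).hexdigest()


def new_findings(baseline_json, current_json):
    """Findings in the current scan whose fingerprint is not in the baseline."""
    seen = {fingerprint(r) for r in json.loads(baseline_json)["results"]}
    return [r for r in json.loads(current_json)["results"]
            if fingerprint(r) not in seen]


def ci_exit_code(findings, fail_on="MEDIUM"):
    """1 when any new finding is at or above the fail_on severity, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f["issue_severity"]] >= threshold
                    for f in findings) else 0


if __name__ == "__main__":
    fresh = new_findings(BASELINE_JSON, CURRENT_JSON)
    for f in fresh:
        print(f'{f["issue_severity"]}: {f["test_id"]} {f["filename"]}:{f["line_number"]}')
    raise SystemExit(ci_exit_code(fresh, "MEDIUM"))
```

Only the pickle and hardcoded-password findings are new; the shell=True call is recognised as the baselined one despite moving from line 10 to 14. Gating on MEDIUM fails the pipeline because of the pickle finding, while gating on HIGH passes it, which is the trade-off to make explicit when choosing the threshold for a CI job.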

Python API

from secureflow_scanner.core.manager import BanditManager
from secureflow_scanner.core.config import BanditConfig
from secureflow_scanner.core.issues import IssueSeverity

config = BanditConfig()
manager = BanditManager(config, agg_type='file')
manager.discover_files(['/path/to/code'], recursive=True)
manager.run_tests()

# Print results
for issue in manager.get_issue_list():
    print(f"{issue.severity}: {issue.text} at {issue.fname}:{issue.lineno}")

Project Structure

secureflow_scanner/
├── __init__.py
├── cli/
│   ├── main.py              # CLI entry point (argparse)
│   ├── baseline.py          # Baseline comparison tool
│   └── config_generator.py  # Configuration file generator
├── core/
│   ├── manager.py           # Scan orchestrator
│   ├── node_visitor.py      # AST traversal engine
│   ├── context.py           # Security context extraction
│   ├── tester.py            # Plugin test runner
│   ├── issue.py             # Issue model with severity/confidence
│   ├── config.py            # Configuration management
│   ├── extension_loader.py  # Plugin discovery via stevedore
│   ├── metrics.py           # Scan metrics collection
│   └── utils.py             # AST utilities
├── plugins/                 # 31 security check plugins
│   ├── injection_shell.py   # Shell injection detection
│   ├── injection_sql.py     # SQL injection detection
│   ├── django_xss.py        # Django XSS checks
│   ├── insecure_ssl_tls.py  # SSL/TLS misconfiguration
│   ├── general_hardcoded_password.py  # Hardcoded credentials
│   └── ...                  # 26 more plugins
├── blacklists/              # Dangerous API blacklists
│   ├── calls.py             # Dangerous function calls
│   └── imports.py           # Dangerous module imports
└── formatters/              # Output format handlers
    ├── sarif.py             # SARIF format (GitHub integration)
    ├── json.py              # JSON format
    ├── html.py              # HTML report
    ├── csv.py               # CSV format
    └── ...                  # More formatters

Security Checks Covered

| Category | Examples |
| --- | --- |
| Injection | Shell injection, SQL injection, paramiko |
| Cryptography | Weak SSL/TLS, insecure hashlib, weak keys |
| Hardcoded Secrets | Passwords, bind-all interfaces, tmp dirs |
| Web Frameworks | Django XSS, Jinja2 autoescape, Mako templates |
| Dangerous APIs | exec(), YAML load, tarfile unsafe members |
| Network | SNMP insecure version, SSH host key verification |
| Supply Chain | HuggingFace unsafe download, PyTorch unsafe load |

What I Learned

Building this project deepened my understanding of:

  • AST-based taint analysis: How to traverse Python's Abstract Syntax Tree to track data flow from sources to sinks
  • Plugin architecture patterns: Using stevedore for dynamic plugin discovery and registration
  • SARIF format: Static Analysis Results Interchange Format for integrating security tools with GitHub Code Scanning
  • Severity scoring models: How to combine severity and confidence signals for actionable security findings
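The source-to-sink tracking from the first item and the severity/confidence combination from the last, as an added self-contained example that is not the project's injection_shell.py. The SOURCES and SINKS sets, the three-tier scoring (literal command, tainted command, command of unknown origin), the score formula and the SAMPLE program are all constructed for this illustration. The tracker is deliberately simple (flow-insensitive, single module, variable names only, no propagation through function calls or containers) so that its blind spots are visible: a command built from a value it cannot trace back to a source is reported at MEDIUM/MEDIUM rather than silently dropped.

```python
import ast  # ast.unparse needs Python 3.9+
from dataclasses import dataclass

# Constructed source and sink lists (hypothetical, not the project's own).
SOURCES = {"input", "sys.argv", "os.environ.get", "request.args.get"}
SINKS = {"os.system", "subprocess.call", "subprocess.run", "subprocess.Popen"}
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class Issue:
    severity: str
    confidence: str
    text: str
    lineno: int

    def score(self):
        # Constructed scoring model: severity dominates, confidence breaks ties.
        return RANK[self.severity] * 3 + RANK[self.confidence]


class TaintTracker(ast.NodeVisitor):
    """Flow-insensitive, single-module taint tracking over variable names."""

    def __init__(self):
        self.tainted = set()
        self.issues = []

    def is_tainted(self, expr):
        """True if expr reads a source directly or mentions a tainted name."""
        for n in ast.walk(expr):
            if isinstance(n, ast.Name) and n.id in self.tainted:
                return True
            if isinstance(n, ast.Call) and ast.unparse(n.func) in SOURCES:
                return True
            if isinstance(n, ast.Subscript) and ast.unparse(n.value) in SOURCES:
                return True
        return False

    def visit_Assign(self, node):
        # Propagate taint from the right-hand side to every simple name target.
        if self.is_tainted(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = ast.unparse(node.func)
        shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True for kw in node.keywords)
        # os.system always goes through a shell; subprocess.* only with shell=True.
        if name in SINKS and (name == "os.system" or shell) and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                self.issues.append(Issue("LOW", "HIGH",
                                         f"{name} with a literal command", node.lineno))
            elif self.is_tainted(arg):
                self.issues.append(Issue("HIGH", "HIGH",
                                         f"{name} with a command derived from a source",
                                         node.lineno))
            else:
                self.issues.append(Issue("MEDIUM", "MEDIUM",
                                         f"{name} with a non-literal command of unknown origin",
                                         node.lineno))
        self.generic_visit(node)


def scan(source):
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.issues


def prioritize(issues):
    """Highest combined severity/confidence first; stable for equal scores."""
    return sorted(issues, key=lambda i: -i.score())


# Constructed sample program, not a real project file.
SAMPLE = '''
import os, subprocess, sys
host = sys.argv[1]
cmd = "ping -c1 " + host
subprocess.call(cmd, shell=True)
subprocess.call("ls -l", shell=True)
subprocess.run(["ls", host])
os.system(f"echo {os.environ.get('USER')}")
name = input("name: ")
greeting = "hi " + name
subprocess.Popen(greeting, shell=True)
path = config_path
os.system("cat " + path)
'''

if __name__ == "__main__":
    for issue in prioritize(scan(SAMPLE)):
        print(f"{issue.severity}/{issue.confidence} line {issue.lineno}: {issue.text}")
```

Lines 5, 8 and 11 are HIGH/HIGH because the command reaches the shell sink from sys.argv, os.environ.get and input() respectively (line 11 after two hops of propagation); line 6 is LOW/HIGH because the command is a string literal; line 13 is MEDIUM/MEDIUM because the tracker cannot tell where config_path came from; and the argument-list call on line 7 never goes through a shell, so it is not reported. Sorting by the combined score puts the three confirmed flows first.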

Credit

Built upon Bandit by PyCQA, licensed under the Apache 2.0 License.

Bandit is a tool designed to find common security issues in Python code. SecureFlow Scanner extends and repackages this work for integration into modern DevSecOps pipelines.

License

Apache License 2.0 — See the LICENSE file for details.
