A simple regex-based static analysis tool to identify potential OWASP Top 10 (2021) issues in Python code.
For educational use only — not a replacement for professional SAST tools.
| Code | Title | Description |
|---|---|---|
| A01 | Broken Access Control | Detects routes/endpoints missing auth decorators (@login_required, Depends, etc.) |
| A02 | Cryptographic Failures | Flags weak hashes (md5, sha1) and hardcoded secrets (passwd, api_key) |
| A03 | Injection | Finds unsafe calls (os.system, eval, subprocess) and raw SQL string usage |
| A05 | Security Misconfiguration | Detects DEBUG=True, weak SECRET_KEYs, or development=True |
| A06 | Vulnerable and Outdated Components | Flags imports of outdated third-party libraries or frameworks and pinned version strings of unpatched dependencies that may expose known CVEs |
| A07 | Auth Failures | Flags insecure JWT decoding (verify=False) and direct session handling |
| A09 | Logging Failures | Detects print/logging of sensitive data (password, token, secret) |
| A10 | SSRF | Flags user-controlled URLs in requests.get, urlopen, httpx.get |
```bash
pip install poetry
cd owasp-static-scanner
poetry install
poetry shell
```
Outputs a console report listing detected patterns by file and line number.
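To show what a per-line regex scanner of this kind looks like end to end, here is an added, self-contained example (not the project's own code). The rule regexes, the `Finding` type and the `SAMPLE` input are constructed for illustration based on the categories in the table above; the comment-skipping heuristic shows one common false-positive source such scanners need to handle.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    code: str      # OWASP category code from the table above
    line: int      # 1-based line number in the scanned file
    snippet: str   # offending source line, stripped

# Constructed rules keyed by OWASP code; modelled on the table above, not the
# project's own rule set. Each rule is a single regex applied per source line.
RULES = {
    "A02": re.compile(r"\bhashlib\.(md5|sha1)\s*\("),                # weak hashes
    "A03": re.compile(r"\b(eval|exec|os\.system)\s*\("),             # unsafe calls
    "A05": re.compile(r"\bDEBUG\s*=\s*True\b"),                       # debug enabled
    "A07": re.compile(r"\bjwt\.decode\([^)]*\bverify\s*=\s*False"),   # unverified JWT
    "A09": re.compile(r"\b(print|logging\.\w+)\([^)]*\b(password|token|secret)\b"),
}

def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, skipping blank and comment-only lines."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments mentioning md5/eval would otherwise be false positives
        for code, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(code, lineno, stripped))
    return findings

def format_report(filename: str, findings: list[Finding]) -> str:
    """Console report in file:line [code] form, as the README describes."""
    if not findings:
        return f"{filename}: no issues detected"
    return "\n".join(f"{filename}:{f.line} [{f.code}] {f.snippet}" for f in findings)

# Constructed sample input exercising one rule per category (not real project code).
SAMPLE = """\
import hashlib, os, jwt
DEBUG = True
# hashlib.md5(...) in a comment must not be reported
def login(user, password):
    digest = hashlib.md5(password.encode()).hexdigest()
    print("login attempt with password", password)
    os.system("echo " + user)
    return jwt.decode(user, verify=False)
"""

if __name__ == "__main__":
    print(format_report("sample.py", scan_source(SAMPLE)))
```

Running the script reports five findings for `SAMPLE` (lines 2, 5, 6, 7 and 8) and nothing for the comment on line 3.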
- OWASP Top Ten Project — https://owasp.org/www-project-top-ten/
- Black Duck: What Is the OWASP Top 10 and How Does It Work? — https://www.blackduck.com/glossary/what-is-owasp-top-10.html