Supported Checks
- PW100 Matching inputs, secrets or tokens using the == operator is vulnerable to timing attacks. Use compare_digest() instead.
- PW101 Hardcoded passwords, secrets or keys detected
- HL100 MD4, MD5, SHA, and SHA1 hashing algorithms should not be used for obfuscating or protecting data
- HL101 MD5, SHA-1, RIPEMD-160, Whirlpool and the SHA-256 / SHA-512 hash algorithms all vulnerable to length-extension attacks and should not be used for obfuscating or protecting data
- YML100 Use of
yaml.load() can cause arbitrary code execution. Suggests and has a “Quick Fix” to replace with safe_load() using existing arguments
- FLK100 Use of
debug=True when instantiating flask applications
- RQ100 Use of
verify=False when making HTTP requests using the requests package
- RQ101 Use of
verify=False when making HTTP requests using the httpx package
- PR100 Use of
shell=True when running subprocess.call from the standard library
- TMP100 Use of
tempfile.mktemp
- DJG100 Setting
DEBUG = True in a settings.py file (assumed Django project settings)
- JJ100 Use of Jinja2 without autoescaped input
- EX100 Use of builtin
exec() function
- MK100 Use of Mako template without escaped input
