List of Checks

General and Best Practice

• AST100 : Use of `assert` statement in non-test file
• EX100 : Use of builtin `exec()` function for non-string literal
• OS100 : Calls to `os.chmod()` with dangerous POSIX permissions
• PIC100 : Loading serialized data with the pickle module can expose arbitrary code execution using the __reduce__ method.
• TMP100 : Use of insecure `tempfile.mktemp`
• TMP101 : Use of hardcoded temporary file path
• TRY100 : Use of a `try` ... `except` block where the except block does not contain anything other than comments and a `pass` statement
• TRY101 : Use of a `try` ... `except` block where the except block does not contain anything other than comments and a `continue` statement

SQL

The SQL100 check will cover most SQL injection techniques using Python’s multiple string formatting methods.

• SQL100 : Possible SQL injection with Python string formatting
• SQL200 : Possible SQL injection with SQLalchemy

Shell

• PR100 : Use of `shell=True` when running `subprocess.call` from the standard library
• PAR101 : Possible shell injection on remote host with paramiko library
• SH100 : Possible shell injection on local host with standard library functions
• SH101 : Potentially risky call to spawned process

Passwords and Security

• PW100 : Matching inputs, secrets or tokens using the == operator is vulnerable to timing attacks. Use compare_digest() instead.
• PW101 : Hardcoded passwords, secrets or keys detected

Encryption and Hashing

• HL100 : MD4, MD5, SHA, and SHA1 hashing algorithms should not be used for obfuscating or protecting data
• HL101 : MD5, SHA-1, RIPEMD-160, Whirlpool and the SHA-256 / SHA-512 hash algorithms all vulnerable to length-extension attacks and should not be used for obfuscating or protecting data

Django Web Framework

• DJG100 : Setting `DEBUG = True` in a `settings.py` file (assumed Django project settings)
• DJG101 : Using quoted, parametrized literal will bypass Django SQL Injection protection
• DJG102 : Using safe strings bypasses the Django XSS protection
• DJG103 : Using quoted, parametrized literal in the query set `extra()` function will bypass Django SQL Injection protection
• DJG200 : Django middleware is missing `CsrfViewMiddleware`, which blocks cross-site request forgery
• DJG201 : Django middleware is missing `XFrameOptionsMiddleware`, which blocks clickjacking.
• DJG300 : Django PermissionRequiredMixin missing properties
• DJG301 : Django PermissionRequiredMixin inherited incorrectly

Deserialization

• YML100 (`pyyaml`) : Use of `yaml.load()` can cause arbitrary code execution. Suggests and has a "Quick Fix" to replace with `safe_load()` using existing arguments

Flask Web Framework

• FLK100 : Use of `debug=True` when instantiating flask applications

SSL and Networking

• NET100 : Socket binding to unspecified IPv4 or IPv6 address
• PAR100 (`paramiko`) : Host key inspection bypass using the `paramiko` SSH library
• RQ100 (`requests`) : Use of `verify=False` when making HTTP requests using the `requests` package
• RQ101 (`httpx`) : Use of `verify=False` when making HTTP requests using the `httpx` package
• SSL100 : Use of insecure defaults in `ssl` module
• SSL101 : Use of insecure SSL versions in `ssl` module

Templating Engines

• JJ100 (`jinja2`) : Use of Jinja2 without autoescaped input
• MK100 (`mako`) : Use of Mako template without escaped input

XML

• XML100 : Use of standard library XML modules that are vulnerable to entity expansion DoS
• XML200 : Use of `allow_dotted_names` with XML RPC Simple Server allows remote code execution