Audits Python code and dependencies for security vulnerabilities using Bandit, pip-audit, Semgrep, and detect-secrets. Detects SQL injection, command injection, secrets, weak crypto. Use for CI scans, library reviews, secure patterns.
```bash
# Static analysis
bandit -r src/ -ll                       # medium and high severity (-lll for high only); exits non-zero on findings
pip-audit                                # known-vulnerable versions in the installed environment
detect-secrets scan > .secrets.baseline  # record current findings as the baseline later scans are diffed against
```
Bandit config (`bandit.yaml`, passed with `-c bandit.yaml`; the same keys work under `[tool.bandit]` in `pyproject.toml`):

```yaml
exclude_dirs: [tests/, docs/, .venv/]
skips: [B101]  # assert_used: fine in tests, but tests/ is already excluded and this skip is global, so an assert used as a security check in src/ (stripped under python -O) also goes unflagged
```

pip-audit:

```bash
pip-audit -r requirements.txt  # scan a pinned requirements file instead of the live environment
pip-audit --fix                # upgrade vulnerable packages in place; review the resulting version changes before committing
```
| Issue | Bandit ID | Fix |
|---|---|---|
| SQL injection | B608 | Use parameterized queries |
| Command injection | B602 | subprocess with an argument list, no shell=True |
| Hardcoded secrets | B105, B106 | Environment variables or a secrets manager |
| Weak crypto | B303, B324 | SHA-256+ for integrity; salted, slow hashes (bcrypt, argon2) for passwords |
| Pickle untrusted data | B301 | Use JSON instead |
| Path traversal | none (B108 is hardcoded /tmp paths, not traversal) | Validate with Path.resolve() and is_relative_to(); catch with a Semgrep rule or review |
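The two table rows that the snippets on this page do not show, B301 (pickle) and B303/B324 (weak hashing), each as the vulnerable call beside its hardened replacement. This is an added example, not the skill's or Will McGinnis's code; the `Payload` class, the `record` marker function and the `pbkdf2_sha256$...` storage format are constructed for the demonstration, and PBKDF2-HMAC from the standard library stands in for bcrypt/argon2 so the block runs without third-party packages.

```python
"""Added example: B301 (pickle) and B303/B324 (weak hashing), vulnerable then hardened."""
import hashlib
import hmac
import json
import os
import pickle
from typing import Optional

# --- B301: unpickling untrusted bytes runs attacker-chosen callables ---------
CALLS = []  # records what the constructed payload executed on load


def record(marker: str) -> str:
    CALLS.append(marker)  # stands in for os.system in a real attack
    return marker


class Payload:
    """Constructed attacker object: __reduce__ tells the unpickler to call
    record("pwned") while rebuilding it, before any application code runs."""

    def __reduce__(self):
        return (record, ("pwned",))


def build_malicious_blob() -> bytes:
    return pickle.dumps(Payload())


def load_untrusted_pickle(blob: bytes):
    # Vulnerable: deserialization executes whatever callable the blob names (Bandit B301).
    return pickle.loads(blob)  # nosec B301 - deliberately vulnerable


def load_untrusted_json(blob: bytes) -> dict:
    # Hardened: JSON yields only dicts, lists and scalars; nothing is called.
    obj = json.loads(blob)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    return obj


# --- B303/B324: fast unsalted digests are not password hashes ----------------
def weak_password_hash(password: str) -> str:
    # Vulnerable: MD5 is fast and unsalted, so equal passwords collide across
    # users and precomputed tables apply (Bandit B303/B324).
    return hashlib.md5(password.encode()).hexdigest()  # nosec B324 - deliberately weak


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    # Hardened, stdlib-only stand-in for bcrypt/argon2: per-user random salt and a
    # deliberately slow PBKDF2-HMAC-SHA256. The "$"-separated format is this example's own.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison
```

`pickle.loads(build_malicious_blob())` returns `"pwned"` and leaves it in `CALLS`, which is the whole point: the unpickler invoked a function the blob chose. The JSON loader, given the same kind of untrusted bytes, can only produce data. On the hashing side, two `hash_password` calls for the same password differ (random salt) and cost a few hundred milliseconds each, whereas `weak_password_hash` is identical for every user with that password and computes in microseconds.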
```python
import os
import subprocess
from pathlib import Path

# SQL - parameterized query (placeholder style depends on the driver: ? for sqlite3, %s for psycopg2)
conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))

# Commands - argument list, no shell, so metacharacters in filename are passed literally
subprocess.run(["cat", filename], check=True)

# Secrets - read from the environment, never from source
API_KEY = os.environ.get("API_KEY")

# Paths - resolve both sides (collapses '..', follows symlinks) and require containment
# (Path.is_relative_to needs Python 3.9+; an absolute filename replaces base in the join, and is rejected here)
base = Path("/data").resolve()
file_path = (base / filename).resolve()
if not file_path.is_relative_to(base):
    raise ValueError("Invalid path")
```
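The three patterns above, each run with a constructed attacker input against the vulnerable form and the hardened form so the difference is observable rather than asserted. This is an added example, not the skill's or Will McGinnis's code; the in-memory SQLite table, the `echo` command and the `/srv/app/data` base directory are constructed for the demonstration, and it assumes a POSIX `/bin/sh` (for the `shell=True` case) and Python 3.9+ (for `Path.is_relative_to`).

```python
"""Added example: SQL injection, command injection and path traversal,
vulnerable beside hardened, driven by constructed attacker inputs."""
import sqlite3
import subprocess
from pathlib import Path


def make_db() -> sqlite3.Connection:
    # Constructed sample data (in-memory SQLite); not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0)])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: input is spliced into the statement text, so a quote in it
    # ends the literal and the rest is parsed as SQL (Bandit B608).
    query = f"SELECT name FROM users WHERE name = '{name}'"  # nosec B608 - deliberately vulnerable
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the driver binds the value; it is only ever compared, never parsed.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def echo_unsafe(arg: str) -> str:
    # Vulnerable: shell=True hands the string to /bin/sh, so ';' starts a second command (B602).
    return subprocess.run(f"echo {arg}", shell=True, capture_output=True, text=True).stdout  # nosec B602


def echo_safe(arg: str) -> str:
    # Hardened: argument list, no shell; metacharacters reach echo as literal text.
    return subprocess.run(["echo", arg], capture_output=True, text=True, check=True).stdout


def safe_path(base: str, user_supplied: str) -> Path:
    # Resolve both sides (collapses '..' and follows symlinks), then require containment.
    # An absolute user_supplied replaces base in the join and is therefore rejected too.
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_supplied).resolve()
    if not candidate.is_relative_to(base_dir):
        raise ValueError(f"path escapes {base_dir}: {user_supplied!r}")
    return candidate
```

With the payload `x' OR '1'='1`, `find_user_unsafe` returns every row while `find_user_safe` returns none; with `hi; echo INJECTED`, `echo_unsafe` prints two lines and `echo_safe` prints the payload verbatim as one; and `safe_path` rejects both `../../../etc/passwd` and `/etc/passwd` while accepting `reports/q1.csv`. Because `resolve()` follows symlinks, a link inside the base that points outside it is also rejected, which is the conservative behaviour you want for user-controlled names.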
```yaml
# .github/workflows/security.yml (steps only; run after actions/checkout, actions/setup-python
# and pip install bandit pip-audit detect-secrets)
- run: bandit -r src/ -ll               # non-zero exit on medium/high findings fails the job
- run: pip-audit                        # audits the installed environment, so install the project first (or pass -r requirements.txt)
- run: detect-secrets scan --all-files  # prints findings only; to gate the PR, run detect-secrets-hook --baseline .secrets.baseline on the changed files
```
For detailed patterns, see:
Code:
- [ ] No SQL injection (parameterized queries)
- [ ] No command injection (no shell=True)
- [ ] No hardcoded secrets
- [ ] No weak crypto (no MD5/SHA1 for security purposes; salted, slow hashes for passwords)
- [ ] Input validation on external data
- [ ] Path traversal prevention
Dependencies:
- [ ] pip-audit clean
- [ ] Minimal dependencies
- [ ] Pinned versions from trusted sources
CI:
- [ ] Security scan on every PR
- [ ] Weekly dependency scan
This skill is based on the Security section of the Guide to Developing High-Quality Python Libraries by Will McGinnis. See these posts for deeper coverage: