playbooks

home / skills / wdm0006 / python-skills / security-audit

security-audit skill

/skills/security-audit

This skill audits Python libraries for security vulnerabilities using Bandit, pip-audit, Semgrep, and detect-secrets to improve CI scanning and secure coding.

npx playbooks add skill wdm0006/python-skills --skill security-audit

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
2.8 KB
---
name: auditing-python-security
description: Audits Python libraries for security vulnerabilities using Bandit, pip-audit, Semgrep, and detect-secrets. Identifies SQL injection, command injection, hardcoded credentials, weak cryptography, and insecure deserialization. Use when reviewing library security, setting up security scanning in CI, or implementing secure coding patterns.
---

# Python Security Auditing

## Quick Start

```bash
# Static analysis
bandit -r src/ -ll                    # High severity only
pip-audit                             # Dependency vulnerabilities
detect-secrets scan > .secrets.baseline  # Secrets detection
```

## Tool Configuration

**Bandit (.bandit):**
```yaml
exclude_dirs: [tests/, docs/, .venv/]
skips: [B101]  # assert_used - OK in tests
```

**pip-audit:**
```bash
pip-audit -r requirements.txt         # Scan requirements
pip-audit --fix                       # Auto-fix vulnerabilities
```

## Common Vulnerabilities

| Issue | Bandit ID | Fix |
|-------|-----------|-----|
| SQL injection | B608 | Use parameterized queries |
| Command injection | B602 | subprocess without shell=True |
| Hardcoded secrets | B105, B106 | Environment variables |
| Weak crypto | B303 | Use SHA-256+, bcrypt for passwords |
| Pickle untrusted data | B301 | Use JSON instead |
| Path traversal | B108 | Validate with Path.resolve() |

## Secure Patterns

```python
# SQL - Parameterized query
conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))

# Commands - No shell
subprocess.run(["cat", filename], check=True)

# Secrets - Environment
API_KEY = os.environ.get("API_KEY")

# Paths - Validate
base = Path("/data").resolve()
file_path = (base / filename).resolve()
if not file_path.is_relative_to(base):
    raise ValueError("Invalid path")
```

## CI Integration

```yaml
# .github/workflows/security.yml
- run: bandit -r src/ -ll
- run: pip-audit
- run: detect-secrets scan --all-files
```

For detailed patterns, see:
- **[VULNERABILITIES.md](VULNERABILITIES.md)** - Full vulnerability examples
- **[CI_SECURITY.md](CI_SECURITY.md)** - Complete CI workflow

## Audit Checklist

```
Code:
- [ ] No SQL injection (parameterized queries)
- [ ] No command injection (no shell=True)
- [ ] No hardcoded secrets
- [ ] No weak crypto (MD5/SHA1)
- [ ] Input validation on external data
- [ ] Path traversal prevention

Dependencies:
- [ ] pip-audit clean
- [ ] Minimal dependencies
- [ ] From trusted sources

CI:
- [ ] Security scan on every PR
- [ ] Weekly dependency scan
```

## Learn More

This skill is based on the [Security](https://mcginniscommawill.com/guides/python-library-development/#security-a-matter-of-trust) section of the [Guide to Developing High-Quality Python Libraries](https://mcginniscommawill.com/guides/python-library-development/) by [Will McGinnis](https://mcginniscommawill.com/).

Overview

This skill audits Python libraries for security issues using Bandit, pip-audit, Semgrep, and detect-secrets. It identifies common problems such as SQL injection, command injection, hardcoded credentials, weak cryptography, insecure deserialization, and path traversal. Use it to add automated security checks to reviews and CI pipelines for Python packages.

How this skill works

The skill runs static analysis and dependency scans: Bandit for code-level risks, pip-audit for vulnerable packages, detect-secrets for hardcoded credentials, and optional Semgrep rules for custom patterns. It produces actionable findings (e.g., Bandit IDs) and recommends fixes like parameterized queries, avoiding shell=True, using environment variables for secrets, and stronger cryptography. You can integrate the commands into CI workflows to enforce scans on every PR and scheduled runs.

When to use it

  • Reviewing security of a Python library before release
  • Setting up or enforcing security scanning in CI/CD pipelines
  • Performing pre-merge code reviews to catch injection and credential issues
  • Auditing dependencies for known vulnerabilities
  • Establishing secure coding patterns across a codebase

Best practices

  • Run Bandit with strict policies but exclude test and venv directories to reduce noise
  • Scan dependencies with pip-audit and consider --fix in controlled environments
  • Add detect-secrets baseline to avoid repeated false positives and commit it to repo
  • Write and enforce custom Semgrep rules for project-specific patterns
  • Treat Bandit findings as tickets: triage severity, validate false positives, and apply concrete fixes

Example use cases

  • Automate Bandit, pip-audit, and detect-secrets in a GitHub Actions workflow to block insecure PRs
  • Scan a library before publishing to PyPI to ensure no hardcoded keys or weak hashes
  • Review a codebase for SQL and command injection patterns and convert to parameterized queries and subprocess.run with lists
  • Audit third-party packages with pip-audit to identify and upgrade vulnerable dependencies
  • Create a security checklist for maintainers covering code, dependencies, and CI scan cadence

FAQ

What do I do about false positives from Bandit or detect-secrets?

Triage items individually: confirm findings, add test-only exemptions (e.g., allow asserts in tests), and add a detect-secrets baseline to ignore known non-secrets. Document rationale for suppressions.

How often should CI run dependency scans?

Run dependency scans on every PR and schedule a weekly full audit to catch newly disclosed vulnerabilities in pinned or indirect dependencies.