
sast-lite

Static security analysis for Python source via AST walking — finds command injection, insecure deserialization, eval/exec, weak crypto, SQL injection, disabled TLS verification, hardcoded secrets and more, each tagged with a CWE. Use when the user asks to "audit this code for vulnerabilities", "run a SAST scan", "security review this Python file", or before merging untrusted code.
NovaCode37/claude-security-skills · ★ 8 · AI & Automation · score 74
Install: claude install-skill NovaCode37/claude-security-skills
# SAST Lite

An AST-based static analyzer for Python. Instead of fragile regex matching, it parses each file into an abstract syntax tree and inspects how dangerous APIs are actually called — so `subprocess.run(cmd, shell=True)` is flagged while `subprocess.run(["ls"])` is not. **No third-party dependencies.**

## When to use this skill

- "Audit / security-review this Python code."
- "Run a SAST scan on the project."
- Reviewing a PR or untrusted snippet before running it.
- A pre-merge CI gate for security regressions.

## What it detects

| Rule | CWE | Severity |
|------|-----|----------|
| `eval()` / `exec()` on dynamic input | CWE-95 | critical/high |
| `os.system` / `subprocess(shell=True)` | CWE-78 | high |
| `pickle`/`marshal` deserialization | CWE-502 | high |
| `yaml.load` without SafeLoader | CWE-20 | high |
| SQL via f-string / concat / `.format` / `%` | CWE-89 | high |
| `requests(verify=False)` | CWE-295 | high |
| Hardcoded password/secret literal | CWE-798 | high |
| Weak hash (md5/sha1) | CWE-327 | medium |
| `tempfile.mktemp` | CWE-377 | medium |
| `Flask(debug=True)` | CWE-489 | medium |
| Jinja2 `autoescape=False` | CWE-79 | medium |
| `assert` used for a security check | CWE-617 | medium |

## How to run it

```bash
# Scan a directory
python skills/sast-lite/analyzer.py src/

# JSON for tooling / CI
python skills/sast-lite/analyzer.py . --json

# Only show high+ severity
python skills/sast-lite/analyzer.py . --min-severity high
```

**Exit codes:** `0` c
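To make the "AST walking instead of regex" point concrete, here is a small checker written for this page as an added example; it is not the project's `analyzer.py`, and its `Finding` shape, rule subset and `SAMPLE` input are assumptions constructed for the demonstration. It resolves the dotted callee name of every `ast.Call` and inspects the actual keyword arguments, which is why `subprocess.run(["ls"])` passes while `subprocess.run(cmd, shell=True)` is reported, and why `eval("1+1")` (a literal) is distinguished from `eval(user_input)`.

```python
"""Minimal AST-based SAST checker (added example, not the project's analyzer.py).

Covers a subset of the rules in the table above; rule text, CWE tags and
severities are assumptions modelled on that table.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    cwe: str
    severity: str


def _call_name(node: ast.Call) -> str:
    """Dotted callee name, e.g. 'subprocess.run', 'os.system' or 'eval'."""
    parts: list[str] = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _kwarg(node: ast.Call, name: str) -> ast.expr | None:
    """The AST node passed as keyword `name`, or None if absent."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def _is_const(node: ast.expr | None, value: object) -> bool:
    return isinstance(node, ast.Constant) and node.value is value


class Checker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def report(self, node: ast.AST, rule: str, cwe: str, severity: str) -> None:
        self.findings.append(Finding(node.lineno, rule, cwe, severity))

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        # eval/exec: only flag when the first argument is not a literal
        if name in ("eval", "exec") and node.args and not isinstance(node.args[0], ast.Constant):
            self.report(node, f"{name}() on dynamic input", "CWE-95", "critical")
        # os.system always runs through a shell; subprocess.* only with shell=True
        if name == "os.system":
            self.report(node, "os.system", "CWE-78", "high")
        if name.startswith("subprocess.") and _is_const(_kwarg(node, "shell"), True):
            self.report(node, f"{name} with shell=True", "CWE-78", "high")
        if name in ("pickle.load", "pickle.loads", "marshal.load", "marshal.loads"):
            self.report(node, f"{name} deserialization", "CWE-502", "high")
        if name == "yaml.load":
            loader = _kwarg(node, "Loader")
            loader_name = loader.attr if isinstance(loader, ast.Attribute) else getattr(loader, "id", None)
            if loader_name not in ("SafeLoader", "CSafeLoader"):
                self.report(node, "yaml.load without SafeLoader", "CWE-20", "high")
        if name.startswith("requests.") and _is_const(_kwarg(node, "verify"), False):
            self.report(node, f"{name} with verify=False", "CWE-295", "high")
        if name in ("hashlib.md5", "hashlib.sha1"):
            self.report(node, f"weak hash {name}", "CWE-327", "medium")
        if name == "tempfile.mktemp":
            self.report(node, "tempfile.mktemp", "CWE-377", "medium")
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Parse `source` and return findings ordered by line number."""
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample input: lines 2, 4 and 6 are the safe forms, the rest should be reported.
SAMPLE = """import os, subprocess, yaml, requests, hashlib
subprocess.run(["ls"])
subprocess.run(cmd, shell=True)
eval("1+1")
eval(user_input)
yaml.load(data, Loader=yaml.SafeLoader)
yaml.load(data)
requests.get(url, verify=False)
hashlib.md5(b"x")
os.system("ls")
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line:>3}  {f.severity:<8} {f.cwe:<8} {f.rule}")
```

Because the checks operate on `ast.Call` nodes, a grep-style false positive such as the string `"shell=True"` inside a comment or docstring never reaches them; the cost is that anything built outside the parsed call (for example `kwargs = {"shell": True}; subprocess.run(cmd, **kwargs)`) is invisible to this simple visitor, which is the usual trade-off for a lightweight AST pass.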