Python SAST
What xgrep detects in Python — injection, SSRF, deserialization, weak crypto, and Django/Flask-specific issues — with request-to-sink taint analysis.
xgrep parses .py and .pyi into tree-sitter ASTs and ships roughly 90 rules,
20 of them taint-based, with dedicated coverage for Django and Flask.
xgrep scan --include '*.py' .
What xgrep detects
Injection — sql-injection, sql-injection-format, django-sql-injection,
command-injection, flask-command-injection, code-injection, ldap-injection,
nosql-injection, xpath-injection, header-injection, cookie-injection,
log-injection, template-injection.
Cross-site scripting — flask-xss, jinja2-no-autoescape.
Deserialization & XML — unsafe-deserialization, xml-entity-expansion.
SSRF, redirects & path traversal — ssrf-request, open-redirect,
path-traversal, overly-permissive-file.
Auth, cookies & CSRF — csrf-disabled, cookie-no-httponly / -samesite,
insecure-cookie, jwt-algorithm-confusion, pam-authorization, debug-enabled.
Crypto & TLS — weak-hash, weak-key-size, weak-password-hash, weak-random,
disabled-cert-validation, insecure-protocol, cleartext-storage / -transmission.
Availability (DoS) — regex-dos, regex-dos-static,
incomplete-hostname-regexp.
Data exposure — hardcoded-credentials, sensitive-data-logging,
stacktrace-exposure, insecure-temp-file.
Correctness — large class-*, expressions-*, functions-*, statements-*,
and imports-* families catch mutable default args, unreachable code, no-effect
statements, unused imports, and undefined names (run with --category correctness).
Taint analysis
20 rules use taint mode: Flask/Django request data (request.args, request.form, route parameters) must actually reach a sink (subprocess, eval, the ORM, a redirect) for the rule to fire — the basis for the command-injection example in Getting Started.
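To make the request-to-sink idea concrete, here is an added illustration, not xgrep's own engine: a minimal taint tracker built on Python's ast module that treats flask request.* reads as sources and subprocess/os/eval calls as sinks, and reports a flow only when request data actually reaches a sink. The SAMPLE handlers, the source/sink tables and all function names are constructed for this example.

```python
import ast
# Constructed illustration of request-to-sink taint tracking, not xgrep's engine.
SOURCE_ATTRS = {"args", "form", "values", "json"}           # flask.request.<attr>
SINK_FUNCS = {("subprocess", "run"), ("subprocess", "Popen"), ("os", "system")}

def is_source(node):  # request.args, request.form["x"], request.args.get("x"), ...
    while isinstance(node, (ast.Call, ast.Attribute, ast.Subscript)):
        if (isinstance(node, ast.Attribute) and node.attr in SOURCE_ATTRS
                and isinstance(node.value, ast.Name) and node.value.id == "request"):
            return True
        node = node.func if isinstance(node, ast.Call) else node.value
    return False

def sink_name(call):  # "subprocess.run", "eval", ... or None when not a sink
    f = call.func
    if isinstance(f, ast.Name) and f.id in {"eval", "exec"}:
        return f.id
    if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and (f.value.id, f.attr) in SINK_FUNCS):
        return f"{f.value.id}.{f.attr}"
    return None

def is_tainted(node, tainted):  # a source itself, or mentions a tainted name
    return is_source(node) or any(
        isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(node))

def find_taint_flows(src):  # -> [(line, sink)] for sink calls fed by request data
    findings = []
    for fn in (n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)):
        tainted = set()  # names holding request data, propagated in straight-line order
        for stmt in fn.body:
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                sink = sink_name(call)
                if sink and any(is_tainted(a, tainted)
                                for a in call.args + [k.value for k in call.keywords]):
                    findings.append((call.lineno, sink))
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
    return findings

SAMPLE = '''from flask import request
import subprocess
def ping():                                 # request data reaches subprocess: flagged
    host = request.args.get("host")
    return subprocess.run(f"ping -c 1 {host}", shell=True, capture_output=True).stdout
def uname():                                # request data read, never reaches a sink
    fmt = request.args.get("format")
    out = subprocess.run(["uname", "-a"], capture_output=True).stdout
    return out.decode() if fmt != "json" else {"uname": out.decode()}
'''
```

Running find_taint_flows(SAMPLE) reports only the ping handler (line 5, subprocess.run); uname reads request data and calls subprocess, but the two never connect, which is exactly why a taint rule stays quiet there while a plain pattern match would not.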
Frameworks
- Flask — request.* sources into command, template, and redirect sinks.
- Django — ORM SQL injection, csrf-disabled, debug-enabled, and view-layer XSS.
See also Secrets scanning and the CLI reference.