AgentSkillsCN

auditing-python-security

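Performs in-depth audits of Python libraries for security vulnerabilities using tools such as Bandit, pip-audit, Semgrep, and detect-secrets. Identifies SQL injection, command injection, hardcoded credentials, weak cryptographic algorithms, and insecure deserialization risks. Suitable for library security reviews, configuring security scanning in CI, or putting secure coding standards into practice.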

SKILL.md
--- frontmatter
name: auditing-python-security
description: Audits Python libraries for security vulnerabilities using Bandit, pip-audit, Semgrep, and detect-secrets. Identifies SQL injection, command injection, hardcoded credentials, weak cryptography, and insecure deserialization. Use when reviewing library security, setting up security scanning in CI, or implementing secure coding patterns.

Python Security Auditing

Quick Start

bash
# Static analysis
bandit -r src/ -ll                    # Medium severity and above (-lll for high only)
pip-audit                             # Dependency vulnerabilities
detect-secrets scan > .secrets.baseline  # Secrets detection

Tool Configuration

Bandit (YAML config, passed with -c, e.g. bandit -c bandit.yaml -r src/; a .bandit file uses INI syntax instead):

yaml
exclude_dirs: [tests/, docs/, .venv/]
skips: [B101]  # assert_used - OK in tests

pip-audit:

bash
pip-audit -r requirements.txt         # Scan requirements
pip-audit --fix                       # Auto-fix vulnerabilities

Common Vulnerabilities

| Issue | Bandit ID | Fix |
|---|---|---|
| SQL injection | B608 | Use parameterized queries |
| Command injection | B602 | subprocess without shell=True |
| Hardcoded secrets | B105, B106 | Environment variables |
| Weak crypto | B303 | Use SHA-256+, bcrypt for passwords |
| Pickle untrusted data | B301 | Use JSON instead |
| Path traversal | B108 | Validate with Path.resolve() |

Secure Patterns

python
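import os
import subprocess
from pathlib import Path

# SQL - Parameterized query (conn is an open connection; "?" is the sqlite3 placeholder style)
conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))

# Commands - No shell (argument list, so filename is never parsed by a shell)
subprocess.run(["cat", filename], check=True)

# Secrets - Environment
API_KEY = os.environ.get("API_KEY")

# Paths - Validate (is_relative_to requires Python 3.9+)
base = Path("/data").resolve()
file_path = (base / filename).resolve()
if not file_path.is_relative_to(base):
    raise ValueError("Invalid path")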
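
The path check above as a reusable helper, run against constructed inputs that cover "..", an absolute filename, a sibling directory sharing the base's prefix, and a symlink. This is an added example, not part of the original skill; safe_join, demo and the directory layout are hypothetical.

```python
# Added example: safe_join/demo are hypothetical names, inputs are constructed.
import os
import tempfile
from pathlib import Path


def safe_join(base_dir, filename):
    """Return the resolved path of filename under base_dir, or raise ValueError."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the comparison below
    # is made on the real target rather than on the string the caller sent.
    candidate = (base / filename).resolve()
    # is_relative_to() (Python 3.9+) compares path components, so a sibling
    # such as /data-evil is not accepted as being inside /data.
    if not candidate.is_relative_to(base):
        raise ValueError(f"path escapes {base}: {filename!r}")
    return candidate


def demo():
    """Run constructed inputs through safe_join; return {input: accepted}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "data"
        base.mkdir()
        (base / "report.txt").write_text("ok")
        (root / "data-evil").mkdir()           # sibling sharing the prefix
        (root / "secret.txt").write_text("x")  # file outside the base
        inputs = ["report.txt", "sub/../report.txt", "../secret.txt",
                  "../data-evil/x", str(root / "secret.txt")]
        try:
            # Symlink inside base whose target lies outside it.
            os.symlink(root / "secret.txt", base / "link.txt")
            inputs.append("link.txt")
        except (OSError, NotImplementedError):
            pass  # symlinks unavailable on this platform
        for name in inputs:
            try:
                safe_join(base, name)
                results[name] = True
            except ValueError:
                results[name] = False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("ALLOW" if ok else "DENY ", name)
```

An absolute filename replaces the base entirely when joined with "/", which is why the check has to run on the resolved result and not on the input string.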

CI Integration

yaml
# .github/workflows/security.yml
- run: bandit -r src/ -ll
- run: pip-audit
- run: detect-secrets scan --all-files

For detailed patterns, see:

Audit Checklist

code
Code:
- [ ] No SQL injection (parameterized queries)
- [ ] No command injection (no shell=True)
- [ ] No hardcoded secrets
- [ ] No weak crypto (MD5/SHA1)
- [ ] Input validation on external data
- [ ] Path traversal prevention

Dependencies:
- [ ] pip-audit clean
- [ ] Minimal dependencies
- [ ] From trusted sources

CI:
- [ ] Security scan on every PR
- [ ] Weekly dependency scan