Python
Vulkro does full source analysis for Python. It extracts endpoints across the major web frameworks, tracks request data through call chains to dangerous sinks, and matches PyPI dependencies against the local CVE bundle. Python is in the Free tier (an account and sign-in are still required to scan; see Accounts).
Project detection
Vulkro recognises Python from its source files and dependency manifests. It
resolves versions from poetry.lock and Pipfile.lock where present.
vulkro scan .
vulkro discover .
Frameworks
Endpoint extraction understands:
- FastAPI
- Flask
- Django
- Django REST Framework (DRF)
- Django Ninja
- Starlette
- aiohttp
- Tornado
- Litestar
Route prefixes are correlated so recorded paths match what the server serves:
FastAPI include_router(prefix=...), Flask Blueprint(url_prefix=...), and
Django urls.py include trees are all resolved into full paths.
Cross-cutting surfaces also covered: GraphQL (Strawberry, graphene), gRPC, and Starlette WebSockets.
Access model
Endpoints carry an AuthTier, scopes, and tenant-scoping, shared with the
other analysed languages, and feed the OWASP API Top 10 checks (BOLA,
broken auth, resource consumption, inventory). See
OWASP API Top 10.
Taint analysis
Vulkro runs an interprocedural taint pass for Python. Sources include
flask.request.*, Django request.GET / request.POST, FastAPI
request.json() / request.form() / request.query_params, and
route-handler parameters. Sinks include cursor.execute / engine.execute /
session.execute without parameter binding, subprocess.run(shell=True),
eval, pickle.loads, yaml.load(..., Loader=yaml.Loader),
requests.get(...) (SSRF), and redirect(...) (open redirect). Findings carry
the source-to-sink hop chain.
Loop-carried taint is off by default; enable the worklist engine with
VULKRO_TAINT_CFG=1. See Taint analysis for the
full model and limits.
Dependencies
PyPI dependencies from requirements*.txt, Pipfile, and pyproject.toml
(resolved via poetry.lock / Pipfile.lock) are matched against the local
CVE bundle. Python is covered by the PyPI reachability annotation: CVE findings
for a curated set of packages are tagged [reachable] or [unreachable] by
call-shape. See Dependencies and CVEs.
Useful commands
vulkro scan .
vulkro discover . --format json
vulkro dataflow .
vulkro explain PY-TAINT-SQL-001