Skip to main content

Python

Vulkro does full source analysis for Python. It extracts endpoints across the major web frameworks, tracks request data through call chains to dangerous sinks, and matches PyPI dependencies against the local CVE bundle. Python is in the Free tier (an account and sign-in are still required to scan; see Accounts).

Project detection

Vulkro recognises Python from its source files and dependency manifests. It resolves versions from poetry.lock and Pipfile.lock where present.

vulkro scan .
vulkro discover .

Frameworks

Endpoint extraction understands:

  • FastAPI
  • Flask
  • Django
  • Django REST Framework (DRF)
  • Django Ninja
  • Starlette
  • aiohttp
  • Tornado
  • Litestar

Route prefixes are correlated so recorded paths match what the server serves: FastAPI include_router(prefix=...), Flask Blueprint(url_prefix=...), and Django urls.py include trees are all resolved into full paths.

Cross-cutting surfaces also covered: GraphQL (Strawberry, graphene), gRPC, and Starlette WebSockets.

Access model

Endpoints carry an AuthTier, scopes, and tenant-scoping, shared with the other analysed languages, and feed the OWASP API Top 10 checks (BOLA, broken auth, resource consumption, inventory). See OWASP API Top 10.

Taint analysis

Vulkro runs an interprocedural taint pass for Python. Sources include flask.request.*, Django request.GET / request.POST, FastAPI request.json() / request.form() / request.query_params, and route-handler parameters. Sinks include cursor.execute / engine.execute / session.execute without parameter binding, subprocess.run(shell=True), eval, pickle.loads, yaml.load(..., Loader=yaml.Loader), requests.get(...) (SSRF), and redirect(...) (open redirect). Findings carry the source-to-sink hop chain.

Loop-carried taint is off by default; enable the worklist engine with VULKRO_TAINT_CFG=1. See Taint analysis for the full model and limits.

Dependencies

PyPI dependencies from requirements*.txt, Pipfile, and pyproject.toml (resolved via poetry.lock / Pipfile.lock) are matched against the local CVE bundle. Python is covered by the PyPI reachability annotation: CVE findings for a curated set of packages are tagged [reachable] or [unreachable] by call-shape. See Dependencies and CVEs.

Useful commands

vulkro scan .
vulkro discover . --format json
vulkro dataflow .
vulkro explain PY-TAINT-SQL-001