Vuln is a Python-based security tool designed to help developers ensure their code adheres to ethical and secure coding practices. It provides an easy-to-use, interactive command-line interface (CLI) for scanning Python codebases and dependencies for common security vulnerabilities, potential bugs, and bad practices.
With Vuln, developers can quickly identify issues such as hardcoded credentials, unsafe function use, outdated dependencies, or other security risks that may compromise their application. The tool integrates several popular security and linting tools, making it a one-stop shop for improving Python code quality.
Vuln supports the following tools for code analysis:
- Bandit: Scans Python code for security issues like hardcoded passwords, insecure functions, and potential SQL injection vulnerabilities. Learn more here.
- Checkov: Scans infrastructure-as-code (IaC) files (e.g., Terraform) for misconfigurations that could lead to security issues. Learn more here.
- Safety: Checks project dependencies for known vulnerabilities in third-party libraries. Learn more here.
- Trufflehog: Scans code for secrets (API keys, credentials, etc.) that may have been accidentally committed. Learn more here.
- Flake8 (with dlint): Combines linting and code style enforcement with security-focused linting rules via dlint. Learn more here and here.
- Mypy: Performs static type checking to ensure type safety in Python code. Learn more here.
- Radon: Measures code complexity, helping to identify overly complex code that can be error-prone. Learn more here.
- Pylint: Analyzes Python code for potential errors, bad practices, and coding standard violations. Learn more here.
The tool features:
- Interactive CLI: Choose which tools to run, select paths interactively, and view detailed scan results.
- Error Handling: Clear and informative error messages help you resolve issues quickly.
- Modular Design: Easily extend the tool to include additional scanners or analysis tools.
-
Clone the repository:
git clone https://github.com/yourusername/vuln.git cd vuln
-
Create and activate a virtual environment:
python -m venv venv source venv/bin/activate # On macOS/Linux venv\Scripts\activate # On Windows
-
Install the required dependencies:
pip install -r requirements.txt
To use the interactive CLI, run the following command:
python .\main.py
The CLI will guide you through selecting the desired tests, tools, and paths. You can choose to run individual tools such as Bandit or Safety or run all tests at once.
You will be greeted with a welcome message and an interactive menu. The steps below outline the typical usage:
-
Start Test: Select this option to begin scanning your code.
-
Select Tests: You can either:
- Run All Tests: This will run all available tests (e.g., Bandit, Safety).
- Select Individual Tests: Choose from tools like Bandit, Safety, Checkov, and others.
-
Specify File or Directory: You will be prompted to enter the file path or directory to scan. For example:
../path_to_project_or_file
-
Results Display: The results will be shown in a table format, highlighting any security issues found in the code, along with severity and confidence levels.
-
Next Step: After viewing the results, you can either:
- Run another test.
- Exit the CLI.
When using the Safety tool, Vuln expects to scan a requirements.txt file located in the root of your project. If your project uses a different file or the requirements file is stored elsewhere, you will be prompted to specify the path manually. For example: ..\custom\path\to\requiements.txt
The results are JSON-parsed, making it easy to further process or integrate into other tools if necessary.
Unit tests are provided to verify the functionality of the Bandit module. You can run the tests using:
python -m unittest tests.test_bandit_runner
Otherwise you can run this command:
python -m unittest discover -s tests
This command will run all unit tests and ensure that the module works as expected.
To maintain a clean and organized codebase, we use the following Git branching strategy:
- main: Contains production-ready code.
- develop: Integration branch for development features.
- feature/bandit-module: Dedicated branch for the Bandit security scanner module.
All new features should be developed in their own feature branches and merged into develop
after review and testing.
Contributions are welcome! Please follow these steps:
- Fork the repository.
- Create a feature branch:
Copy code git checkout -b feature/your-feature
- Commit your changes:
Copy code git commit -m 'Add your feature'
- Push the branch:
Copy code git push origin feature/your-feature
- Open a pull request to the
develop
branch.
This project is licensed under the MIT License. See the LICENSE file for more information.