Static Application Security Testing (SAST): Simplicity Matters
Simple, Local, FOSS: Reclaiming Python Security from the SaaS Giants
I have worked on delivering large-scale IT systems for more than 25 years. I spent my early years as an engineer, and for the last 20 years, I have worked in various architecture roles, steering development and solving complex issues. But some things never change:Cybersecurity remains a difficult and complex field. It requires expertise across many different areas, such as business and computer sciences.
Security risks are challenging to manage and control; despite the costs and resources invested, major disasters due to security breaches are always a possibility.
Python code plays a central role in modern computing. It is deeply integrated into the operations of millions of companies and supports a vast number of software systems and applications globally.
In today’s digital world, cybersecurity remains a critical concern. This applies equally to using or creating Python software: preventing vulnerabilities starts with a solid architecture, but even well-written code, including AI-generated code, is not secure by default.
Validating Python code for potential vulnerabilities is therefore essential, whether you are writing your own programs or relying on code developed by others. A simple and highly effective way to gain quick insight into the security aspects of a Python program is to run a SAST scan (Static Application Security Testing) on the Python code before using it.
Evaluating the security aspects of software is expensive; it requires time and costly resources with specialist knowledge. In my opinion, a simple SAST scan tool for Python should be used by many more people who evaluate, try out, or use Python software.
Doing a SAST scan on a Python package should not take more than a few seconds and should provide immediate insights before one decides whether or not to use a certain software package.
However, the availability of high-quality, maintained FOSS SAST tools for Python is limited. Good security means no “security by obscurity”. My minimal requirements for any effective FOSS security tool are:
FOSS-licensed: The product must be released under a valid Free and Open Source Software (FOSS) licence, ideally one approved by the Open Source Initiative (OSI).
Local-first deployment: The tool should run locally or on a server within your own security perimeter. SaaS-only solutions, where you have no control over the execution environment or the handling of your source code, should be avoided.
Actively maintained: The software must be actively maintained, with responsible vulnerability handling and visible issue management.
Public version control repository: The source code must be publicly available in a version-controlled repository, with a URL that can be accessed directly to view the code.
Naturally, I would like to see all FOSS security projects carry an OpenSSF Best Practices badge to showcase that all basic requirements for security projects are met. However, the popularity of this project among FOSS security tool developers remains low.
Most commercial SAST tools available for Python are bloated with functionality and, in practice, are not easy for occasional users to navigate. Python is a specialist programming language with several unique constructs.
SAST tools that claim to support a vast range of languages often suffer from significant limitations. The danger is that these shortcomings are hidden, providing a false sense of security. Because each language has its own unique Abstract Syntax Tree (AST) used to scan for vulnerabilities, an “all-in-one” solution rarely performs as well as a dedicated one; a “holy grail” tool simply does not exist.
Some commercial SAST scanners aim to appear open source but require you to create your own complex validation rules. These rules must be authored in YAML and often cannot be shared or published publicly for the benefit of the community. There are even paid courses dedicated solely to writing rules for these scanners. In these products, the basic rules for Python SAST scanning are often extremely limited, meaning the tool’s effectiveness depends entirely on your own ability to draft complex rules. I find this approach really insane and a criminal practice.
Why not abandon my “local-first” and FOSS principles for an easier AI-driven Python SAST scan? The truth is AI security tools for Python security testing are just far from good enough. In the best case scenario, you’ll only be disappointed. But the risk of a false sense of security is enormous.
This is why I created a new, specific Python SAST scanner: a tool that can be relied upon and is simple to use. Too often, over-complicated security tools end up undermining security rather than improving it. The goal should be to do the fundamentals well—ensuring strong foundations rather than adding unnecessary complexity. The true power of my scanner, Python Code Audit, lies in its focused scope.
I encourage you to read more about the Project Philosophy and my Design Approach. More importantly, I invite you to try this new scanner on the various Python packages you evaluate and use.
You can install Python Code Audit via pip:
pip install -U codeauditAnd then perform a SAST scan by running the command:
codeaudit filescan <package-name|directory|file> [reportname.html]You can perform a SAST scan directly on a Python package available on PyPI.org without downloading it first. This tool is safe to use: no code is executed, as the Python code is analysed safely without being run.