Pylint Secure Coding Standard Plugin

pylint plugin that enforces some secure coding standards.


pip install pylint-secure-coding-standard

Pylint codes

Code Description
R8000 Use os.path.realpath() instead of os.path.abspath() and os.path.relpath()
E8001 Avoid using exec() and eval()
E8002 Avoid using os.sytem()
E8003 Avoid using shell=True in subprocess functions or using functions that internally set this
R8004 Avoid using tempfile.mktemp(), prefer tempfile.mkstemp() instead
E8005 Avoid using unsafe PyYAML loading functions
E8006 Avoid using jsonpickle.decode()
C8007 Avoid debug statement in production code
C8008 Avoid assert statements in production code
R8009 Use of builtin open for writing is discouraged in favor of to allow for setting file permissions
E8010 Avoid using os.popen() as it internally uses subprocess.Popen with shell=True
E8011 Use of shlex.quote() should be avoided on non-POSIX platforms
W8012 Avoid using with unsafe permissions permissions

Plugin configuration options

File permissions when using

Since version 1.3.0 you can control whether this plugin favors over the builtin open function when opening files.

    os-open-mode = '0'            # check disabled
    os-open-mode = '0o000'        # check disabled
    os-open-mode = '493'          # all modes from 0 to 0o755
    os-open-mode = '0o755'        # all modes from 0 to 0o755
    os-open-mode = '0o755,'       # only 0o755
    os-open-mode = '0o644,0o755'  # only 0o644 and 0o755

You can also specify this option directly on the command line:

python3 -m pylint --load-plugins=pylint_secure_coding_standard --os-open-mode='0o755'

Pre-commit hook

See pre-commit for instructions

Sample .pre-commit-config.yaml:

  - repo:
    rev: pylint-2.6.0
    -   id: pylint
        args: [--load-plugins=pylint_secure_coding_standard]
        additional_dependencies: ['pylint-secure-coding-standard']