codeaudit 1.6.6__tar.gz → 1.7.0__tar.gz

{codeaudit-1.6.6 → codeaudit-1.7.0}/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Change Log
 
+## Version 1.7.0:
+
+**Added**
+
+* **CI Option:** Added a new Continuous Integration (CI) option. (See [issue #24](https://github.com/nocomplexity/codeaudit/issues/24))
+
+**Documentation**
+
+* **Fixes & Updates:** Minor documentation fixes and content updates.
+
+
+
 ## Version 1.6.6:
 
 **Added:**

{codeaudit-1.6.6 → codeaudit-1.7.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 1.6.6
+Version: 1.7.0
 Summary: A modern Python security source code analyzer (SAST) based on distrust.
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues

{codeaudit-1.6.6 → codeaudit-1.7.0}/docs/_toc.yml

@@ -10,7 +10,11 @@ parts:
   - file: whatissast
   - file: whysast
   - url: https://securitytesting.nocomplexity.com/ 
-    title: Mastering Security Testing for Python
+    title: Security Testing for Python
+  - url: http://securitybydesign.nocomplexity.com/
+    title: Security By Design
+  - url: https://nocomplexity.github.io/pythonsecurity/
+    title: Python Security Handbook
   
   
 
@@ -27,13 +31,12 @@ parts:
     sections:
     - file: data_egress_implementation
   - file: issues
-  - file: markingissues
-  - file: securecoding
+  - file: markingissues  
   - file: complexitycheck
   - file: warnings
   - file: handling_errors
-  - file: implementedvalidations
-  - file: validatetips
+  - file: cimode
+  - file: implementedvalidations  
   - file: checksinformation
     sections:
     - file: checks/assert_check

codeaudit-1.7.0/docs/cimode.md

@@ -0,0 +1,276 @@
+# CI Integration
+
+Python Code Audit is a fast, local-first SAST tool for analysing Python code and detecting potential security weaknesses. While it is particularly useful for auditing third-party code, it should also be run regularly on your own projects to ensure continuous security validation.
+
+Python Code Audit integrates easily into CI/CD pipelines and standard code quality workflows. A CI job can be configured in just a few steps, supporting our goal of simple, effective security tooling. This allows you to focus on reviewing findings and applying fixes based on [Security by Design principles](https://nocomplexity.github.io/securitybydesign/securityprinciples/).
+
+If you have improvements or CI configuration tips, contributions via pull requests to this documentation are welcome.
+
+:::{note}
+[Data Exfiltration Detection functionality](data_exfiltration_detection) is not yet available in CI pipelines.
+:::
+
+
+:::{admonition} By default, CI scan mode uses the same analysis engine as the CLI version
+:class: important
+
+So Keep in mind:
+
+* [Some directories are excluded from SAST scanning](excluded_directories)
+* Findings marked with [markissues-label](markissues-label) are ignored by default in CI mode
+:::
+
+
+## CI Mode Command
+
+CI mode is enabled using the following CLI command:
+
+```bash
+codeaudit cimode [file|directory] [--output text|html|json] [--nosec True|False]
+```
+
+### Default behaviour
+
+* Output format: `text`
+* `nosec=True` (ignores lines marked with `# nosec`)
+
+
+
+### Quick Test Run
+
+You can test CI mode locally before integrating it into your pipeline:
+
+```bash
+codeaudit cimode .
+```
+
+Here, `.` represents the current working directory.
+
+
+### Command Options
+
+
+| Option         | Description                                                |
+| -------------- | ---------------------------------------------------------- |
+| `-o, --output` | Output format: `text`, `html`, or `json` (default: `text`) |
+| `-n, --nosec`  | Ignore findings marked with `# nosec` (default: `True`)    |
+
+
+
+
+## GitLab CI Integration
+
+
+Integrating Python Code Audit with [GitLab.com](https://gitlab.com) is straightforward and can be completed in just a few minutes.
+
+For GitLab CI jobs, it is recommended to always save **artifacts**, even when the job fails. This ensures that scan results are available for review in all cases. It is especially useful when using the HTML report format, as it allows you to quickly view findings directly in the browser via the CI artifacts interface.
+
+If needed, you can also export the `json` output for further processing in a separate secure environment, for example to integrate results into dashboards, ticketing systems, or additional analysis pipelines.
+
+
+### HTML report example 
+
+
+```yml
+# SAST scan with Python Code Audit on GitLab.com
+image: python:3.13-slim
+
+stages:
+  - scan
+
+codeaudit-scan:
+  stage: scan
+
+  before_script:
+    - python -m pip install --upgrade pip
+
+  script:
+    - pip install codeaudit
+    - codeaudit --version
+    - codeaudit cimode . --output html > codeaudit-output.html
+    
+  allow_failure: true
+
+  artifacts:
+    when: always
+    name: "codeaudit-${CI_COMMIT_REF_NAME}"
+    paths:
+      - codeaudit-output.html
+    expire_in: 1 week
+    expose_as: "Python Code Audit Report"
+```
+
+If a scan detects security weaknesses, the job will fail by default. In many workflows, it is common to allow CI failures so that issues are visible without blocking all development activity.
+
+After the job completes, results are available in the CI **artifacts**. Use *Browse artifacts* to open the HTML report directly in your browser.
+
+
+### Plain Text Output Example
+
+For simple readable output in CI logs:
+
+```yaml
+codeaudit-scan:
+  stage: scan
+
+  before_script:
+    - python -m pip install --upgrade pip
+
+  script:
+    - pip install codeaudit
+    - codeaudit --version
+    - codeaudit cimode . | tee codeaudit-output.txt
+
+  allow_failure: true
+
+  artifacts:
+    when: always
+    name: "codeaudit-${CI_COMMIT_REF_NAME}"
+    paths:
+      - codeaudit-output.txt
+    expire_in: 1 week
+    expose_as: "Python Code Audit Report"
+```
+
+
+### JSON Output Example
+
+For structured processing or integration with other tools:
+
+```yml
+codeaudit-scan:
+  stage: scan
+
+  before_script:
+    - python -m pip install --upgrade pip
+
+  script:
+    - pip install codeaudit
+    - codeaudit --version
+    - codeaudit cimode . --output json | tee codeaudit-output.json
+
+  allow_failure: true
+
+  artifacts:
+    when: always
+    name: "codeaudit-${CI_COMMIT_REF_NAME}"
+    paths:
+      - codeaudit-output.json
+    expire_in: 1 week
+    expose_as: "Python Code Audit Report"
+```
+
+
+## GitHub.com CI Integration
+
+### For readable output in CI logs
+
+You can use the following example CI configuration:
+
+```yaml
+# SAST scan with Python Code Audit on GitHub Actions
+
+name: Python Code Audit SAST Scan
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  codeaudit-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Upgrade pip
+        run: python -m pip install --upgrade pip
+
+      - name: Install Python Code Audit
+        run: pip install codeaudit
+
+      - name: Show version
+        run: codeaudit --version
+
+      - name: Run SAST scan
+        run: |
+           codeaudit cimode . --output text | tee codeaudit-output.text
+           exit ${PIPESTATUS[0]}
+        
+      - name: Upload scan artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: codeaudit-${{ github.ref_name }}
+          path: codeaudit-output.text
+
+```
+
+
+### HTML output 
+
+
+```yaml
+# SAST scan with Python Code Audit on GitHub Actions
+
+name: Python Code Audit SAST Scan
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  codeaudit-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Upgrade pip
+        run: python -m pip install --upgrade pip
+
+      - name: Install Python Code Audit
+        run: pip install codeaudit
+        
+      - name: Show version
+        run: codeaudit --version
+
+      - name: Run SAST scan (HTML output)
+        run: codeaudit cimode . --output html > codeaudit-output.html
+
+      - name: Upload scan artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: codeaudit-${{ github.ref_name }}
+          path: codeaudit-output.html
+
+```
+
+On GitHub Actions, HTML reports are **not rendered directly in the browser** like a live page. They are stored as **workflow artifacts**. 
+
+
+To download SAST result artifacts from the workflow run:
+
+After the job finishes:
+
+1. Go to your repository on GitHub
+2. Open the **Actions** tab
+3. Select the workflow run
+4. Scroll to the **Artifacts** section
+5. Download the artifact (usually a `.zip` file)
+6. Extract it locally
+7. Open `codeaudit-output.html` in your browser
+
+
+

{codeaudit-1.6.6 → codeaudit-1.7.0}/docs/codeauditcommands.md

@@ -1,6 +1,6 @@
 % THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!
 # Commands Overview
-Python Code Audit commands for: version: 1.6.5
+Python Code Audit commands for: version: 1.7.0
 ```
 ----------------------------------------------------
  _                    __             _             

{codeaudit-1.6.6 → codeaudit-1.7.0}/docs/examples/codeauditchecks.html

@@ -252,10 +252,28 @@ footer {
       <td>Assertions are for debugging and development. Assertions can be disabled during runtime. Use in production can introduce vulnerabilities.</td>
     </tr>
     <tr>
-      <td>Base64 Encoding</td>
-      <td>base64</td>
+      <td>Base64 Decoding</td>
+      <td>base64.b64decode</td>
+      <td>Medium</td>
+      <td>Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.</td>
+    </tr>
+    <tr>
+      <td>Base64 Decoding</td>
+      <td>base64.b64encode</td>
       <td>Low</td>
-      <td>Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.</td>
+      <td>Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.</td>
+    </tr>
+    <tr>
+      <td>Base64 Decoding</td>
+      <td>base64.b85encode</td>
+      <td>Low</td>
+      <td>Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.</td>
+    </tr>
+    <tr>
+      <td>Base64 Decoding</td>
+      <td>base64.z85decode</td>
+      <td>Medium</td>
+      <td>Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.</td>
     </tr>
     <tr>
       <td>BZ2 File Handling</td>
@@ -744,4 +762,4 @@ footer {
       <td>Vulnerable to path traversal attacks if used with untrusted archives.</td>
     </tr>
   </tbody>
-</table><br><p>Number of implemented security validations:<b>84</b></p><p>Version of codeaudit: <b>1.6.5</b><p>Because Python and cybersecurity are constantly changing, issue reports <b>SHOULD</b> specify the codeaudit version used.</p><p><b>Disclaimer:</b> <i>This SAST tool <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> provides a powerful, automatic security analysis for Python source code. However, it's not a substitute for human review in combination with business knowledge. Undetected vulnerabilities may still exist.</i></p><p>This Python security report was created on: <b>2026-05-11 16:42</b> with <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> version <b>1.6.5</b></p><hr><footer><div class="footer-links">Check the <a href="https://nocomplexity.com/documents/codeaudit/intro.html" target="_blank">documentation</a> for help on found issues.<br>Codeaudit is made with <span class="heart">&#10084;</span> by cyber security professionals who advocate for <a href="https://nocomplexity.com/simplify-security/" target="_blank">open simple security solutions</a>.<br><a href="https://nocomplexity.com/documents/codeaudit/CONTRIBUTE.html" target="_blank">Join the community</a> and contribute to make this tool better!</div></footer></div></body></html>
+</table><br><p>Number of implemented security validations:<b>87</b></p><p>Version of codeaudit: <b>1.7.0</b><p>Because Python and cybersecurity are constantly changing, issue reports <b>SHOULD</b> specify the codeaudit version used.</p><p><b>Disclaimer:</b> <i>This SAST tool <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> provides a powerful, automatic security analysis for Python source code. However, it's not a substitute for human review in combination with business knowledge. Undetected vulnerabilities may still exist.</i></p><p>This Python security report was created on: <b>2026-06-10 15:54</b> with <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> version <b>1.7.0</b></p><hr><footer><div class="footer-links">Check the <a href="https://nocomplexity.com/documents/codeaudit/intro.html" target="_blank">documentation</a> for help on found issues.<br>Codeaudit is made with <span class="heart">&#10084;</span> by cyber security professionals who advocate for <a href="https://nocomplexity.com/simplify-security/" target="_blank">open simple security solutions</a>.<br><a href="https://nocomplexity.com/documents/codeaudit/CONTRIBUTE.html" target="_blank">Join the community</a> and contribute to make this tool better!</div></footer></div></body></html>

{codeaudit-1.6.6 → codeaudit-1.7.0}/docs/examples/demoscan.json

@@ -1,7 +1,7 @@
 {
   "name": "Python_Code_Audit",
-  "version": "1.6.5",
-  "generated_on": "2026-05-11 16:42",
+  "version": "1.7.0",
+  "generated_on": "2026-06-10 15:54",
   "file_security_info": {
     "0": {
       "FileName": "demofile.py",
@@ -212,6 +212,20 @@
           "info": "This function can be used to execute arbitrary code or crash the Python interpreter.",
           "code": "<pre><code class='language-python'>compile(&#x27;nasty-string&#x27; ,&#x27;malware.bin&#x27;,mode=single, flags=0, dont_inherit=False, optimize=-1)</code></pre>"
         },
+        "238": {
+          "line": 238,
+          "validation": "base64.b64encode",
+          "severity": "Low",
+          "info": "Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.",
+          "code": "<pre><code class='language-python'>import base64\nencoded = base64.b64encode(b&#x27;data to be encoded&#x27;)\ndata = base64.b64decode(encoded)</code></pre>"
+        },
+        "239": {
+          "line": 239,
+          "validation": "base64.b64decode",
+          "severity": "Medium",
+          "info": "Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.",
+          "code": "<pre><code class='language-python'>encoded = base64.b64encode(b&#x27;data to be encoded&#x27;)\ndata = base64.b64decode(encoded)</code></pre>"
+        },
         "244": {
           "line": 244,
           "validation": "http.server.BaseHTTPRequestHandler",
@@ -459,20 +473,6 @@
           "info": "Parsing untrusted logging configurations can lead to vulnerabilities if not handled correctly.",
           "code": "<pre><code class='language-python'>logging.config.fileConfig(fname, defaults=None, disable_existing_loggers=True, encoding=None)\n#&lt;END LOGGING checks&gt;</code></pre>"
         },
-        "238": {
-          "line": 238,
-          "validation": "base64",
-          "severity": "Low",
-          "info": "Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.",
-          "code": "<pre><code class='language-python'>import base64\nencoded = base64.b64encode(b&#x27;data to be encoded&#x27;)\ndata = base64.b64decode(encoded)</code></pre>"
-        },
-        "239": {
-          "line": 239,
-          "validation": "base64",
-          "severity": "Low",
-          "info": "Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.",
-          "code": "<pre><code class='language-python'>encoded = base64.b64encode(b&#x27;data to be encoded&#x27;)\ndata = base64.b64decode(encoded)</code></pre>"
-        },
         "316": {
           "line": 316,
           "validation": "pickle.load",

{codeaudit-1.6.6 → codeaudit-1.7.0}/docs/filescan.md

@@ -33,6 +33,8 @@ Per line a the in construct that can cause a security risks is shown, along with
 
 ![Example view of filescan report](filescan.png)
 
+(excluded_directories)=
+## Excluded directories
 
 :::{note} 
 The `codeaudit filescan` command does **NOT** include all directories. This is done on purpose!

{codeaudit-1.6.6 → codeaudit-1.7.0}/docs/whysast.md

@@ -1,10 +1,14 @@
 # Why Security Testing 
 
-Static Application Security Testing (SAST) is crucial for securing Python applications.
-SAST testing helps proactively identify vulnerabilities directly in the source code. 
+Static Application Security Testing (SAST) is a crucial part of securing Python applications.
 
-Python Static Application Security Testing (SAST) offers significant advantages by analyzing source code directly.
+Cybercriminals continuously develop new techniques to exploit weaknesses in Python code and known vulnerabilities to steal data, cause disruption, or gain unauthorised access. Thoroughly analysing source code for security issues is challenging, time-consuming, and expensive.
 
+This is where SAST proves invaluable. By examining your source code directly, SAST enables you to proactively identify vulnerabilities before they reach production.
+
+Python presents unique security challenges due to its dynamic nature, syntax, and common idioms. Generic multi-language SAST tools often miss Python-specific issues. That’s why specialised Python SAST tools deliver far better results.
+
+**Python Code Audit** makes static security testing fast, reliable, and highly effective. Whether reviewing your own code or assessing third-party Python applications.
 
 
 :::{admonition} Advantages of Security Testing(SAST) on Python code

{codeaudit-1.6.6 → codeaudit-1.7.0}/src/codeaudit/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Maikel Mardjan
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
-__version__ = "1.6.6"
+__version__ = "1.7.0"

{codeaudit-1.6.6 → codeaudit-1.7.0}/src/codeaudit/api_reporting.py

@@ -32,11 +32,11 @@ def total_weaknesses(input_file):
         sast_result = file_info.get("sast_result", {})
         for (
             construct,
-            occurence,
+            occurrence,
         ) in (
             sast_result.items()
-        ):  # occurence is times the construct appears in a single file
-            counter[construct] += len(occurence)
+        ):  # occurrence is times the construct appears in a single file
+            counter[construct] += len(occurrence)
 
     result = dict(counter)
     df = pd.DataFrame(list(result.items()), columns=["call", "count"])