skylos 2.2.2__py3-none-any.whl → 2.2.4__py3-none-any.whl

skylos/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "2.2.2"
+__version__ = "2.2.4"
 
 def analyze(*args, **kwargs):
     from .analyzer import analyze as _analyze

skylos/analyzer.py

@@ -9,6 +9,7 @@ from skylos.visitor import Visitor
 from skylos.constants import ( PENALTIES, AUTO_CALLED )
 from skylos.visitors.test_aware import TestAwareVisitor
 from skylos.rules.secrets import scan_ctx as _secrets_scan_ctx
+from skylos.rules.dangerous import scan_ctx as scan_dangerous
 import os
 import traceback
 from skylos.visitors.framework_aware import FrameworkAwareVisitor, detect_framework_usage
@@ -238,7 +239,7 @@ class Skylos:
                     if method.simple_name == "format" and cls.endswith("Formatter"):
                         method.references += 1
 
-    def analyze(self, path, thr=60, exclude_folders= None, enable_secrets = False):
+    def analyze(self, path, thr=60, exclude_folders= None, enable_secrets = False, enable_dangerous = False):
         files, root = self._get_python_files(path, exclude_folders)
         
         if not files:
@@ -262,6 +263,7 @@ class Skylos:
             modmap[f] = self._module(root, f)
         
         all_secrets = []
+        all_dangers = []
         for file in files:
             mod = modmap[file]
             defs, refs, dyn, exports, test_flags, framework_flags = proc_file(file, mod)
@@ -276,13 +278,23 @@ class Skylos:
 
             if enable_secrets and _secrets_scan_ctx is not None:
                 try:
-                    src_lines = Path(file).read_text(encoding="utf-8", errors="ignore").splitlines(True)
-                    ctx = {"relpath": str(file), "lines": src_lines, "tree": None}
+                    src = Path(file).read_text(encoding="utf-8", errors="ignore")
+                    src_lines = src.splitlines(True)
+                    rel = str(Path(file).relative_to(root))
+                    ctx = {"relpath": rel, "lines": src_lines, "tree": None}
                     findings = list(_secrets_scan_ctx(ctx))
                     if findings:
                         all_secrets.extend(findings)
                 except Exception:
                     pass
+            
+            if enable_dangerous and scan_dangerous is not None:
+                try:
+                    findings = scan_dangerous(root, [file])
+                    if findings:
+                        all_dangers.extend(findings)
+                except Exception:
+                    pass
 
         self._mark_refs()
         self._apply_heuristics() 
@@ -296,7 +308,6 @@ class Skylos:
         for d in sorted(self.defs.values(), key=def_sort_key):
             if shown >= 50:
                 break
-            print(f" type={d.type} refs={d.references} conf={d.confidence} exported={d.is_exported} line={d.line} name={d.name}")
             shown += 1
 
         unused = []
@@ -318,7 +329,12 @@ class Skylos:
 
         if enable_secrets and all_secrets:
             result["secrets"] = all_secrets
+            result["analysis_summary"]["secrets_count"] = len(all_secrets)
         
+        if enable_dangerous and all_dangers:
+            result["dangerous"] = all_dangers
+            result["analysis_summary"]["dangerous_count"] = len(all_dangers)
+
         for u in unused:
             if u["type"] in ("function", "method"):
                 result["unused_functions"].append(u)
@@ -370,13 +386,18 @@ def proc_file(file_or_args, mod=None):
 
         return [], [], set(), set(), dummy_visitor, dummy_framework_visitor
 
-def analyze(path, conf=60, exclude_folders=None, enable_secrets=False):
-    return Skylos().analyze(path,conf, exclude_folders, enable_secrets)
+def analyze(path, conf=60, exclude_folders=None, enable_secrets=False, enable_dangerous=False):
+    return Skylos().analyze(path,conf, exclude_folders, enable_secrets, enable_dangerous)
 
 if __name__ == "__main__":
     if len(sys.argv)>1:
         p = sys.argv[1]
-        confidence = int(sys.argv[2]) if len(sys.argv) >2 else 60
+        
+        if len(sys.argv) > 2:
+            confidence = int(sys.argv[2])
+        else:
+            confidence = 60
+
         result = analyze(p,confidence)
         
         data = json.loads(result)

skylos/cli.py

@@ -43,7 +43,7 @@ def setup_logger(output_file=None):
     
     formatter = CleanFormatter()
     
-    console_handler = logging.StreamHandler(sys.stdout)
+    console_handler = logging.StreamHandler(sys.stderr)
     console_handler.setFormatter(formatter)
     logger.addHandler(console_handler)
     
@@ -270,6 +270,9 @@ def main():
     parser.add_argument("--secrets", action="store_true",
                    help="Scan for API keys. Off by default.")
     
+    parser.add_argument("--danger", action="store_true",
+                   help="Scan for security issues. Off by default.")
+    
     args = parser.parse_args()
 
     if args.list_default_excludes:
@@ -305,6 +308,11 @@ def main():
 
     try:
         result_json = run_analyze(args.path, conf=args.confidence, enable_secrets=bool(args.secrets), exclude_folders=list(final_exclude_folders))
+
+        if args.json:
+            print(result_json)
+            return
+
         result = json.loads(result_json)
 
     except Exception as e:
@@ -312,8 +320,14 @@ def main():
         sys.exit(1)
 
     if args.json:
-        logger.info(result_json)
+        lg = logging.getLogger('skylos')
+        for h in list(lg.handlers):
+            if isinstance(h, logging.StreamHandler):
+                lg.removeHandler(h)
+        print(result_json)
         return
+    
+    result = json.loads(result_json)
 
     unused_functions = result.get("unused_functions", [])
     unused_imports = result.get("unused_imports", [])

skylos/codemods.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 import libcst as cst
 from libcst.metadata import PositionProvider
+from libcst.helpers import get_full_name_for_node
 
 class _CommentOutBlock(cst.CSTTransformer):
 
@@ -31,14 +32,16 @@ class _CommentOutFunctionAtLine(_CommentOutBlock):
         return pos and pos.start.line == self.target_line
 
     def leave_FunctionDef(self, orig: cst.FunctionDef, updated: cst.FunctionDef):
-        if self._is_target(orig) and (orig.name.value == self.func_name):
+        target = self.func_name.split(".")[-1]
+        if self._is_target(orig) and (orig.name.value == target):
             self.changed = True
             pos = self.get_metadata(PositionProvider, orig)
             return cst.FlattenSentinel(self._comment_block(pos.start.line, pos.end.line))
         return updated
 
     def leave_AsyncFunctionDef(self, orig: cst.AsyncFunctionDef, updated: cst.AsyncFunctionDef):
-        if self._is_target(orig) and (orig.name.value == self.func_name):
+        target = self.func_name.split(".")[-1] 
+        if self._is_target(orig) and (orig.name.value == target):
             self.changed = True
             pos = self.get_metadata(PositionProvider, orig)
             return cst.FlattenSentinel(self._comment_block(pos.start.line, pos.end.line))
@@ -73,7 +76,9 @@ class _CommentOutImportAtLine(_CommentOutBlock):
         removed_for_comment= []
         for alias in list(aliases):
             bound = _bound_name_for_import_alias(alias)
-            if bound == self.target_name:
+            name_code = get_full_name_for_node(alias.name)
+            tail = name_code.split(".")[-1]
+            if self.target_name in (bound, tail):
                 self.changed = True
                 removed_for_comment.append(self._render_single_alias_text(head, alias, is_from))
             else:
@@ -175,7 +180,9 @@ class _RemoveImportAtLine(cst.CSTTransformer):
         kept = []
         for alias in aliases:
             bound = _bound_name_for_import_alias(alias)
-            if bound == self.target_name:
+            name_code = get_full_name_for_node(alias.name) or ""
+            tail = name_code.split(".")[-1]
+            if self.target_name in (bound, tail):
                 self.changed = True
                 continue
             kept.append(alias)
@@ -213,13 +220,15 @@ class _RemoveFunctionAtLine(cst.CSTTransformer):
         return pos and pos.start.line == self.target_line
 
     def leave_FunctionDef(self, orig: cst.FunctionDef, updated: cst.FunctionDef):
-        if self._is_target(orig) and (orig.name.value == self.func_name):
+        target = self.func_name.split(".")[-1]
+        if self._is_target(orig) and (orig.name.value == target):
             self.changed = True
             return cst.RemoveFromParent()
         return updated
 
     def leave_AsyncFunctionDef(self, orig: cst.AsyncFunctionDef, updated: cst.AsyncFunctionDef):
-        if self._is_target(orig) and (orig.name.value == self.func_name):
+        target = self.func_name.split(".")[-1]
+        if self._is_target(orig) and (orig.name.value == target):
             self.changed = True
             return cst.RemoveFromParent()
 

skylos/rules/dangerous.py

@@ -0,0 +1,135 @@
+from __future__ import annotations
+import ast
+from pathlib import Path
+
+ALLOWED_SUFFIXES = (".py", ".pyi", ".pyw")
+
+## will expand this list later with more rules 
+DANGEROUS_CALLS = {
+    "eval": ("SKY-D201", "HIGH", "Use of eval()"),
+    "exec": ("SKY-D202", "HIGH", "Use of exec()"),
+    "os.system": ("SKY-D203", "MEDIUM", "Use of os.system"),
+    "pickle.load": ("SKY-D204", "CRITICAL", "Untrusted deserialization via pickle.load"),
+    "pickle.loads": ("SKY-D205", "CRITICAL", "Untrusted deserialization via pickle.loads"),
+    "yaml.load": ("SKY-D206", "HIGH", "yaml.load without SafeLoader"),
+    "hashlib.md5": ("SKY-D207", "MEDIUM", "Weak hash (MD5)"),
+    "hashlib.sha1": ("SKY-D208", "MEDIUM", "Weak hash (SHA1)"),
+    ## this is for arguments like process
+    "subprocess.*": ("SKY-D209", "HIGH", "subprocess.* with shell=True",
+                     {"kw_equals": {"shell": True}}),
+
+    "requests.*": ("SKY-D210", "HIGH", "requests call with verify=False",
+                   {"kw_equals": {"verify": False}}),
+}
+
+def _matches_rule(name, rule_key):
+    if not name:
+        return False
+    if rule_key.endswith(".*"):
+        return name.startswith(rule_key[:-2] + ".")
+    return name == rule_key
+
+def _kw_equals(node: ast.Call, requirements):
+    if not requirements:
+        return True
+    kw_map = {}
+    keywords = node.keywords or []
+    for kw in keywords:
+        if kw.arg:
+            kw_map[kw.arg] = kw.value
+        
+    for key, expected in requirements.items():
+        val = kw_map.get(key)
+        if not isinstance(val, ast.Constant):
+            return False
+        if val.value is not expected:
+            return False
+    return True
+
+def qualified_name_from_call(node: ast.Call):
+    f = node.func
+    parts = []
+    while isinstance(f, ast.Attribute):
+        parts.append(f.attr)
+        f = f.value
+    if isinstance(f, ast.Name):
+        parts.append(f.id)
+        parts.reverse()
+        return ".".join(parts)
+    if isinstance(f, ast.Name):
+        return f.id
+    return None
+
+def _yaml_load_without_safeloader(node: ast.Call):
+    name = qualified_name_from_call(node)
+    if name != "yaml.load":
+        return False
+
+    for kw in node.keywords or []:
+        if kw.arg == "Loader":
+            try:
+                text = ast.unparse(kw.value)
+                return "SafeLoader" not in text
+            except Exception:
+                return True
+    return True
+
+def _add_finding(findings,
+                 file_path: Path,
+                 node: ast.AST,
+                 rule_id,
+                 severity,
+                 message):
+    findings.append({
+        "rule_id": rule_id,
+        "severity": severity,
+        "message": message,
+        "file": str(file_path),
+        "line": getattr(node, "lineno", 1),
+        "col": getattr(node, "col_offset", 0),
+    })
+
+def scan_ctx(root, files):
+    findings = []
+
+    for file_path in files:
+        if file_path.suffix.lower() not in ALLOWED_SUFFIXES:
+            continue
+
+        try:
+            src = file_path.read_text(encoding="utf-8", errors="ignore")
+            tree = ast.parse(src)
+        except Exception:
+            continue
+
+        for node in ast.walk(tree):
+            if not isinstance(node, ast.Call):
+                continue
+
+            name = qualified_name_from_call(node)
+            if not name:
+                continue
+
+            for rule_key, tup in DANGEROUS_CALLS.items():
+                rule_id, severity, message, *rest = tup
+
+                if rest:
+                    opts = rest[0]
+                else:
+                    opts = None
+
+                if not _matches_rule(name, rule_key):
+                    continue
+                
+                if rule_key == "yaml.load":
+                    if not _yaml_load_without_safeloader(node):
+                        continue
+
+                if opts and "kw_equals" in opts:
+                    if not _kw_equals(node, opts["kw_equals"]):
+                        continue
+
+                _add_finding(findings, file_path, node, rule_id, severity, message)
+                break
+
+    return findings

skylos/rules/secrets.py

@@ -1,7 +1,6 @@
 from __future__ import annotations
 import re, ast
 from math import log2
-from typing import Dict, Any, Iterable, List, Optional
 
 __all__ = ["scan_ctx"]
 
@@ -23,7 +22,15 @@ GENERIC_VALUE = re.compile(r"""(?ix)
     (?:
       (token|api[_-]?key|secret|password|passwd|pwd|bearer|auth[_-]?token|access[_-]?token)
       \s*[:=]\s*(?P<q>['"])(?P<val>[^'"]{16,})(?P=q)
-    )|(?P<bare>[A-Za-z0-9_\-]{24,})
+    )
+    |
+    (?P<bare>
+      (?=[A-Za-z0-9_-]{32,}\b)
+      (?=.*[A-Z])
+      (?=.*[a-z])
+      (?=.*\d)
+      [A-Za-z0-9_-]+
+    )
 """)
 
 SAFE_TEST_HINTS = {
@@ -31,8 +38,12 @@ SAFE_TEST_HINTS = {
     "changeme", "password", "secret", "not_a_real", "do_not_use",
 }
 
+_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
+
 IGNORE_DIRECTIVE = "skylos: ignore[SKY-S101]"
-DEFAULT_MIN_ENTROPY = 3.6
+DEFAULT_MIN_ENTROPY = 3.9
+
+IS_TEST_PATH = re.compile(r"(^|/)(tests?(/|$)|test_[^/]+\.py$)")
 
 def _entropy(s):
     if len(s) == 0:
@@ -65,6 +76,9 @@ def _mask(tok):
         last_part = tok[-4:]
         return first_part + "…" + last_part
 
+def _looks_like_identifier(s):
+    return bool(_IDENTIFIER.fullmatch(s))
+
 def _docstring_lines(tree):
     if tree is None:
         return set()
@@ -108,12 +122,15 @@ def _docstring_lines(tree):
     return docstring_line_numbers
 
 def scan_ctx(ctx, *, min_entropy= DEFAULT_MIN_ENTROPY, scan_comments= True,
-              scan_docstrings= True, allowlist_patterns= None, ignore_path_substrings= None):
+              scan_docstrings= True, allowlist_patterns= None, ignore_path_substrings= None, ignore_tests=True):
     
     rel_path = ctx.get("relpath", "")
     if not rel_path.endswith(ALLOWED_FILE_SUFFIXES):
         return []
     
+    if ignore_tests and IS_TEST_PATH.search(rel_path.replace("\\", "/")):
+        return []
+    
     if ignore_path_substrings:
         for substring in ignore_path_substrings:
             if substring and substring in rel_path:
@@ -221,22 +238,33 @@ def scan_ctx(ctx, *, min_entropy= DEFAULT_MIN_ENTROPY, scan_comments= True,
                         "entropy": round(tok_entropy, 2),
                     }
                     findings.append(aws_finding)
-        
-        generic_match = GENERIC_VALUE.search(line_content)
+
+        in_tests = bool(IS_TEST_PATH.search(rel_path.replace("\\", "/")))
+
+        if in_tests:
+            generic_match = None
+        else:
+            generic_match= GENERIC_VALUE.search(line_content)
+
         if generic_match:
             val_group = generic_match.group("val")
             bare_group = generic_match.group("bare")
             
+            is_bare = False
             if val_group:
                 extracted_token = val_group
             elif bare_group:
                 extracted_token = bare_group
+                is_bare = True
             else:
                 extracted_token = ""
             
             clean_token = extracted_token.strip()
             
             if clean_token:
+                if is_bare and _looks_like_identifier(clean_token):
+                    continue
+                
                 token_lowercase = clean_token.lower()
                 has_safe_hint = False
                 

{skylos-2.2.2.dist-info → skylos-2.2.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skylos
-Version: 2.2.2
+Version: 2.2.4
 Summary: A static analysis tool for Python codebases
 Author-email: oha <aaronoh2015@gmail.com>
 Requires-Python: >=3.9

{skylos-2.2.2.dist-info → skylos-2.2.4.dist-info}/RECORD

@@ -1,12 +1,13 @@
-skylos/__init__.py,sha256=C4oz_FAjQTq_0XiSSxpDnngdL9YlWLpuam7NNvB_vPs,229
-skylos/analyzer.py,sha256=G_8pw7GmChATc5h5XXij2pcHirhh_5G9Y8dlAC1dx38,16735
-skylos/cli.py,sha256=DOV6nwPbi5zh-OJ3wXjIaPxCfXRtiPMNqo9Zp2nvDBA,19475
-skylos/codemods.py,sha256=QdOwtbE2PpLsgCqpeScFg-pCfcpfHw9hFu-0WKKKBQg,9084
+skylos/__init__.py,sha256=YwPfQwovq4tgmZty1bPKmaNXjqgsmv6wbi94D2oEo6Y,229
+skylos/analyzer.py,sha256=iiymCNg3LphPSHhR3TYLmObR2vlGC99wKligDtHHzDE,17449
+skylos/cli.py,sha256=oEZHS8ogV8pZloj_EIk4qzPVbJS7QenHKJDIp7q2OGg,19882
+skylos/codemods.py,sha256=-1ehjFLc1MmtK3inoSZF_RyBNWF7XZSOq2KH5_MDzuA,9519
 skylos/constants.py,sha256=kU-2FKQAV-ju4rYw62Tw25uRvqauzjZFUqtvGWaI6Es,1571
 skylos/server.py,sha256=oHuevjdDFvJVbvpTtCDjSLOJ6Zy1jL4BYLYV4VFNMXs,15903
 skylos/visitor.py,sha256=o_2JxjXKXAcWLQr8nmoatGAz2EhBk225qE_piHf3hDg,20458
 skylos/rules/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-skylos/rules/secrets.py,sha256=FD7cXZ4_Zfg_Si1qFXLVK-5OIX1HXtCr_yJM0OlRsbI,9425
+skylos/rules/dangerous.py,sha256=a1P2wpjxxAHOG_pa83xSKDOnb1HFGPlHzATtkgQtd8Y,4111
+skylos/rules/secrets.py,sha256=xZOKJwfeyx2el-HlGjTflc50XtjUL7R-8mLOJUkwf30,10092
 skylos/visitors/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 skylos/visitors/framework_aware.py,sha256=eX4oU0jQwDWejkkW4kjRNctre27sVLHK1CTDDiqPqRw,13054
 skylos/visitors/test_aware.py,sha256=kxYoMG2m02kbMlxtFOM-MWJO8qqxHviP9HgAMbKRfvU,2304
@@ -19,10 +20,11 @@ test/test_changes_analyzer.py,sha256=l1hspCFz-sF8gqOilJvntUDuGckwhYsVtzvSRB13ZWw
 test/test_cli.py,sha256=rtdKzanDRJT_F92jKkCQFdhvlfwVJxfXKO8Hrbn-mIg,13180
 test/test_codemods.py,sha256=Tbp9jE95HDl77EenTmyTtB1Sc3L8fwY9xiMNVDN5lxo,4522
 test/test_constants.py,sha256=pMuDy0UpC81zENMDCeK6Bqmm3BR_HHZQSlMG-9TgOm0,12602
+test/test_dangerous.py,sha256=zFc2Fi43T824yWY-nKziP1YH_Z4on5rXwxsvgYQ6EN4,2523
 test/test_framework_aware.py,sha256=G9va1dEQ31wsvd4X7ROf_1YhhAQG5CogB7v0hYCojQ8,8802
 test/test_integration.py,sha256=bNKGUe-w0xEZEdnoQNHbssvKMGs9u9fmFQTOz1lX9_k,12398
 test/test_new_behaviours.py,sha256=vAON8rR09RXawZT1knYtZHseyRcECKz5bdOspJoMjUA,1472
-test/test_secrets.py,sha256=rjC-iQD9s8U296PyHP0vMEjC6CC9mJwKiFj7Sm-xsuo,5711
+test/test_secrets.py,sha256=cxbe8zH6lv5aKgazCW01q-mX5F2dRsiH6N2lDXb7ueY,6010
 test/test_skylos.py,sha256=kz77STrS4k3Eez5RDYwGxOg2WH3e7zNZPUYEaTLbGTs,15608
 test/test_test_aware.py,sha256=VmbR_MQY0m941CAxxux8OxJHIr7l8crfWRouSeBMhIo,9390
 test/test_visitor.py,sha256=xAbGv-XaozKm_0WJJhr0hMb6mLaJcbPz57G9-SWkxFU,22764
@@ -33,8 +35,8 @@ test/sample_repo/sample_repo/commands.py,sha256=b6gQ9YDabt2yyfqGbOpLo0osF7wya8O4
 test/sample_repo/sample_repo/models.py,sha256=xXIg3pToEZwKuUCmKX2vTlCF_VeFA0yZlvlBVPIy5Qw,3320
 test/sample_repo/sample_repo/routes.py,sha256=8yITrt55BwS01G7nWdESdx8LuxmReqop1zrGUKPeLi8,2475
 test/sample_repo/sample_repo/utils.py,sha256=S56hEYh8wkzwsD260MvQcmUFOkw2EjFU27nMLFE6G2k,1103
-skylos-2.2.2.dist-info/METADATA,sha256=LfA3i21DFqm9HGGJLXEkSwkK1Adv-58LPnIAmwguvwQ,314
-skylos-2.2.2.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-skylos-2.2.2.dist-info/entry_points.txt,sha256=zzRpN2ByznlQoLeuLolS_TFNYSQxUGBL1EXQsAd6bIA,43
-skylos-2.2.2.dist-info/top_level.txt,sha256=f8GA_7KwfaEopPMP8-EXDQXaqd4IbsOQPakZy01LkdQ,12
-skylos-2.2.2.dist-info/RECORD,,
+skylos-2.2.4.dist-info/METADATA,sha256=S5mGNVK7yVnSeqxS_5pr1PEXqaUrCcdu3NDZEqDHdYo,314
+skylos-2.2.4.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+skylos-2.2.4.dist-info/entry_points.txt,sha256=zzRpN2ByznlQoLeuLolS_TFNYSQxUGBL1EXQsAd6bIA,43
+skylos-2.2.4.dist-info/top_level.txt,sha256=f8GA_7KwfaEopPMP8-EXDQXaqd4IbsOQPakZy01LkdQ,12
+skylos-2.2.4.dist-info/RECORD,,

test/test_dangerous.py

@@ -0,0 +1,70 @@
+from pathlib import Path
+from skylos.rules.dangerous import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    rule_ids = set()
+    for f in findings:
+        rule_ids.add(f["rule_id"])
+    return rule_ids
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_eval(tmp_path):
+    out = _scan_one(tmp_path, "a_eval.py", 'eval("1+1")\n')
+    assert "SKY-D201" in _rule_ids(out)
+
+def test_exec(tmp_path):
+    out = _scan_one(tmp_path, "a_exec.py", 'exec("print(1)")\n')
+    assert "SKY-D202" in _rule_ids(out)
+
+def test_os_system(tmp_path):
+    out = _scan_one(tmp_path, "a_os.py", "import os\nos.system('echo hi')\n")
+    assert "SKY-D203" in _rule_ids(out)
+
+def test_pickle_loads(tmp_path):
+    out = _scan_one(tmp_path, "a_pickle.py", "import pickle\npickle.loads(b'\\x80\\x04K\\x01.')\n")
+    assert "SKY-D205" in _rule_ids(out)
+
+def test_yaml_load_without_safeloader(tmp_path):
+    out = _scan_one(tmp_path, "a_yaml.py", "import yaml\nyaml.load('a: 1')\n")
+    assert "SKY-D206" in _rule_ids(out)
+
+def test_md5_sha1(tmp_path):
+    out = _scan_one(tmp_path, "a_hashes.py", "import hashlib\nhashlib.md5(b'd')\nhashlib.sha1(b'd')\n")
+    ids = _rule_ids(out)
+    assert "SKY-D207" in ids
+    assert "SKY-D208" in ids
+
+def test_subprocess_shell_true(tmp_path):
+    out = _scan_one(tmp_path, "a_subproc.py", "import subprocess\nsubprocess.run('echo hi', shell=True)\n")
+    assert "SKY-D209" in _rule_ids(out)
+
+def test_requests_verify_false(tmp_path):
+    out = _scan_one(tmp_path, "a_requests.py", "import requests\nrequests.get('https://x', verify=False)\n")
+    assert "SKY-D210" in _rule_ids(out)
+
+def test_yaml_safe_loader_does_not_trigger(tmp_path):
+    code = (
+        "import yaml\n"
+        "from yaml import SafeLoader\n"
+        "yaml.load('a: 1', Loader=SafeLoader)\n"
+    )
+    out = _scan_one(tmp_path, "b_yaml_safe.py", code)
+    assert "SKY-D206" not in _rule_ids(out)
+
+def test_subprocess_without_shell_true_is_ok(tmp_path):
+    code = "import subprocess\nsubprocess.run(['echo','hi'])\n"
+    out = _scan_one(tmp_path, "b_subproc_ok.py", code)
+    assert "SKY-D209" not in _rule_ids(out)
+
+def test_requests_default_verify_true_is_ok(tmp_path):
+    code = "import requests\nrequests.get('https://example.com')\n"
+    out = _scan_one(tmp_path, "b_requests_ok.py", code)
+    assert "SKY-D210" not in _rule_ids(out)

test/test_secrets.py

@@ -77,16 +77,6 @@ def test_aws_secret_access_key_special_case():
     assert "entropy" in hit and isinstance(hit["entropy"], float)
     assert ELLIPSIS in hit["preview"]
 
-
-def test_generic_entropy_detection_and_threshold():
-    src = 'X = "o2uV7Ew1kZ9Q3nR8sT5yU6pX4cJ2mL7a"\n'
-    findings = list(scan_ctx(_ctx_from_source(src)))
-    assert any(f["provider"] == "generic" for f in findings)
-
-    findings_high_thr = list(scan_ctx(_ctx_from_source(src), min_entropy=8.0))
-    assert not any(f["provider"] == "generic" for f in findings_high_thr)
-
-
 def test_ignore_directive_suppresses_matches():
     src = 'GITHUB_TOKEN = "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # skylos: ignore[SKY-S101]\n'
     findings = list(scan_ctx(_ctx_from_source(src)))
@@ -177,3 +167,27 @@ def test_safe_hints_suppress_detection():
     safe_line = 'EXAMPLE_TOKEN = "sk_test_this_is_example_value_not_real_123456"\n'
     out = list(scan_ctx(_ctx_from_source(safe_line)))
     assert out == []
+
+def test_generic_is_suppressed_in_test_paths():
+    src = 'X = "o2uV7Ew1kZ9Q3nR8sT5yU6pX4cJ2mL7a"\n'
+    findings = list(scan_ctx(_ctx_from_source(src, rel="tests/unit/test_secrets.py")))
+    
+    generic_findings = []
+    for f in findings:
+        if f["provider"] == "generic":
+            generic_findings.append(f)
+    
+    assert len(generic_findings) == 0
+
+def test_normal_strings_ignored():
+    src = 'X = "config_path"\n'
+    ctx = _ctx_from_source(src)
+    findings = list(scan_ctx(ctx))
+    
+    generic_findings = []
+    for f in findings:
+        if f["provider"] == "generic":
+            generic_findings.append(f)
+    
+    assert len(generic_findings) == 0
+