skylos 2.2.3__tar.gz → 2.2.4__tar.gz

{skylos-2.2.3 → skylos-2.2.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skylos
-Version: 2.2.3
+Version: 2.2.4
 Summary: A static analysis tool for Python codebases
 Author-email: oha <aaronoh2015@gmail.com>
 Requires-Python: >=3.9

{skylos-2.2.3 → skylos-2.2.4}/README.md

@@ -53,7 +53,7 @@
 * **Folder Management**: Inclusion/exclusion of directories 
 * **Ignore Pragmas**: Skip lines tagged with `# pragma: no skylos`, `# pragma: no cover`, or `# noqa`
 **NEW** **Secrets Scanning (PoC, opt-in)**: Detects API keys & secrets (GitHub, GitLab, Slack, Stripe, AWS, Google, SendGrid, Twilio, private key blocks)
-
+**NEW** **Dangerous Patterns**: Flags risky code such as `eval/exec`, `os.system`, `subprocess(shell=True)`, `pickle.load/loads`, `yaml.load` without SafeLoader, hashlib.md5/sha1. Refer to `DANGEROUS_CODE.md` for the whole list.
 
 ## Benchmark (You can find this benchmark test in `test` folder)
 
@@ -98,6 +98,7 @@ pip install .
 skylos /path/to/your/project
 
 skylos /path/to/your/project --secrets  ## include api key scan
+skylos /path/to/your/project --danger   ## include safety scan for dangerous code
 
 # To launch the front end
 skylos run
@@ -262,6 +263,7 @@ Options:
   --list-default-excludes      List the default excluded folders and
   -c, --confidence LEVEL       Confidence threshold (0-100). Lower values will show more items.
   -- secrets                   Scan for api keys/secrets
+  -- danger                    Scan for dangerous code
 ```
 
 ## Interactive Mode
@@ -276,22 +278,97 @@ The interactive mode lets you select specific functions and imports to remove:
 
 Pick **one** (or use **both**) 
 
-1. Pre-commit (local + CI): runs Skylos before commits/PRs.
+1. GitHub Actions: runs Skylos on pushes/PRs in CI.
+   - No local install needed
+
+2. Pre-commit (local + CI): runs Skylos before commits/PRs.
    - You must install pre-commit locally once. Skylos gets installed automatically by the hook.
 
-2. GitHub Actions: runs Skylos on pushes/PRs in CI.
-   - No local install needed
+### Option A — Github Actions
+
+1. Create .github/workflows/skylos.yml **(COPY THE ENTIRE SKYLOS.YAML FROM BELOW)**:
+
+```yaml
+name: Skylos Deadcode Scan
+
+on:
+  pull_request:
+  push:
+    branches: [ main, master ]
+  workflow_dispatch:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    env:
+      SKYLOS_STRICT: ${{ vars.SKYLOS_STRICT || 'false' }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+
+      - name: Install Skylos
+        run: pip install skylos
+
+      - name: Run Skylos
+        env:
+          REPORT: skylos_${{ github.run_number }}_${{ github.sha }}.json
+        run: |
+          echo "REPORT=$REPORT" >> "$GITHUB_OUTPUT"
+          skylos . --json > "$REPORT"
+        id: scan
+
+      - name: Fail if there are findings
+        continue-on-error: ${{ env.SKYLOS_STRICT != 'true' }}
+        env:
+          REPORT: ${{ steps.scan.outputs.REPORT }}
+        run: |
+            python - << 'PY'
+            import json, sys, os
+            report = os.environ["REPORT"]
+            data = json.load(open(report, "r", encoding="utf-8"))
+            count = 0
+            for value in data.values():
+                if isinstance(value, list):
+                    count += len(value)
+            print(f"Findings: {count}")
+            if count > 0:
+              print(f"::warning title=Skylos findings::{count} potential issues found. See {report}")
+            sys.exit(1 if count > 0 else 0)
+            PY
+
+      - name: Upload report artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.scan.outputs.REPORT }}
+          path: ${{ steps.scan.outputs.REPORT }}
+
+      - name: Summarize in job log
+        if: always()
+        run: |
+          echo "Skylos report: ${{ steps.scan.outputs.REPORT }}" >> $GITHUB_STEP_SUMMARY
+```
+
+**To make the job fail on findings (strict mode)**:
+
+1. Go to GitHub -> Settings -> Secrets and variables -> Actions -> Variables
+
+2. Add variable SKYLOS_STRICT with value true
 
-### Option A — Pre-commit (local + CI)
+### Option B — Pre-commit (local + CI)
 
-1. Create or edit `.pre-commit-config.yaml` at the repo root:
+. Create or edit `.pre-commit-config.yaml` at the repo root:
 
 **A: Skylos hook repo**
 ```yaml
 ## .pre-commit-config.yaml
 repos:
   - repo: https://github.com/duriantaco/skylos
-    rev: v2.2.3
+    rev: v2.2.4
     hooks:
       - id: skylos-scan
         name: skylos report
@@ -300,7 +377,7 @@ repos:
         types_or: [python]
         pass_filenames: false
         require_serial: true
-        args: [".", "--output", "report.json", "--confidence", "70"]
+        args: [".", "--output", "report.json", "--confidence", "70", "--danger"]
 
   - repo: local
     hooks:
@@ -341,7 +418,7 @@ repos:
         entry: python -m skylos.cli
         pass_filenames: false
         require_serial: true
-        additional_dependencies: [skylos==2.2.3]
+        additional_dependencies: [skylos==2.2.4]
         args: [".", "--output", "report.json", "--confidence", "70"]
 
       - id: skylos-fail-on-findings
@@ -397,81 +474,6 @@ jobs:
 
 **Pre commit behavior:** the second hook is soft by default (SKYLOS_SOFT=1). This means that it prints findings and passes. You can remove the env/logic if you want pre-commit to block commits on finding
 
-### Option B — Github Actions
-
-1. Create .github/workflows/skylos.yml:
-
-```yaml
-name: Skylos Deadcode Scan
-
-on:
-  pull_request:
-  push:
-    branches: [ main, master ]
-  workflow_dispatch:
-
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    env:
-      SKYLOS_STRICT: ${{ vars.SKYLOS_STRICT || 'false' }}
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.11'
-          cache: 'pip'
-
-      - name: Install Skylos
-        run: pip install skylos
-
-      - name: Run Skylos
-        env:
-          REPORT: skylos_${{ github.run_number }}_${{ github.sha }}.json
-        run: |
-          echo "REPORT=$REPORT" >> "$GITHUB_OUTPUT"
-          skylos . --json > "$REPORT"
-        id: scan
-
-      - name: Fail if there are findings
-        continue-on-error: ${{ env.SKYLOS_STRICT != 'true' }}
-        env:
-          REPORT: ${{ steps.scan.outputs.REPORT }}
-        run: |
-            python - << 'PY'
-            import json, sys, os
-            report = os.environ["REPORT"]
-            data = json.load(open(report, "r", encoding="utf-8"))
-            count = 0
-            for value in data.values():
-                if isinstance(value, list):
-                    count += len(value)
-            print(f"Findings: {count}")
-            if count > 0:
-              print(f"::warning title=Skylos findings::{count} potential issues found. See {report}")
-            sys.exit(1 if count > 0 else 0)
-            PY
-
-      - name: Upload report artifact
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ steps.scan.outputs.REPORT }}
-          path: ${{ steps.scan.outputs.REPORT }}
-
-      - name: Summarize in job log
-        if: always()
-        run: |
-          echo "Skylos report: ${{ steps.scan.outputs.REPORT }}" >> $GITHUB_STEP_SUMMARY
-```
-
-**To make the job fail on findings (strict mode)**:
-
-1. Go to GitHub -> Settings -> Secrets and variables -> Actions -> Variables
-
-2. Add variable SKYLOS_STRICT with value true
-
 ## Development
 
 ### Prerequisites
@@ -519,6 +521,9 @@ A: Web framework routes are given low confidence (20) because they might be call
 **Q: What confidence level should I use?**
 A: Start with 60 (default) for safe cleanup. Use 30 for framework applications. Use 20 for more comprehensive auditing.
 
+**Q: What does `--danger` check**?
+A: It flags common security problems. Refer to `DANGEROUS_CODE.md` for the full details
+
 ## Limitations
 
 - **Dynamic code**: `getattr()`, `globals()`, runtime imports are hard to detect
@@ -562,6 +567,7 @@ We welcome contributions! Please read our [Contributing Guidelines](CONTRIBUTING
 - [x] CI/CD integration examples
 - [ ] Further optimization
 - [ ] Add new rules
+- [ ] Expanding on the `dangerous.py` list
 
 ## License
 

{skylos-2.2.3 → skylos-2.2.4}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "skylos"
-version = "2.2.3"
+version = "2.2.4"
 requires-python = ">=3.9"
 description = "A static analysis tool for Python codebases"
 authors = [{name = "oha", email = "aaronoh2015@gmail.com"}]

{skylos-2.2.3 → skylos-2.2.4}/setup.py

@@ -2,7 +2,7 @@ from setuptools import setup, find_packages
 
 setup(
     name="skylos",
-    version="2.2.3",
+    version="2.2.4",
     packages=find_packages(),
     python_requires=">=3.9",
     install_requires=[

{skylos-2.2.3 → skylos-2.2.4}/skylos/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "2.2.3"
+__version__ = "2.2.4"
 
 def analyze(*args, **kwargs):
     from .analyzer import analyze as _analyze

{skylos-2.2.3 → skylos-2.2.4}/skylos/analyzer.py

@@ -9,6 +9,7 @@ from skylos.visitor import Visitor
 from skylos.constants import ( PENALTIES, AUTO_CALLED )
 from skylos.visitors.test_aware import TestAwareVisitor
 from skylos.rules.secrets import scan_ctx as _secrets_scan_ctx
+from skylos.rules.dangerous import scan_ctx as scan_dangerous
 import os
 import traceback
 from skylos.visitors.framework_aware import FrameworkAwareVisitor, detect_framework_usage
@@ -238,7 +239,7 @@ class Skylos:
                     if method.simple_name == "format" and cls.endswith("Formatter"):
                         method.references += 1
 
-    def analyze(self, path, thr=60, exclude_folders= None, enable_secrets = False):
+    def analyze(self, path, thr=60, exclude_folders= None, enable_secrets = False, enable_dangerous = False):
         files, root = self._get_python_files(path, exclude_folders)
         
         if not files:
@@ -262,6 +263,7 @@ class Skylos:
             modmap[f] = self._module(root, f)
         
         all_secrets = []
+        all_dangers = []
         for file in files:
             mod = modmap[file]
             defs, refs, dyn, exports, test_flags, framework_flags = proc_file(file, mod)
@@ -276,13 +278,23 @@ class Skylos:
 
             if enable_secrets and _secrets_scan_ctx is not None:
                 try:
-                    src_lines = Path(file).read_text(encoding="utf-8", errors="ignore").splitlines(True)
-                    ctx = {"relpath": str(file), "lines": src_lines, "tree": None}
+                    src = Path(file).read_text(encoding="utf-8", errors="ignore")
+                    src_lines = src.splitlines(True)
+                    rel = str(Path(file).relative_to(root))
+                    ctx = {"relpath": rel, "lines": src_lines, "tree": None}
                     findings = list(_secrets_scan_ctx(ctx))
                     if findings:
                         all_secrets.extend(findings)
                 except Exception:
                     pass
+            
+            if enable_dangerous and scan_dangerous is not None:
+                try:
+                    findings = scan_dangerous(root, [file])
+                    if findings:
+                        all_dangers.extend(findings)
+                except Exception:
+                    pass
 
         self._mark_refs()
         self._apply_heuristics() 
@@ -296,7 +308,6 @@ class Skylos:
         for d in sorted(self.defs.values(), key=def_sort_key):
             if shown >= 50:
                 break
-            print(f" type={d.type} refs={d.references} conf={d.confidence} exported={d.is_exported} line={d.line} name={d.name}")
             shown += 1
 
         unused = []
@@ -318,7 +329,12 @@ class Skylos:
 
         if enable_secrets and all_secrets:
             result["secrets"] = all_secrets
+            result["analysis_summary"]["secrets_count"] = len(all_secrets)
         
+        if enable_dangerous and all_dangers:
+            result["dangerous"] = all_dangers
+            result["analysis_summary"]["dangerous_count"] = len(all_dangers)
+
         for u in unused:
             if u["type"] in ("function", "method"):
                 result["unused_functions"].append(u)
@@ -370,13 +386,18 @@ def proc_file(file_or_args, mod=None):
 
         return [], [], set(), set(), dummy_visitor, dummy_framework_visitor
 
-def analyze(path, conf=60, exclude_folders=None, enable_secrets=False):
-    return Skylos().analyze(path,conf, exclude_folders, enable_secrets)
+def analyze(path, conf=60, exclude_folders=None, enable_secrets=False, enable_dangerous=False):
+    return Skylos().analyze(path,conf, exclude_folders, enable_secrets, enable_dangerous)
 
 if __name__ == "__main__":
     if len(sys.argv)>1:
         p = sys.argv[1]
-        confidence = int(sys.argv[2]) if len(sys.argv) >2 else 60
+        
+        if len(sys.argv) > 2:
+            confidence = int(sys.argv[2])
+        else:
+            confidence = 60
+
         result = analyze(p,confidence)
         
         data = json.loads(result)

{skylos-2.2.3 → skylos-2.2.4}/skylos/cli.py

@@ -43,7 +43,7 @@ def setup_logger(output_file=None):
     
     formatter = CleanFormatter()
     
-    console_handler = logging.StreamHandler(sys.stdout)
+    console_handler = logging.StreamHandler(sys.stderr)
     console_handler.setFormatter(formatter)
     logger.addHandler(console_handler)
     
@@ -270,6 +270,9 @@ def main():
     parser.add_argument("--secrets", action="store_true",
                    help="Scan for API keys. Off by default.")
     
+    parser.add_argument("--danger", action="store_true",
+                   help="Scan for security issues. Off by default.")
+    
     args = parser.parse_args()
 
     if args.list_default_excludes:
@@ -305,6 +308,11 @@ def main():
 
     try:
         result_json = run_analyze(args.path, conf=args.confidence, enable_secrets=bool(args.secrets), exclude_folders=list(final_exclude_folders))
+
+        if args.json:
+            print(result_json)
+            return
+
         result = json.loads(result_json)
 
     except Exception as e:
@@ -312,8 +320,14 @@ def main():
         sys.exit(1)
 
     if args.json:
-        logger.info(result_json)
+        lg = logging.getLogger('skylos')
+        for h in list(lg.handlers):
+            if isinstance(h, logging.StreamHandler):
+                lg.removeHandler(h)
+        print(result_json)
         return
+    
+    result = json.loads(result_json)
 
     unused_functions = result.get("unused_functions", [])
     unused_imports = result.get("unused_imports", [])

skylos-2.2.4/skylos/rules/dangerous.py

@@ -0,0 +1,135 @@
+from __future__ import annotations
+import ast
+from pathlib import Path
+
+ALLOWED_SUFFIXES = (".py", ".pyi", ".pyw")
+
+## will expand this list later with more rules 
+DANGEROUS_CALLS = {
+    "eval": ("SKY-D201", "HIGH", "Use of eval()"),
+    "exec": ("SKY-D202", "HIGH", "Use of exec()"),
+    "os.system": ("SKY-D203", "MEDIUM", "Use of os.system"),
+    "pickle.load": ("SKY-D204", "CRITICAL", "Untrusted deserialization via pickle.load"),
+    "pickle.loads": ("SKY-D205", "CRITICAL", "Untrusted deserialization via pickle.loads"),
+    "yaml.load": ("SKY-D206", "HIGH", "yaml.load without SafeLoader"),
+    "hashlib.md5": ("SKY-D207", "MEDIUM", "Weak hash (MD5)"),
+    "hashlib.sha1": ("SKY-D208", "MEDIUM", "Weak hash (SHA1)"),
+    ## this is for arguments like process
+    "subprocess.*": ("SKY-D209", "HIGH", "subprocess.* with shell=True",
+                     {"kw_equals": {"shell": True}}),
+
+    "requests.*": ("SKY-D210", "HIGH", "requests call with verify=False",
+                   {"kw_equals": {"verify": False}}),
+}
+
+def _matches_rule(name, rule_key):
+    if not name:
+        return False
+    if rule_key.endswith(".*"):
+        return name.startswith(rule_key[:-2] + ".")
+    return name == rule_key
+
+def _kw_equals(node: ast.Call, requirements):
+    if not requirements:
+        return True
+    kw_map = {}
+    keywords = node.keywords or []
+    for kw in keywords:
+        if kw.arg:
+            kw_map[kw.arg] = kw.value
+        
+    for key, expected in requirements.items():
+        val = kw_map.get(key)
+        if not isinstance(val, ast.Constant):
+            return False
+        if val.value is not expected:
+            return False
+    return True
+
+def qualified_name_from_call(node: ast.Call):
+    f = node.func
+    parts = []
+    while isinstance(f, ast.Attribute):
+        parts.append(f.attr)
+        f = f.value
+    if isinstance(f, ast.Name):
+        parts.append(f.id)
+        parts.reverse()
+        return ".".join(parts)
+    if isinstance(f, ast.Name):
+        return f.id
+    return None
+
+def _yaml_load_without_safeloader(node: ast.Call):
+    name = qualified_name_from_call(node)
+    if name != "yaml.load":
+        return False
+
+    for kw in node.keywords or []:
+        if kw.arg == "Loader":
+            try:
+                text = ast.unparse(kw.value)
+                return "SafeLoader" not in text
+            except Exception:
+                return True
+    return True
+
+def _add_finding(findings,
+                 file_path: Path,
+                 node: ast.AST,
+                 rule_id,
+                 severity,
+                 message):
+    findings.append({
+        "rule_id": rule_id,
+        "severity": severity,
+        "message": message,
+        "file": str(file_path),
+        "line": getattr(node, "lineno", 1),
+        "col": getattr(node, "col_offset", 0),
+    })
+
+def scan_ctx(root, files):
+    findings = []
+
+    for file_path in files:
+        if file_path.suffix.lower() not in ALLOWED_SUFFIXES:
+            continue
+
+        try:
+            src = file_path.read_text(encoding="utf-8", errors="ignore")
+            tree = ast.parse(src)
+        except Exception:
+            continue
+
+        for node in ast.walk(tree):
+            if not isinstance(node, ast.Call):
+                continue
+
+            name = qualified_name_from_call(node)
+            if not name:
+                continue
+
+            for rule_key, tup in DANGEROUS_CALLS.items():
+                rule_id, severity, message, *rest = tup
+
+                if rest:
+                    opts = rest[0]
+                else:
+                    opts = None
+
+                if not _matches_rule(name, rule_key):
+                    continue
+                
+                if rule_key == "yaml.load":
+                    if not _yaml_load_without_safeloader(node):
+                        continue
+
+                if opts and "kw_equals" in opts:
+                    if not _kw_equals(node, opts["kw_equals"]):
+                        continue
+
+                _add_finding(findings, file_path, node, rule_id, severity, message)
+                break
+
+    return findings

{skylos-2.2.3 → skylos-2.2.4}/skylos/rules/secrets.py

@@ -22,7 +22,15 @@ GENERIC_VALUE = re.compile(r"""(?ix)
     (?:
       (token|api[_-]?key|secret|password|passwd|pwd|bearer|auth[_-]?token|access[_-]?token)
       \s*[:=]\s*(?P<q>['"])(?P<val>[^'"]{16,})(?P=q)
-    )|(?P<bare>[A-Za-z0-9_\-]{24,})
+    )
+    |
+    (?P<bare>
+      (?=[A-Za-z0-9_-]{32,}\b)
+      (?=.*[A-Z])
+      (?=.*[a-z])
+      (?=.*\d)
+      [A-Za-z0-9_-]+
+    )
 """)
 
 SAFE_TEST_HINTS = {
@@ -30,8 +38,12 @@ SAFE_TEST_HINTS = {
     "changeme", "password", "secret", "not_a_real", "do_not_use",
 }
 
+_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
+
 IGNORE_DIRECTIVE = "skylos: ignore[SKY-S101]"
-DEFAULT_MIN_ENTROPY = 3.6
+DEFAULT_MIN_ENTROPY = 3.9
+
+IS_TEST_PATH = re.compile(r"(^|/)(tests?(/|$)|test_[^/]+\.py$)")
 
 def _entropy(s):
     if len(s) == 0:
@@ -64,6 +76,9 @@ def _mask(tok):
         last_part = tok[-4:]
         return first_part + "…" + last_part
 
+def _looks_like_identifier(s):
+    return bool(_IDENTIFIER.fullmatch(s))
+
 def _docstring_lines(tree):
     if tree is None:
         return set()
@@ -107,12 +122,15 @@ def _docstring_lines(tree):
     return docstring_line_numbers
 
 def scan_ctx(ctx, *, min_entropy= DEFAULT_MIN_ENTROPY, scan_comments= True,
-              scan_docstrings= True, allowlist_patterns= None, ignore_path_substrings= None):
+              scan_docstrings= True, allowlist_patterns= None, ignore_path_substrings= None, ignore_tests=True):
     
     rel_path = ctx.get("relpath", "")
     if not rel_path.endswith(ALLOWED_FILE_SUFFIXES):
         return []
     
+    if ignore_tests and IS_TEST_PATH.search(rel_path.replace("\\", "/")):
+        return []
+    
     if ignore_path_substrings:
         for substring in ignore_path_substrings:
             if substring and substring in rel_path:
@@ -220,22 +238,33 @@ def scan_ctx(ctx, *, min_entropy= DEFAULT_MIN_ENTROPY, scan_comments= True,
                         "entropy": round(tok_entropy, 2),
                     }
                     findings.append(aws_finding)
-        
-        generic_match = GENERIC_VALUE.search(line_content)
+
+        in_tests = bool(IS_TEST_PATH.search(rel_path.replace("\\", "/")))
+
+        if in_tests:
+            generic_match = None
+        else:
+            generic_match= GENERIC_VALUE.search(line_content)
+
         if generic_match:
             val_group = generic_match.group("val")
             bare_group = generic_match.group("bare")
             
+            is_bare = False
             if val_group:
                 extracted_token = val_group
             elif bare_group:
                 extracted_token = bare_group
+                is_bare = True
             else:
                 extracted_token = ""
             
             clean_token = extracted_token.strip()
             
             if clean_token:
+                if is_bare and _looks_like_identifier(clean_token):
+                    continue
+                
                 token_lowercase = clean_token.lower()
                 has_safe_hint = False
                 

{skylos-2.2.3 → skylos-2.2.4}/skylos.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skylos
-Version: 2.2.3
+Version: 2.2.4
 Summary: A static analysis tool for Python codebases
 Author-email: oha <aaronoh2015@gmail.com>
 Requires-Python: >=3.9

{skylos-2.2.3 → skylos-2.2.4}/skylos.egg-info/SOURCES.txt

@@ -15,6 +15,7 @@ skylos.egg-info/entry_points.txt
 skylos.egg-info/requires.txt
 skylos.egg-info/top_level.txt
 skylos/rules/__init__.py
+skylos/rules/dangerous.py
 skylos/rules/secrets.py
 skylos/visitors/__init__.py
 skylos/visitors/framework_aware.py
@@ -28,6 +29,7 @@ test/test_changes_analyzer.py
 test/test_cli.py
 test/test_codemods.py
 test/test_constants.py
+test/test_dangerous.py
 test/test_framework_aware.py
 test/test_integration.py
 test/test_new_behaviours.py

skylos-2.2.4/test/test_dangerous.py

@@ -0,0 +1,70 @@
+from pathlib import Path
+from skylos.rules.dangerous import scan_ctx
+
+def _write(tmp_path: Path, name, code):
+    p = tmp_path / name
+    p.write_text(code, encoding="utf-8")
+    return p
+
+def _rule_ids(findings):
+    rule_ids = set()
+    for f in findings:
+        rule_ids.add(f["rule_id"])
+    return rule_ids
+
+def _scan_one(tmp_path: Path, name, code):
+    file_path = _write(tmp_path, name, code)
+    return scan_ctx(tmp_path, [file_path])
+
+def test_eval(tmp_path):
+    out = _scan_one(tmp_path, "a_eval.py", 'eval("1+1")\n')
+    assert "SKY-D201" in _rule_ids(out)
+
+def test_exec(tmp_path):
+    out = _scan_one(tmp_path, "a_exec.py", 'exec("print(1)")\n')
+    assert "SKY-D202" in _rule_ids(out)
+
+def test_os_system(tmp_path):
+    out = _scan_one(tmp_path, "a_os.py", "import os\nos.system('echo hi')\n")
+    assert "SKY-D203" in _rule_ids(out)
+
+def test_pickle_loads(tmp_path):
+    out = _scan_one(tmp_path, "a_pickle.py", "import pickle\npickle.loads(b'\\x80\\x04K\\x01.')\n")
+    assert "SKY-D205" in _rule_ids(out)
+
+def test_yaml_load_without_safeloader(tmp_path):
+    out = _scan_one(tmp_path, "a_yaml.py", "import yaml\nyaml.load('a: 1')\n")
+    assert "SKY-D206" in _rule_ids(out)
+
+def test_md5_sha1(tmp_path):
+    out = _scan_one(tmp_path, "a_hashes.py", "import hashlib\nhashlib.md5(b'd')\nhashlib.sha1(b'd')\n")
+    ids = _rule_ids(out)
+    assert "SKY-D207" in ids
+    assert "SKY-D208" in ids
+
+def test_subprocess_shell_true(tmp_path):
+    out = _scan_one(tmp_path, "a_subproc.py", "import subprocess\nsubprocess.run('echo hi', shell=True)\n")
+    assert "SKY-D209" in _rule_ids(out)
+
+def test_requests_verify_false(tmp_path):
+    out = _scan_one(tmp_path, "a_requests.py", "import requests\nrequests.get('https://x', verify=False)\n")
+    assert "SKY-D210" in _rule_ids(out)
+
+def test_yaml_safe_loader_does_not_trigger(tmp_path):
+    code = (
+        "import yaml\n"
+        "from yaml import SafeLoader\n"
+        "yaml.load('a: 1', Loader=SafeLoader)\n"
+    )
+    out = _scan_one(tmp_path, "b_yaml_safe.py", code)
+    assert "SKY-D206" not in _rule_ids(out)
+
+def test_subprocess_without_shell_true_is_ok(tmp_path):
+    code = "import subprocess\nsubprocess.run(['echo','hi'])\n"
+    out = _scan_one(tmp_path, "b_subproc_ok.py", code)
+    assert "SKY-D209" not in _rule_ids(out)
+
+def test_requests_default_verify_true_is_ok(tmp_path):
+    code = "import requests\nrequests.get('https://example.com')\n"
+    out = _scan_one(tmp_path, "b_requests_ok.py", code)
+    assert "SKY-D210" not in _rule_ids(out)

{skylos-2.2.3 → skylos-2.2.4}/test/test_secrets.py

@@ -77,16 +77,6 @@ def test_aws_secret_access_key_special_case():
     assert "entropy" in hit and isinstance(hit["entropy"], float)
     assert ELLIPSIS in hit["preview"]
 
-
-def test_generic_entropy_detection_and_threshold():
-    src = 'X = "o2uV7Ew1kZ9Q3nR8sT5yU6pX4cJ2mL7a"\n'
-    findings = list(scan_ctx(_ctx_from_source(src)))
-    assert any(f["provider"] == "generic" for f in findings)
-
-    findings_high_thr = list(scan_ctx(_ctx_from_source(src), min_entropy=8.0))
-    assert not any(f["provider"] == "generic" for f in findings_high_thr)
-
-
 def test_ignore_directive_suppresses_matches():
     src = 'GITHUB_TOKEN = "ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # skylos: ignore[SKY-S101]\n'
     findings = list(scan_ctx(_ctx_from_source(src)))
@@ -177,3 +167,27 @@ def test_safe_hints_suppress_detection():
     safe_line = 'EXAMPLE_TOKEN = "sk_test_this_is_example_value_not_real_123456"\n'
     out = list(scan_ctx(_ctx_from_source(safe_line)))
     assert out == []
+
+def test_generic_is_suppressed_in_test_paths():
+    src = 'X = "o2uV7Ew1kZ9Q3nR8sT5yU6pX4cJ2mL7a"\n'
+    findings = list(scan_ctx(_ctx_from_source(src, rel="tests/unit/test_secrets.py")))
+    
+    generic_findings = []
+    for f in findings:
+        if f["provider"] == "generic":
+            generic_findings.append(f)
+    
+    assert len(generic_findings) == 0
+
+def test_normal_strings_ignored():
+    src = 'X = "config_path"\n'
+    ctx = _ctx_from_source(src)
+    findings = list(scan_ctx(ctx))
+    
+    generic_findings = []
+    for f in findings:
+        if f["provider"] == "generic":
+            generic_findings.append(f)
+    
+    assert len(generic_findings) == 0
+