ワンクリックでManusで任意のスキルを実行

auditing-python-security

スター49

フォーク10

更新日2026年4月2日 01:21

Audits Python libraries for security vulnerabilities using Bandit, pip-audit, Semgrep, and detect-secrets. Identifies SQL injection, command injection, hardcoded credentials, weak cryptography, and insecure deserialization. Use when reviewing library security, setting up security scanning in CI, or implementing secure coding patterns.

インストール

Codex または Claude でインストールこの Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。

Manusで実行

ソース

wdm0006

wdm0006/python-skills

GitHub リポジトリを開く Creator のリポジトリを見る

ダウンロード

Manusで実行

Python Security Auditing

Quick Start

# Static analysis
bandit -r src/ -ll                    # High severity only
pip-audit                             # Dependency vulnerabilities
detect-secrets scan > .secrets.baseline  # Secrets detection

Tool Configuration

Bandit (.bandit):

exclude_dirs: [tests/, docs/, .venv/]
skips: [B101]  # assert_used - OK in tests

pip-audit:

pip-audit -r requirements.txt         # Scan requirements
pip-audit --fix                       # Auto-fix vulnerabilities

Common Vulnerabilities

Issue	Bandit ID	Fix
SQL injection	B608	Use parameterized queries
Command injection	B602	subprocess without shell=True
Hardcoded secrets	B105, B106	Environment variables
Weak crypto	B303	Use SHA-256+, bcrypt for passwords
Pickle untrusted data	B301	Use JSON instead
Path traversal	B108	Validate with Path.resolve()

Secure Patterns

# SQL - Parameterized query
conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))

# Commands - No shell
subprocess.run(["cat", filename], check=True)

# Secrets - Environment
API_KEY = os.environ.get("API_KEY")

# Paths - Validate
base = Path("/data").resolve()
file_path = (base / filename).resolve()
if not file_path.is_relative_to(base):
    raise ValueError("Invalid path")

CI Integration

# .github/workflows/security.yml
- run: bandit -r src/ -ll
- run: pip-audit
- run: detect-secrets scan --all-files

For detailed patterns, see:

VULNERABILITIES.md - Full vulnerability examples
CI_SECURITY.md - Complete CI workflow

Audit Checklist

Code:
- [ ] No SQL injection (parameterized queries)
- [ ] No command injection (no shell=True)
- [ ] No hardcoded secrets
- [ ] No weak crypto (MD5/SHA1)
- [ ] Input validation on external data
- [ ] Path traversal prevention

Dependencies:
- [ ] pip-audit clean
- [ ] Minimal dependencies
- [ ] From trusted sources

CI:
- [ ] Security scan on every PR
- [ ] Weekly dependency scan

Learn More

This skill is based on the Security section of the Guide to Developing High-Quality Python Libraries by Will McGinnis. See these posts for deeper coverage:

このリポジトリの他の Skills

同じリポジトリ

keeping-git-repos-clean

wdm0006/python-skills

Prevents, detects, and remediates files that should never be committed — secrets (.env, API tokens, hardcoded credentials) and dev artifacts (build output, scratch databases, editor/OS files). Covers .gitignore (and why it does not untrack), git rm --cached, auditing tracked files, history scrubbing, and credential rotation. Use when a repo has committed secrets or junk, when setting up a new repo's ignore rules, or when reviewing what a repo actually tracks.

2026-06-1649

designing-python-apis

wdm0006/python-skills

Designs intuitive Python library APIs following principles of simplicity, consistency, and discoverability. Handles API evolution, deprecation, breaking changes, and error handling. Use when designing new library APIs, reviewing existing APIs for improvements, or managing API versioning and deprecations.

2026-04-0249

building-python-clis

wdm0006/python-skills

Builds command-line interfaces for Python libraries using Click or Typer. Includes command groups, argument handling, progress bars, shell completion, and CLI testing with CliRunner. Use when adding CLI functionality to a library or building standalone command-line tools.

2026-04-0249

improving-python-code-quality

wdm0006/python-skills

Improves Python library code quality through ruff linting, mypy type checking, Pythonic idioms, and refactoring. Use when reviewing code for quality issues, adding type hints, configuring static analysis tools, or refactoring Python library code.

2026-04-0249

building-python-communities

wdm0006/python-skills

Builds and manages open source Python library communities including CONTRIBUTING.md, CODE_OF_CONDUCT.md, issue/PR templates, contributor recognition, and GitHub automation. Use when setting up community infrastructure, improving contributor experience, or managing project governance.

2026-04-0249

documenting-python-libraries

wdm0006/python-skills

Creates comprehensive Python library documentation including Google-style docstrings, Sphinx setup, API references, tutorials, and ReadTheDocs configuration. Use when writing docstrings, setting up Sphinx documentation, or creating user guides for Python libraries.

2026-04-0249

name	auditing-python-security
description	Audits Python libraries for security vulnerabilities using Bandit, pip-audit, Semgrep, and detect-secrets. Identifies SQL injection, command injection, hardcoded credentials, weak cryptography, and insecure deserialization. Use when reviewing library security, setting up security scanning in CI, or implementing secure coding patterns.

Python Security Auditing

Quick Start

# Static analysis
bandit -r src/ -ll                    # High severity only
pip-audit                             # Dependency vulnerabilities
detect-secrets scan > .secrets.baseline  # Secrets detection

Tool Configuration

Bandit (.bandit):

exclude_dirs: [tests/, docs/, .venv/]
skips: [B101]  # assert_used - OK in tests

pip-audit:

pip-audit -r requirements.txt         # Scan requirements
pip-audit --fix                       # Auto-fix vulnerabilities

Common Vulnerabilities

Issue	Bandit ID	Fix
SQL injection	B608	Use parameterized queries
Command injection	B602	subprocess without shell=True
Hardcoded secrets	B105, B106	Environment variables
Weak crypto	B303	Use SHA-256+, bcrypt for passwords
Pickle untrusted data	B301	Use JSON instead
Path traversal	B108	Validate with Path.resolve()

Secure Patterns

# SQL - Parameterized query
conn.execute("SELECT * FROM users WHERE id = ?", (user_id,))

# Commands - No shell
subprocess.run(["cat", filename], check=True)

# Secrets - Environment
API_KEY = os.environ.get("API_KEY")

# Paths - Validate
base = Path("/data").resolve()
file_path = (base / filename).resolve()
if not file_path.is_relative_to(base):
    raise ValueError("Invalid path")

CI Integration

# .github/workflows/security.yml
- run: bandit -r src/ -ll
- run: pip-audit
- run: detect-secrets scan --all-files

For detailed patterns, see:

VULNERABILITIES.md - Full vulnerability examples
CI_SECURITY.md - Complete CI workflow

Audit Checklist

Code:
- [ ] No SQL injection (parameterized queries)
- [ ] No command injection (no shell=True)
- [ ] No hardcoded secrets
- [ ] No weak crypto (MD5/SHA1)
- [ ] Input validation on external data
- [ ] Path traversal prevention

Dependencies:
- [ ] pip-audit clean
- [ ] Minimal dependencies
- [ ] From trusted sources

CI:
- [ ] Security scan on every PR
- [ ] Weekly dependency scan

Learn More

This skill is based on the Security section of the Guide to Developing High-Quality Python Libraries by Will McGinnis. See these posts for deeper coverage: