🔱 Building Netra Security: Creating a Python-Based Static Application Security Testing (SAST) Tool
As a cybersecurity student, I've always been curious about how tools like SonarQube, Semgrep, and other Static Application Security Testing (SAST) platforms identify vulnerabilities before software reaches production.
Instead of just learning how to use these tools, I wanted to understand how they work internally. That curiosity led me to build Netra Security, a lightweight SAST platform developed using Python.
In this article, I'll share the motivation behind the project, how it works, and what I learned while building it.
What is Netra Security?
Netra Security is a Python-based static code analysis tool designed to identify common security vulnerabilities directly from source code.
The name Netra is inspired by the concept of the "third eye," representing the ability to detect hidden security issues before they become exploitable vulnerabilities.
The goal was not to create a replacement for enterprise security scanners but to learn the fundamentals of:
- Static code analysis
- Secure coding practices
- Vulnerability detection
- Abstract Syntax Tree (AST) analysis
- Security tooling development
The Problem
Many security vulnerabilities are introduced during development.
Common examples include:
os.system(user_input)
eval(user_input)
exec(user_input)
pickle.loads(user_data)
subprocess.run(user_input, shell=True)
These patterns can lead to:
- Command Injection
- Code Injection
- Arbitrary Code Execution
- Insecure Deserialization
The idea behind Netra Security is simple:
Detect insecure coding patterns before they become security incidents.
Version 1: Rule-Based Detection
The first version of Netra Security relied on string matching and regular expressions.
Example rule:
{
"id": "NETRA-001",
"pattern": "os.system(",
"issue": "Command Injection",
"severity": "CRITICAL"
}
The scanner reads source code line by line and checks whether dangerous patterns appear.
This approach was easy to implement and worked surprisingly well for basic detection.
However, it had a major problem.
False Positives
Consider:
message = "Never use eval() in production"
A simple string scanner would incorrectly flag this as a vulnerability even though it is only text.
This limitation motivated the next step.
Introducing AST Analysis
Python provides a built-in module called ast (Abstract Syntax Tree).
AST converts source code into a tree structure that represents the actual logic of the program.
For example:
os.system(user)
becomes a function call node.
Instead of searching for text, we can inspect the code structure itself.
Example:
for node in ast.walk(tree):
if isinstance(node, ast.Call):
if isinstance(node.func, ast.Attribute):
if node.func.attr == "system":
print("Command Injection Risk")
This significantly reduces false positives and provides more reliable results.
Vulnerabilities Currently Detected
Netra Security currently detects:
| ID | Vulnerability | Severity |
|---|---|---|
| NETRA-001 | Command Injection | Critical |
| NETRA-002 | Code Injection | Critical |
| NETRA-003 | Hardcoded Password | High |
| NETRA-004 | Hardcoded API Key | High |
| NETRA-005 | Arbitrary Code Execution | Critical |
| NETRA-006 | Insecure Deserialization | High |
| NETRA-007 | Dangerous Subprocess Usage | High |
Each finding includes:
- Rule ID
- Severity
- Line Number
- Vulnerable Code
- Remediation Recommendation
Sample Output
=== NETRA SECURITY REPORT ===
Total Findings: 5
ID : NETRA-001
Severity : CRITICAL
Issue : Command Injection
Line : 13
Code : os.system(user)
Fix : Use subprocess.run(..., shell=False)
Lessons Learned
Building Netra Security taught me several important concepts:
Static Analysis Is More Complex Than It Looks
Initially, I assumed security scanning was mostly pattern matching.
In reality, reducing false positives is one of the hardest challenges.
AST Is Extremely Powerful
AST enables analysis based on code behavior rather than raw text.
This is how many professional security tools achieve better accuracy.
Security and Development Are Closely Connected
Developers who understand security can prevent many vulnerabilities before they reach production.
Future Improvements
The project is still evolving.
Planned features include:
- Additional OWASP Top 10 checks
- Multi-file project scanning
- Folder-level analysis
- Web-based dashboard using Flask
- JSON and CSV report exports
- Risk scoring engine
- CI/CD integration
- GitHub repository scanning
Final Thoughts
Building Netra Security gave me a much deeper understanding of how static analysis tools work and how vulnerabilities can be detected before software is deployed.
The project started as a simple pattern-matching scanner and gradually evolved into an AST-powered security analysis engine.
There is still a long way to go, but that's what makes cybersecurity and software engineering exciting—there is always something new to learn and improve.
If you're learning Python, cybersecurity, or application security, I highly recommend building your own security tools. You'll learn far more than simply using existing ones.
Thanks for reading!
GitHub Repository:
Netra-security
Top comments (0)