DEV Community

Vickie Li for ShiftLeft

Posted on • Originally published at blog.shiftleft.io on

Static Analysis of Python Applications

We are pleased to announce that we have updated NG SAST to use the CPG deep analyzer for the analysis of Python applications!

Python applications and the vulnerabilities they contain

As of 2020, Python was the third most popular programming language in use. Python was originally released in 1991, and since then, Python’s been used in machine learning, business intelligence, natural language processing, web development, and more.

Python is used by companies both small and large, and while this language isn’t known for causing security issues the way C or C++ is, Python applications still come with their fair share of security vulnerabilities (just as any other programming language would!).

Detecting vulnerabilities in Python applications with a SAST solution

SAST solutions are useful for detecting the presence of vulnerabilities in an application. They are less expensive than having a security engineer manually review your code, but they’re more comprehensive than a bug bounty program.

The downside, however, is that many tools present unacceptably high levels of false positives (findings that are presented as security vulnerabilities when they’re not) and false negatives (security vulnerabilities that aren’t identified). This is typically a result of only looking at the source code of a program at a superficial level.

Improving SAST results

SAST tools can improve the results they present by looking at multiple aspects of a program. By storing multiple representations of an application in a data structure, a SAST solution can gain additional information about what’s present and what’s not. Traditionally, three data structures have been commonly used for static code analysis:

  1. Abstract syntax trees: encode the general structure of a program
  2. Control-flow graphs: encode the paths of execution through a program
  3. Data-flow graphs: encode the flow of data from one part of the program to another

ShiftLeft CORE leverages all three, combining them into a single data structure called the Code Property Graph.

The Code Property Graph (CPG) is a data structure that’s designed for vulnerability discovery. It stores multiple representations of the same program, all of which contribute to the precise detection of security flaws, minimizing false positives and false negatives.

Getting Started

Ready to see how secure (or not) your Python application is? Sign up for a free account and get started with ShiftLeft CORE today!
