Free, Apache-2.0, and built for local taint analysis.

scanipy is a local, private, taint-tracking SAST for Python. It follows untrusted data from a source through your code to a dangerous sink and reports the data-flow witness behind every finding, not just a pattern match. It applies the same witness-backed, per-vulnerability-class approach as the platform, packaged for one developer on one laptop.

install (from source)
git clone https://github.com/scanipy/scanipy-oss
cd scanipy-oss && pip install -e .
View on GitHub

What it does.

Most free scanners pattern-match — they flag any os.system(...) they see, whether or not attacker-controlled data can reach it. That means noise.

scanipy does taint tracking instead: it follows untrusted data from sources (like input() or a web request) to dangerous sinks (an OS command, a SQL query), and shows the source → … → sink trace. Sanitizers on the path suppress the finding.

Seven detectors ship today — OS command, SQL, and code injection, path traversal, SSRF, unsafe deserialization, and XXE — and run with zero config. The OSS engine is intra-file and Python-only by design.
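To make the source → sink idea concrete, here is an added example written for this page; it is not scanipy's engine, rule format or output. It is a toy intra-file taint tracker over Python's ast module that treats input() as a source, shlex.quote as a sanitizer and os.system as a sink, placed beside the grep-style pattern matcher the text contrasts it with. The SOURCES/SANITIZERS/SINKS tables, the two embedded programs and the finding tuple shape are all constructed for the demo.

```python
import ast

# Toy rule tables (constructed for this demo, not scanipy's rules).
SOURCES = {"input"}            # calls whose return value is attacker-controlled
SANITIZERS = {"shlex.quote"}   # calls whose return value is treated as clean
SINKS = {"os.system"}          # calls whose arguments must never be tainted


def _dotted(node):
    """Return 'os.system' for a Name/Attribute call target, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Straight-line taint tracking: assignments, concatenation, f-strings.

    No branches, functions or containers; a real engine needs full data-flow.
    """

    def __init__(self):
        self.tainted = {}    # variable name -> line of the source that tainted it
        self.findings = []   # (source_line, sink_line, sink_name)

    def _taint_of(self, node):
        """Return the source line if the expression carries taint, else None."""
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SOURCES:
                return node.lineno
            if name in SANITIZERS:
                return None                      # sanitizer breaks the flow
            for arg in node.args:                # other calls pass taint through
                t = self._taint_of(arg)
                if t is not None:
                    return t
            return None
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.BinOp):          # "ping " + host
            return self._taint_of(node.left) or self._taint_of(node.right)
        if isinstance(node, ast.JoinedStr):      # f"ping {host}"
            for part in node.values:
                if isinstance(part, ast.FormattedValue):
                    t = self._taint_of(part.value)
                    if t is not None:
                        return t
        return None

    def visit_Assign(self, node):
        t = self._taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if t is None:
                    self.tainted.pop(target.id, None)   # clean value kills taint
                else:
                    self.tainted[target.id] = t
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in SINKS:
            for arg in node.args:
                t = self._taint_of(arg)
                if t is not None:
                    self.findings.append((t, node.lineno, name))
                    break
        self.generic_visit(node)


def scan(source):
    """Taint-tracking scan: only sinks reachable from a source are reported."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


def pattern_match(source):
    """What a grep-style scanner does: flag every sink call, tainted or not."""
    return [n.lineno for n in ast.walk(ast.parse(source))
            if isinstance(n, ast.Call) and _dotted(n.func) in SINKS]


# Constructed sample programs; line numbers inside them start at 1.
VULNERABLE = """\
import os
host = input("host: ")
cmd = "ping -c1 " + host
os.system(cmd)
"""

SANITIZED = """\
import os, shlex
host = shlex.quote(input("host: "))
os.system("ping -c1 " + host)
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("sanitized", SANITIZED)):
        print(label, "taint:", scan(src), "pattern:", pattern_match(src))
```

Run it and the difference the page describes is visible: the pattern matcher flags os.system in both programs, while the tracker reports one finding with its witness (source line 2, sink line 4) for the vulnerable program and nothing for the sanitized one, because shlex.quote sits on the only path from input() to the sink.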

Real proof.

A two-line program where input() flows into os.system with no sanitizer. Here is the exact output scanipy scan prints — the witness trace shows the source → sink path:

verified output (checked byte-for-byte by the test suite)
$ scanipy scan tests/fixtures/python/vulnerable/os-command.py
HIGH python.injection.os-command [CWE-78] tests/fixtures/python/vulnerable/os-command.py:10:4
    Untrusted input reaches an OS command without sanitization, allowing an attacker to execute arbitrary commands. Prefer a list argv with shell=False, or quote inputs with shlex.quote.

    - source: tests/fixtures/python/vulnerable/os-command.py:9:11  source input
    - sink: tests/fixtures/python/vulnerable/os-command.py:10:4  sink os.system

1 finding.

The process exits 1 when a finding meets the failure gate; the sanitized counterpart produces nothing. The full walkthrough is in the end-to-end example.

Quick start.

install (Python 3.10+, from source)
git clone https://github.com/scanipy/scanipy-oss
cd scanipy-oss
pip install -e .          # the installed command is `scanipy`
scan
scanipy scan .            # scan the current project
scanipy scan app.py       # scan a single file
scanipy rules list        # list the bundled detectors

Read the full usage guide

CLI or platform.

Honest split. The CLI is the free taste; the platform is the full meal.

Reach for the CLI when

  • You want fast, local, private taint analysis on your own Python code — nothing leaves your machine.
  • You want witness-backed findings: every result shows the source → … → sink path.
  • Zero-config built-in detectors are enough — or you’re happy writing your own in YAML.
  • You don’t need cross-file analysis, multi-repo baselines, or audit logs.

Reach for the platform when

  • You need multi-language, interprocedural, cross-file taint analysis.
  • You’re scanning many private repos at org scale, across heterogeneous SCMs.
  • You want finding deduplication, baselines, and suppression across repositories.
  • You need pull-request / CI integration and auditable provenance.

Need org-scale, multi-language, cross-file scanning? See the platform