How do I automatically identify crypto best practices in Python code?

You could create a small database or dictionary ('library name' : [method1, method2]) of popular crypto libraries and from those libraries, the methods which are attributed to insecure use cases.

Then you would first search to see if the library (key) is in fact being used by the project, and if it's also using insecure methods (value). You wouldn't need to use regex; just think of how you would search for a single string in a text file. But if you wanted efficiency, it might be recommended :) and it's something fun to develop. That's just my thoughts.

You could however use SonarQube and integrate that into your build pipeline. It supports Python, and I know first-hand that it checks for weak crypto usage within C# projects. It's free and completely automated, so it's perfect for small/large teams :)

https://www.sonarqube.org

Good luck buddy!


First I would like to rephrase. You need a static analysis tool that will do some custom checks, like for security problems.

I would start with pylint, with its extensions. There is a sample checker on GitHub. The good point here is that you can incorporate that into CI/CD tools without much work. The issue here can be that the linter can be informed not to treat something as a problem. On one hand that is perfect, since md5 can be used in some areas, but that can lead to having that leak... Looking at it that way, all you can do is inform.

The other option is a security checker that is able to deal with Python code. I'm using lynis on my server. They are using plain Linux shell. In practice you can grep Python code to see if something is fishy there. I would advise going there and checking what they are looking for, and how it is done. If you don't go that way, then maybe for inspiration. False positives should also be addressed here. So the question is whether you wish to deal with it on your own, or you rely on developers...

I would start with some checks, like that md5/sha1, and then expand. Be sure it is clear what is checked, and what is wrong. That looks really tricky, but I would give it a try. Maybe an open source extension to pylint, on GitHub? That way you can get support from others! If so, let me know :)
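The first answer's 'library name' : [methods] dictionary and the second answer's "start with md5/sha1, and let a developer tell the linter a hit is acceptable" both come down to the same small checker. The block below is an added example (not code from either answer, pylint, lynis or SonarQube) that walks the Python AST rather than grepping, so aliased imports (`import hashlib as h`, `from hashlib import sha1`) and `hashlib.new("md5", ...)` are still caught. The `WEAK_CRYPTO` table, the `# crypto-ok` suppression marker and the `SAMPLE` source are all constructed for illustration; the `Crypto.Cipher` entries assume PyCryptodome-style names.

```python
"""Flag calls into crypto primitives a team has classified as weak.

Added example, not from the original answers: an AST-based checker built on
the 'library name' -> [methods] dictionary idea, resolving import aliases so
`import hashlib as h; h.md5()` is not missed.
"""
import ast
from dataclasses import dataclass

# Constructed policy table: library -> names treated as weak for security use.
# PyCryptodome entries are assumed for illustration; extend for your codebase.
WEAK_CRYPTO = {
    "hashlib": {"md5", "sha1"},
    "Crypto.Cipher": {"DES", "ARC4"},
}

# Assumed inline marker letting a developer accept one flagged line (e.g. a
# non-security checksum), mirroring "tell the linter it's fine" - the
# checker still only informs; it never blocks on its own.
SUPPRESS_MARKER = "# crypto-ok"


@dataclass(frozen=True)
class Finding:
    line: int
    library: str
    method: str


class WeakCryptoVisitor(ast.NodeVisitor):
    def __init__(self, source_lines):
        self.source_lines = source_lines
        self.module_aliases = {}  # local name -> library, from `import lib [as x]`
        self.direct_names = {}    # local name -> (library, method), from `from lib import m`
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name in WEAK_CRYPTO:
                self.module_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module in WEAK_CRYPTO:
            for alias in node.names:
                if alias.name in WEAK_CRYPTO[node.module]:
                    self.direct_names[alias.asname or alias.name] = (node.module, alias.name)
        self.generic_visit(node)

    def visit_Call(self, node):
        hit = self._classify(node)
        # Honour the inline allowlist marker on the line where the call starts.
        if hit and SUPPRESS_MARKER not in self.source_lines[node.lineno - 1]:
            self.findings.append(Finding(node.lineno, *hit))
        self.generic_visit(node)  # keep descending: md5(...).hexdigest() nests a call

    def _classify(self, node):
        func = node.func
        if isinstance(func, ast.Name):                     # sha1(data)
            return self.direct_names.get(func.id)
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
            return None                                    # e.g. x.md5(...).hexdigest()
        base = func.value.id
        if base in self.direct_names:                      # DES.new(...)
            return self.direct_names[base]
        lib = self.module_aliases.get(base)
        if lib is None:
            return None
        if func.attr in WEAK_CRYPTO[lib]:                  # hashlib.md5(...) / h.md5(...)
            return (lib, func.attr)
        # hashlib.new("md5", ...) names the algorithm as a string argument.
        if lib == "hashlib" and func.attr == "new" and node.args:
            first = node.args[0]
            if isinstance(first, ast.Constant) and first.value in WEAK_CRYPTO["hashlib"]:
                return (lib, first.value)
        return None


def scan(source):
    """Return weak-crypto findings for one Python source string, in line order."""
    visitor = WeakCryptoVisitor(source.splitlines())
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample module exercising each import form and the allowlist marker.
SAMPLE = '''\
import hashlib
import hashlib as h
from hashlib import sha1
from Crypto.Cipher import DES

def fingerprint(data):
    return hashlib.md5(data).hexdigest()

def legacy(data):
    return h.new("sha1", data).hexdigest()

def checksum(data):
    return sha1(data).hexdigest()  # crypto-ok: integrity check, not security

def encrypt(key, data):
    return DES.new(key, DES.MODE_ECB).encrypt(data)

def good(data):
    return hashlib.sha256(data).hexdigest()
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: weak primitive {f.library}.{f.method}")
```

Run against `SAMPLE` this reports lines 7, 10 and 16 (md5, sha1 via `hashlib.new`, DES) and stays silent on the marked `sha1` checksum and on `sha256`. Wire `scan()` over every `.py` file in CI and you have the "inform, don't block" behaviour the second answer describes, with the accepted exceptions visible in the diff.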