You can get these along with other great open source checks by installing Bento!
$ pip3 install bento-cli
See Bento's README for more details.
List of Checks
This check locates calls to flask.send_file() that will throw a runtime error. flask.send_file() throws a runtime error when open([filename], [mode]) is passed as the first argument without either the mimetype or attachment_filename keyword argument, because it cannot infer the MIME type from a file object.
This check detects calls to response.set_cookie() that do not have samesite set. This follows the guidance in the Flask documentation.
Flask will not autoescape Jinja templates unless their file name ends in .html, .htm, .xml, or .xhtml. This check will alert you if your template does not use one of these extensions.
flask.jsonify() is a Flask helper method which handles the correct settings for returning JSON from Flask routes. This check catches uses of json.dumps() returned from Flask routes and encourages flask.jsonify() instead.
This check recommends using Blueprint when there are too many route handlers in a single file. Blueprint encourages modularity and can greatly simplify how large applications work and provide a central means for Flask extensions to register operations on applications.
JSON Web Tokens (JWT) are used for authentication in web services. Flask packages such as flask_jwt_simple provide a framework for assigning access tokens and verifying tokens for access to Flask routes. This check catches cases where the authentication decorators may be missing from certain routes and recommends their usage for API data security.
This check discourages hardcoded usages of ENV, DEBUG, TESTING, and SECRET_KEY variables in Flask.
This check detects when the auth keyword argument is used with an http:// URL, which sends the credentials unencrypted and could expose them.
This check finds URLs passed to requests API methods that don't have a URL scheme (e.g., https://); without one, a MissingSchema exception will be thrown at runtime.
This check finds requests methods called without a timeout. Without a timeout, requests will hang forever.
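The set_cookie samesite check and the three requests checks above (auth over http://, missing URL scheme, missing timeout) can all be expressed as a walk over the Python AST of the code under review. The block below is an added example, written for this page and not Bento's own implementation; the check labels and the sample source it scans are constructed for illustration, and it only inspects literal URLs, so a URL built at runtime is not examined.

```python
import ast
from dataclasses import dataclass

# Constructed sample source (not from the page); each marked line exercises one check.
SAMPLE = '''
import requests
from flask import make_response

def view():
    resp = make_response("ok")
    resp.set_cookie("session", "abc")                                        # no samesite
    resp.set_cookie("pref", "dark", samesite="Lax")                          # fine
    requests.get("https://example.com/api")                                  # no timeout
    requests.get("example.com/api", timeout=5)                               # missing scheme
    requests.post("http://example.com/login", auth=("u", "p"), timeout=5)   # auth over http
    requests.get("https://example.com/x", auth=("u", "p"), timeout=5)       # fine
    return resp
'''

# requests helpers whose first positional argument is the URL.
REQUESTS_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


@dataclass(frozen=True)
class Finding:
    line: int
    check: str      # label chosen for this example, not a Bento check name
    message: str


def _callee(call):
    """Return (object, method) for calls like obj.method(...), else None."""
    func = call.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id, func.attr
    return None


def _kw(call, name):
    """Return the keyword node named `name`, or None if it is not passed."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw
    return None


def _literal_url(call):
    """Return the URL if it is a string literal (positional or url=), else None."""
    candidate = call.args[0] if call.args else None
    kw = _kw(call, "url")
    if kw is not None:
        candidate = kw.value
    if isinstance(candidate, ast.Constant) and isinstance(candidate.value, str):
        return candidate.value
    return None


class Checker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        callee = _callee(node)
        if callee is not None:
            obj, method = callee
            # Flask: any .set_cookie(...) call must set samesite explicitly.
            if method == "set_cookie" and _kw(node, "samesite") is None:
                self.findings.append(Finding(node.lineno, "cookie-samesite",
                                             "set_cookie() called without samesite="))
            if obj == "requests" and method in REQUESTS_METHODS:
                if _kw(node, "timeout") is None:
                    self.findings.append(Finding(node.lineno, "use-timeout",
                                                 "requests call without timeout= will hang forever"))
                url = _literal_url(node)
                if url is not None and "://" not in url:
                    self.findings.append(Finding(node.lineno, "missing-url-scheme",
                                                 "URL has no scheme; requests raises MissingSchema"))
                if url is not None and url.startswith("http://") and _kw(node, "auth") is not None:
                    self.findings.append(Finding(node.lineno, "http-auth",
                                                 "auth= sent over plain http:// exposes credentials"))
        self.generic_visit(node)


def run_checks(source):
    """Parse `source` and return its findings ordered by line number."""
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: (f.line, f.check))


if __name__ == "__main__":
    for finding in run_checks(SAMPLE):
        print(f"line {finding.line}: {finding.check}: {finding.message}")
```

Running it on the constructed sample reports the four marked lines and nothing for the two "fine" lines; the timeout check fires even for a non-literal URL, since it only needs the keyword list.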
This check looks for hardcoded AWS access tokens used in boto3 API calls.
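Both the hardcoded Flask configuration check and the hardcoded AWS credential check above reduce to the same question: is a sensitive setting assigned a literal rather than read from the environment or the provider's credential chain? The block below is an added example for this page, not Bento's code; the sample source and every literal in it are constructed placeholders, and the set of config keys and boto3 keyword names it watches is the one named on this page plus aws_session_token.

```python
import ast

# Constructed sample (not from the page); the literal values are placeholders, not real secrets.
SAMPLE = '''
import os
import boto3
from flask import Flask

app = Flask(__name__)
app.config["SECRET_KEY"] = "PLACEHOLDER-NOT-A-REAL-SECRET"        # hardcoded
app.config["DEBUG"] = True                                          # hardcoded
app.config["ENV"] = os.environ.get("FLASK_ENV", "production")       # fine
app.secret_key = os.environ["SECRET_KEY"]                           # fine

s3 = boto3.client("s3", aws_access_key_id="AKIA-PLACEHOLDER", aws_secret_access_key="PLACEHOLDER")  # hardcoded
sqs = boto3.client("sqs")                                           # fine: uses the credential chain
'''

FLASK_CONFIG_KEYS = {"ENV", "DEBUG", "TESTING", "SECRET_KEY"}
FLASK_ATTR_NAMES = {"env", "debug", "testing", "secret_key"}
AWS_CRED_KWARGS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}


def _is_literal(node):
    """True for a string, bool or int constant written directly in the source."""
    return isinstance(node, ast.Constant) and isinstance(node.value, (str, bool, int))


def _config_key(target):
    """Map app.config["KEY"] or app.key assignment targets to the config name, else None."""
    if (isinstance(target, ast.Subscript) and isinstance(target.value, ast.Attribute)
            and target.value.attr == "config"):
        key = target.slice
        if type(key).__name__ == "Index":   # Python 3.8 wraps the slice in ast.Index
            key = key.value
        if isinstance(key, ast.Constant) and key.value in FLASK_CONFIG_KEYS:
            return key.value
    if isinstance(target, ast.Attribute) and target.attr in FLASK_ATTR_NAMES:
        return target.attr.upper()
    return None


def find_hardcoded(source):
    """Return (line, description) pairs for literal Flask settings and AWS credentials."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_literal(node.value):
            for target in node.targets:
                key = _config_key(target)
                if key is not None:
                    findings.append((node.lineno, f"hardcoded Flask {key}"))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg in AWS_CRED_KWARGS and _is_literal(kw.value):
                    findings.append((node.lineno, f"hardcoded AWS credential {kw.arg}"))
    return sorted(findings)


if __name__ == "__main__":
    for line, description in find_hardcoded(SAMPLE):
        print(f"line {line}: {description}")
```

The two "fine" lines pass because their values come from os.environ or from boto3's own credential lookup, which is the pattern both checks push towards: no literal in source, so nothing to leak through version control or logs.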
This check looks for non-literal URLs in click.launch(), which could direct a browser to a malicious site.
This check makes sure that parameters match between @click.option and the function definition.