Linting and Security tools for python code

By Webner

What is a linter?

Linters are tools that analyze source code to detect various categories of lint. They help keep code better organized, report warnings and errors, and so improve code quality. Linters can be broadly categorized as follows:

  1. Logical Lint

    • Code errors
    • Code with potentially unintended results
    • Dangerous code patterns
  2. Stylistic Lint

    • Code not conforming to defined convention

There are several linting tools available, such as:

  1. Pylint
  2. Pyflakes
  3. Pycodestyle
  4. Pydocstyle

Flake8

Flake8 is a linting tool that detects both logical and stylistic lint. It adds the style and complexity checks of pycodestyle to the logical-lint detection of PyFlakes. It combines the following linters:

  • PyFlakes – checks for logical issues
  • pycodestyle (formerly pep8) – checks styling conventions
  • mccabe – checks complexity

Reasons to choose Flake8

In comparison with Pylint, one of the oldest and most popular linters available, Flake8 takes a fraction of the time Pylint needs to generate reports. Unlike Pylint it is not complicated, yet its reports are very comprehensive: Flake8 offers simplicity without compromising useful functionality.
Install Flake8 from the command line using pip. The syntax is as follows:

pip3 install flake8

You can use the linter with any text editor; we'll be using it with Sublime Text 3. From the command palette, install two packages: SublimeLinter and SublimeLinter-flake8.
In the SublimeLinter user settings, make some changes to skip the warnings for "over-indented" (E117) and "indentation contains tabs" (W191). In our opinion these warnings are futile and you can't solve them, because they creep in even when a single level of indentation is given, which is required for e.g. an if statement.

// SublimeLinter Settings - User
{
    "linters": {
        // The name of the linter you installed
        "flake8": {
            "filter_errors": ["E117", "W191"],
            "highlight": false
        }
    }
}

Here are screenshots of the linter running in Sublime Text 3. You can hover over the box or dot to view the error or warning message.

To view all the warnings and errors together, you can run flake8 on a Python file from the command line.

The format of each output line is as follows:
file path : line number : column number : error code : short description

Prefixes of the error codes:

  • E***/W***: pep8 errors and warnings
  • F***: PyFlakes codes
  • C9**: McCabe complexity plugin mccabe
  • N8**: Naming Conventions plugin pep8-naming

Note – Here we have used the --isolated flag, which displays all the error and warning messages irrespective of the configuration settings. You can use the --ignore flag to ignore certain errors or warnings. The syntax for the ignore flag is as follows:

flake8 --ignore W191,E117 filename.py
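As an added example (not code from the original post), here is a small Python parser for that output format. It splits each line into path, line, column, code and message, classifies each finding by code prefix using the families listed above, and drops codes the way --ignore W191,E117 would. The sample report is constructed, and mapping S-codes to the flake8-bandit plugin is an assumption made here, not a statement from the post.

```python
import re
from collections import Counter

# Constructed sample of flake8 output in the "path:line:col: CODE description" format.
SAMPLE_OUTPUT = """\
app/models.py:12:1: E302 expected 2 blank lines, found 1
app/models.py:15:5: W191 indentation contains tabs
app/models.py:20:1: F401 'os' imported but unused
app/views.py:47:1: S608 Possible SQL injection vector through string-based query construction.
app/views.py:60:9: E117 over-indented
app/utils.py:3:1: C901 'load' is too complex (12)
app/utils.py:8:5: N802 function name 'LoadFile' should be lowercase
"""

LINE_RE = re.compile(
    r"^(?P<path>[^:]+):(?P<line>\d+):(?P<col>\d+): (?P<code>[A-Z]+\d+) (?P<msg>.*)$"
)

# Code prefix -> originating checker. E/W, F, C9 and N8 follow the list in the
# post; mapping "S" to flake8-bandit is an assumption of this example.
FAMILIES = [
    ("E", "pycodestyle error"),
    ("W", "pycodestyle warning"),
    ("F", "PyFlakes"),
    ("C9", "mccabe complexity"),
    ("N8", "pep8-naming"),
    ("S", "flake8-bandit"),
]


def parse_line(text):
    """Return a dict for one flake8 output line, or None if it does not match."""
    m = LINE_RE.match(text)
    if not m:
        return None
    finding = m.groupdict()
    finding["line"] = int(finding["line"])
    finding["col"] = int(finding["col"])
    return finding


def family(code):
    """Map an error code to the checker it comes from, by prefix."""
    for prefix, name in FAMILIES:
        if code.startswith(prefix):
            return name
    return "unknown"


def parse_report(output, ignore=()):
    """Parse a whole flake8 report; codes in `ignore` are skipped like --ignore."""
    findings = []
    for raw in output.splitlines():
        finding = parse_line(raw)
        if finding is None or finding["code"] in ignore:
            continue
        finding["family"] = family(finding["code"])
        findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per checker family, e.g. to spot security findings quickly."""
    return Counter(f["family"] for f in findings)


if __name__ == "__main__":
    for f in parse_report(SAMPLE_OUTPUT, ignore=("W191", "E117")):
        print(f"{f['path']}:{f['line']} [{f['family']}] {f['code']} {f['msg']}")
    print(summarize(parse_report(SAMPLE_OUTPUT)))
```

Running the block prints the report with the two ignored codes removed, then the per-family counts; in a CI job the same summary lets you fail the build only on the flake8-bandit family while treating style codes as advisory.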

Flake8 can display security warnings too, e.g.:
filename.py:47:1: S608 Possible SQL injection vector through string-based query construction.

filename.py:85:1: S314 Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called.
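To show what the first of those warnings is about, here is an added example (not from the original post) of the string-based query construction that S608 flags, next to the parameterized form that avoids it. It uses an in-memory SQLite database with constructed rows; the table and function names are assumptions of this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn, name):
    """String-based query construction: this is the pattern S608 reports.

    The caller-supplied value is spliced into the SQL text, so quote characters
    in it change the query itself rather than being treated as data.
    """
    query = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """Parameterized query: the driver binds `name` as a value, never as SQL."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


def compare(name):
    """Run both variants on the same input so the difference is visible."""
    conn = make_db()
    return {"unsafe": find_user_unsafe(conn, name), "safe": find_user_safe(conn, name)}


if __name__ == "__main__":
    print(compare("alice"))            # both variants return ["alice"]
    print(compare("x' OR '1'='1"))     # unsafe returns every row, safe returns []
```

Both functions behave identically on ordinary input, which is why the defect survives testing; only the linter finding, or an input containing a quote, reveals that the first variant lets the caller rewrite the WHERE clause. The fix the warning asks for is the second form.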

Flake8-Bandit

Although Flake8 provides information on security threats, it is not very detailed and thorough; therefore we should use a security-specific tool as well. One such tool is Bandit, which tests code for security issues. The syntax to install its Flake8 plugin is as follows:

pip3 install flake8-bandit

The plugin uses the bandit package from PyCQA. Bandit processes each file, builds an AST from it, and runs the appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report.

To learn more about this tool, read https://github.com/PyCQA/bandit and https://bandit.readthedocs.io/en/latest/index.html
Here the -r flag means ‘run’. There are other flags and features that you can learn about from the links above.
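To make the "build an AST and run plugins against its nodes" description concrete, here is an added toy checker (this is example code, not Bandit's own implementation) written with the standard library ast module. It walks a constructed sample module and reports the two patterns the messages above describe: a call to xml.etree.ElementTree.parse, and a SQL string built with the % operator. The sample source, the visitor's codes (T314/T608) and the keyword list are assumptions of this example; real Bandit plugins are more thorough.

```python
import ast

# Constructed sample module: one flagged pattern and one safe counterpart for
# each of the two warnings quoted above. It is only parsed, never executed.
SAMPLE_SOURCE = '''
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as safe_ET

def load_untrusted(path):
    return ET.parse(path)

def load_untrusted_safely(path):
    return safe_ET.parse(path)

def lookup(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name)

def lookup_safely(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

# Leading keywords treated as "this string is SQL" (assumption of the example).
SQL_KEYWORDS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")


class ToySecurityVisitor(ast.NodeVisitor):
    """Visits AST nodes and records findings as (line, toy code, message)."""

    def __init__(self):
        self.aliases = {}   # local name -> fully qualified imported module
        self.findings = []

    def visit_Import(self, node):
        # Remember "import xml.etree.ElementTree as ET" so ET.parse can be resolved.
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_Call(self, node):
        # Flag <alias>.parse(...) only when the alias refers to the stdlib parser.
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module = self.aliases.get(func.value.id)
            if module == "xml.etree.ElementTree" and func.attr == "parse":
                self.findings.append(
                    (node.lineno, "T314", "xml.etree.ElementTree.parse on untrusted data")
                )
        self.generic_visit(node)

    def visit_BinOp(self, node):
        # "<SQL text>" % value is string-based query construction.
        if (
            isinstance(node.op, ast.Mod)
            and isinstance(node.left, ast.Constant)
            and isinstance(node.left.value, str)
            and node.left.value.upper().startswith(SQL_KEYWORDS)
        ):
            self.findings.append(
                (node.lineno, "T608", "string-based SQL query construction")
            )
        self.generic_visit(node)


def scan(source):
    """Parse `source` into an AST, run the visitor, and return sorted findings."""
    visitor = ToySecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, code, message in scan(SAMPLE_SOURCE):
        print(f"<sample>:{line}: {code} {message}")
```

The visitor never executes the scanned code, which is the property that makes AST-based scanning safe to run on untrusted repositories; it also means checks are purely syntactic, so a query assembled with str.format or an f-string would need its own node rule, and that is why a dedicated tool with many plugins is worth having alongside Flake8's built-in checks.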
