PySpector
PySpector is a static analysis security testing (SAST) framework engineered for modern Python development workflows. It leverages a Rust core to deliver high-speed, accurate vulnerability scanning, wrapped in a developer-friendly Python CLI.
High-Performance Python/Rust Graph-Based SAST Framework
PySpector is a state-of-the-art Static Analysis Security Testing (SAST) framework, built in Rust for next-generation performance and made for modern Python projects and large codebases. Unlike traditional linters, PySpector uses a flow-sensitive, inter-procedural taint engine to track untrusted data across complex function boundaries and control flow structures.
By compiling the core analysis engine to a native binary, PySpector avoids the performance limitations of traditional Python-only tools. This makes it well-suited for CI/CD pipelines and local development environments where speed and scalability matter.
PySpector is designed to be both comprehensive and intuitive, offering a multi-layered analysis approach that goes beyond simple pattern matching to understand the structure and data flow of your Python application.
Table of Contents
- Quick Demo
- Getting Started
- Key Features
- Core Engine Architecture
- How It Works
- Performance Benchmarks
- Usage
- Plugin System
- Triaging and Baselining
- Automation and Integration
- SARIF Output and Security Tool Integration
Quick Demo
https://github.com/user-attachments/assets/0fe03961-0b62-4964-83ba-849f2357efba
Getting Started
Prerequisites
- Python: versions 3.9 through 3.12 are supported.
- Rust: the Rust compiler (`rustc`) and the Cargo package manager are required. You can install the Rust toolchain via rustup and verify the installation by running `cargo --version`.
Installation
It is highly recommended to install PySpector in a dedicated Python 3.12 venv.

Create a virtual environment:

- Linux (Bash):

  ```bash
  # Download Python 3.12
  python3.12 -m venv venv
  source venv/bin/activate
  ```

- Windows (PowerShell):

  ```powershell
  # Download Python 3.12 from the Microsoft Store and run:
  python3.12 -m venv venv
  .\venv\Scripts\Activate.ps1
  # or, depending on the Python 3.12 installation source:
  .\venv\bin\Activate.ps1
  ```

With PySpector now officially on PyPI 🎉, installation is as simple as running:

```bash
pip install pyspector
```
Key Features
- Flow-Sensitive Analysis: Utilizes a Control Flow Graph (CFG) to track variable states sequentially, accurately distinguishing between safe and vulnerable code paths.
- Inter-Procedural Taint Tracking: Propagates untrusted data across function boundaries using global fixed-point iteration and function summaries.
- Context-Aware Summaries: Maps which function parameters flow to return values, allowing high-precision tracking through complex utility functions.
- Multi-Engine Hybrid Scanning:
  - Regex Engine: High-speed scanning for secrets, hardcoded credentials, and configuration errors.
  - AST Engine: Deep structural pattern matching to find Python-specific anti-patterns.
  - Graph Engine: CFG- and call-graph-based data flow analysis for complex vulnerability chains.
- Fastest-in-class Performance: The core analysis engine is implemented in Rust with the Rayon crate for multi-threaded parallelization, allowing PySpector to scan 71% faster than Bandit and 16.6x faster than Semgrep.
- AI-Agent Security: Specialized rulesets designed to identify prompt injection, insecure tool use, and data leakage in LLM-integrated Python applications.
Core Engine Architecture
PySpector v0.1.5 represents a shift from partially static pattern matching to a full graph-based analysis engine:
- AST Parsing: Python source is converted into a structured JSON AST for semantic analysis.
- Call Graph Construction: PySpector builds a project-wide map of function definitions and call sites to enable cross-file analysis.
- CFG Generation: Each function is decomposed into a Control Flow Graph (CFG), allowing the engine to understand the order of operations and conditional Python logic.
- Fixed-Point Taint Propagation: Using a worklist algorithm, the engine propagates "taint" from defined Sources to Sinks while respecting Sanitizers that clean the data along the way.
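As an added illustration of the four steps above (example code written for this page, not PySpector's engine), the following miniature engine parses Python with the standard `ast` module, lowers each function into a control flow graph of basic blocks, and propagates taint with a worklist until the entry state of every block stops changing. The source, sanitizer and sink names, and the sample program, are constructed for the demo; the CFG only models `if` and `while`, single-target assignments, and positional sink arguments, and it is intra-procedural (no function summaries).

```python
import ast
from collections import defaultdict

# Constructed demo rules (hypothetical; PySpector ships its own rulesets).
SOURCES = {"input", "request.args.get"}
SANITIZERS = {"shlex.quote", "int"}
SINKS = {"os.system", "subprocess.call"}

def call_name(node):  # "os.system" for a call expression, else None
    return ast.unparse(node.func) if isinstance(node, ast.Call) else None

def names_in(expr):  # every Name/Attribute path referenced inside expr
    return {ast.unparse(n) for n in ast.walk(expr)
            if isinstance(n, (ast.Name, ast.Attribute))}

class CFG:
    """blocks[i] is a list of simple statements; succ[i] lists successor ids."""
    def __init__(self):
        self.blocks, self.succ = [], defaultdict(list)
    def new_block(self):
        self.blocks.append([])
        return len(self.blocks) - 1
    def build(self, stmts, cur):
        """Lower stmts into blocks starting at cur; return the fall-through block."""
        for s in stmts:
            if isinstance(s, ast.If):
                then_b, else_b, join = (self.new_block() for _ in range(3))
                self.succ[cur] += [then_b, else_b]
                for b, body in ((then_b, s.body), (else_b, s.orelse)):
                    self.succ[self.build(body, b)].append(join)
                cur = join
            elif isinstance(s, ast.While):
                head, body_b, exit_b = (self.new_block() for _ in range(3))
                self.succ[cur].append(head)
                self.succ[head] += [body_b, exit_b]
                self.succ[self.build(s.body, body_b)].append(head)  # back edge
                cur = exit_b
            else:  # other compound statements are not modelled in this demo
                self.blocks[cur].append(s)
        return cur

def transfer(stmts, tainted, findings):
    """Run one block over its entry state (gen/kill); return the exit state."""
    tainted = set(tainted)
    for s in stmts:
        if isinstance(s, ast.Assign) and isinstance(s.targets[0], ast.Name):
            target, rhs = s.targets[0].id, s.value
            if call_name(rhs) in SANITIZERS:
                tainted.discard(target)        # kill: sanitizer output is clean
            elif call_name(rhs) in SOURCES or names_in(rhs) & tainted:
                tainted.add(target)            # gen: fresh source or propagation
            else:
                tainted.discard(target)        # kill: overwritten by a clean value
        elif isinstance(s, ast.Expr) and call_name(s.value) in SINKS:
            hit = {n for a in s.value.args for n in names_in(a) & tainted}
            if hit:
                findings.add((s.lineno, call_name(s.value), tuple(sorted(hit))))
    return tainted

def analyze_function(fn):
    """Worklist fixed point: entry states only ever grow, so this terminates."""
    cfg, findings = CFG(), set()
    entry = cfg.new_block()
    cfg.build(fn.body, entry)
    state, work = {entry: set()}, [entry]
    while work:
        b = work.pop(0)
        out = transfer(cfg.blocks[b], state[b], findings)
        for s in cfg.succ[b]:
            if s not in state or not out <= state[s]:
                state[s] = state.get(s, set()) | out
                work.append(s)
    return sorted(findings)

def analyze(source):
    """Findings per top-level function: {name: [(line, sink, tainted_names)]}."""
    return {fn.name: analyze_function(fn) for fn in ast.parse(source).body
            if isinstance(fn, ast.FunctionDef)}

# Constructed sample program (not from the PySpector repository).
SAMPLE = '''import os, shlex
def run(request):
    user = request.args.get("cmd")      # source
    if request.args.get("safe"):
        cmd = shlex.quote(user)         # sanitized on this path only
    else:
        cmd = user
    os.system(cmd)                      # line 8: tainted via the else path
def ok(request):
    user = shlex.quote(request.args.get("cmd"))  # sanitizer wraps the source
    os.system(user)                     # clean, although a grep would flag it
def loop(request):
    data = "ls"
    while request.args.get("more"):
        data = request.args.get("cmd")  # taint flows around the back edge
    os.system(data)                     # line 16
'''
```

Calling `analyze(SAMPLE)` reports `run` (the `else` path reaches the sink) and `loop` (taint enters the sink via the loop's back edge, which is why a single pass is not enough and the worklist has to re-run the exit block), and reports nothing for `ok`, which a purely pattern-based check would flag. Entry states only grow, so the iteration terminates; the inter-procedural summaries described in the feature list are what let a full engine carry taint through calls into other functions.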
How It Works
PySpector's hybrid architecture is key to its performance and effectiveness.

- Python CLI Orchestration: The process begins with the Python-based CLI. It handles command-line arguments, loads the configuration and rules, and prepares the target files for analysis. For each Python file, it uses the native `ast` module to generate an Abstract Syntax Tree, which is then serialized to JSON.
- Invocation of the Rust Core: The serialized ASTs, along with the ruleset and configuration, are passed to the compiled Rust core. The handoff from Python to Rust is managed by the `pyo3` library.
- Parallel Analysis in Rust: The Rust engine takes over and performs the heavy lifting. It leverages the `rayon` crate to execute file scans and analysis in parallel, maximizing the use of available CPU cores. It builds a complete call graph of the application to understand inter-file function calls, which is essential for the taint analysis module.
- Results and Reporting: Once the analysis is complete,
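The AST-to-JSON handoff in the first step can be reproduced with the standard library. The serializer below is an added example for this page, not PySpector's own code, and its layout (a `_type` key per node, one key per AST field, `lineno`/`col_offset` where the node has them, and a tagged object for constants that are not JSON types) is an assumption, since the page does not specify PySpector's schema. It also handles the one snag such a serializer hits in practice: `bytes`, `complex` and `Ellipsis` constants are valid Python literals but not JSON values.

```python
import ast
import json


def ast_to_json(node):
    """Recursively convert an ast tree into JSON-compatible dicts and lists.

    Layout (this example's own assumption, not PySpector's schema): a "_type"
    key naming the node class, one key per AST field, and the source position
    on nodes that carry one, so findings can be mapped back to lines.
    """
    if isinstance(node, ast.AST):
        out = {"_type": type(node).__name__}
        for field, value in ast.iter_fields(node):
            out[field] = ast_to_json(value)
        if hasattr(node, "lineno"):
            out["lineno"], out["col_offset"] = node.lineno, node.col_offset
        return out
    if isinstance(node, list):
        return [ast_to_json(item) for item in node]
    if node is None or isinstance(node, (bool, int, float, str)):
        return node                      # already a JSON scalar
    # bytes, complex and Ellipsis appear as Constant values but are not JSON
    # types; tag them so the consumer cannot mistake them for real strings.
    return {"_nonjson": type(node).__name__, "repr": repr(node)}


def serialize_source(source, filename="<constructed>"):
    """Parse Python source and return the JSON text handed to a native core."""
    return json.dumps(ast_to_json(ast.parse(source, filename=filename)))


def roundtrip(source):
    """Serialize and load back, as the consumer side of the handoff would."""
    return json.loads(serialize_source(source))


# Constructed sample (not from the project): includes a bytes constant, which
# json.dumps cannot encode without the tagging above.
SAMPLE_SOURCE = "def f(x):\n    return os.system(x) + len(b'\\x00')\n"

if __name__ == "__main__":
    print(serialize_source(SAMPLE_SOURCE)[:160], "...")
```

The consumer on the Rust side only needs the `_type` key and the field names to rebuild the tree, and the positions to report findings against source lines; everything else in the document is the same data the `ast` module exposes.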