{"id":51036333,"url":"https://github.com/execveat/flawed","last_synced_at":"2026-06-22T06:32:25.634Z","repository":{"id":363001598,"uuid":"1261582178","full_name":"execveat/flawed","owner":"execveat","description":"Static analysis engine for Python web-applications","archived":false,"fork":false,"pushed_at":"2026-06-06T23:18:03.000Z","size":1689,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-07T00:17:35.145Z","etag":null,"topics":["security","security-tools","static-analysis","taint-analysis"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/execveat.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-06-06T22:12:11.000Z","updated_at":"2026-06-07T00:05:01.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/execveat/flawed","commit_stats":null,"previous_names":["execveat/flawed"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/execveat/flawed","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/execveat%2Fflawed","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/execveat%2Fflawed/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/execveat%2Fflawed/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/execveat%2Fflawed/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/execveat","download_url":"https://codeload.github.com/execveat/flawed/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/execveat%2Fflawed/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34637937,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-22T02:00:06.391Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security","security-tools","static-analysis","taint-analysis"],"created_at":"2026-06-22T06:32:25.530Z","updated_at":"2026-06-22T06:32:25.628Z","avatar_url":"https://github.com/execveat.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# flawed\n\nA static-analysis engine for Python web applications. flawed builds a\nframework-aware model of a Python web app — its routes, request inputs, state\neffects, call graph, and value flow — and exposes that model as a Python library\nand a command-line tool.\n\n## Python API\n\nThe top-level `flawed` package is the analysis API — the same surface the\nbundled rules are built on, usable directly from a REPL or a script.\n`open_repo()` loads a repository's model:\n\n```python\nfrom flawed import open_repo\nfrom flawed.route import POST\n\nrepo = open_repo(\"path/to/app\")          # build (or load cached) the model\nrepo.routes                              # RouteCollection(75) [Route(GET / → index, …), …]\nrepo.routes.count_by(lambda r: \"/\".join(sorted(m.name for m in r.methods)))\n                                         # Counter({'GET': 35, 'POST': 28, 'GET/POST': 12, ...})\n\n# Which POST routes write state but declare no guard in their handler stack?\nfor route in repo.routes.accepting(POST):\n    if route.reachable.effects() and not route.full_stack.checks():\n        print(route)\n```\n\n`load_findings()` is its mirror image — comb through a scan you already ran:\n\n```python\nfrom flawed import load_findings\n\nfindings = load_findings(\"scan.json\")               # a --json or --sarif capture\nfindings.count_by(\"rule_id\").most_common(5)         # which rules fired most\nfindings.min_severity(\"high\").in_dir(\"auth/\")       # high-sev findings under auth/\nfindings.diff(load_findings(\"baseline.json\")).added # new findings vs a baseline\n```\n\nBoth return immutable, chainable collections (`group_by` / `count_by` /\n`tabulate` / `|` / slicing). See [Python API](docs/python-api.md) for the full\nsurface.\n\n## Command line\n\nflawed is also a command-line scanner that runs rule modules over a repository:\n\n```bash\nflawed                       # orientation dashboard (does not scan)\nflawed .                     # scan the current directory\nflawed scan path/to/repo     # scan a repository: L1 index + L2 semantic + L3 rules\nflawed scan . --rules-dir ./my_rules   # run your own rule modules instead of the built-ins\n```\n\nFindings stream to **stdout**, progress and diagnostics to **stderr**. See\n[CLI](docs/cli.md) for output formats (`--json`, `--sarif`), exit codes,\nbaseline diffing, and the full command list.\n\n## Documentation\n\nEnd-user docs live in [`docs/`](docs/):\n\n- **[Writing rules](docs/writing-rules.md)** — the rule-authoring guide: the\n  `@detector` contract, the objects a rule navigates, and running your own rules\n  with `--rules-dir`.\n- **[The analysis model](docs/analysis-model.md)** — what the engine models\n  (routes, inputs, effects, call graph, value flow) and how to think about it.\n- **[CLI](docs/cli.md)** — running scans, output formats, and configuration.\n- **[Python API](docs/python-api.md)** — querying the model interactively from a\n  REPL or script.\n- **[Provider authoring](docs/provider-authoring.md)** — teaching the engine a\n  new framework so your rules see its routes, inputs, and effects.\n\n## Setup\n\nflawed uses `mise` for project tools and task entry points, and `uv` for Python\ndependency resolution.\n\n```bash\nmise install   # Python + uv, pinned in mise.toml\nmise deps      # uv sync --all-extras\n```\n\n### Development\n\n```bash\nmise run install-hooks         # install the version-controlled pre-commit gate\nmise run check                 # full gate: lockfile + lint + format + mypy + layers + framework/dep/subprocess checks + tests\nmise run check -- PATH...      # scope the gate to specific files or directories\nmise run test                  # run affected tests (testmon)\nmise run test -- tests/unit/   # scope tests to a directory or file\n```\n\nThe pre-commit hook is tracked at `tools/hooks/pre-commit`; `mise run\ninstall-hooks` copies it into the repository's git hooks directory (idempotent,\nand worktree-aware). Edit the tracked file and reinstall — never edit the copy\nunder `.git/hooks/` directly.\n\n## Configuration\n\nGlobal config: `~/.config/flawed/config.yaml`\n\n```yaml\ndata_dir: \u003cpath\u003e          # where L1 cache artifacts are stored\nrepo_local: false         # true = store cache next to each repo\nobservability_enabled: true   # local run/scan metrics; set false to opt out\ntype_enrichment:\n  enable_mypy_batch: false  # opt-in experimental mypy oracle\n```\n\nBy default each scan appends local observability records — a `runs.jsonl` plus a\nper-repo `scan_metrics.jsonl` under the data dir. These are written **locally\nonly** (no network, no telemetry); set `observability_enabled: false` to turn\nthem off.\n\nPer-repo cache uses `\u003cdata_dir\u003e/owner__name/` layout. The index is cached after\nthe first run; subsequent scans skip L1 extraction.\n\n## License\n\nflawed is released under the [Apache License 2.0](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexecveat%2Fflawed","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fexecveat%2Fflawed","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexecveat%2Fflawed/lists"}