The Python Static Analyzer Pysa performs taint analysis to identify potential security problems. Pysa traces data flows from their sources (where untrusted data enters) to their sinks (where it is consumed) and flags code in which such a flow reaches a sink without being sanitized.


Pysa uses two file types for configuration:

  • a taint.config file in JSON format, in which sources, sinks, features and rules are defined:

    {
      "comment": "UserControlled, Test, Demo sources are predefined. Same for Demo, Test and RemoteCodeExecution sinks",
      "sources": [],
      "sinks": [],
      "features": [],
      "rules": []
    }

  • files with the extension .pysa in the directory configured with taint_models_path in your .pyre_configuration file. These model files annotate functions and parameters of the analysed code as sources, sinks or sanitizers.

You can find practical examples in the Pyre repository.
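To make the two file types concrete, here is a constructed example that is not part of the original page: a taint.config declaring a custom source category (QueryParam), a custom sink category (ShellCommand) and one rule joining them, the matching .pysa model, and the code under analysis in an assumed module named app. The category names, the module name, the rule code 5001 and the FAKE_REQUEST stand-in are all assumptions. The model declares shlex.quote as a sanitizer, so Pysa reports the unquoted variant but not the quoted one; without that sanitizer line both handlers would be reported.

```python
"""Constructed Pysa example (not from the original page): custom source/sink
categories, the rule joining them, the .pysa model, and the analysed code.
Assumptions: the analysed module is named `app`, category names and the rule
code 5001 are arbitrary, FAKE_REQUEST stands in for a real request object."""
import json
import shlex
import subprocess
from pathlib import Path


def taint_config_dict() -> dict:
    """taint.config: declare the categories and the rule that reports a flow."""
    return {
        "sources": [{"name": "QueryParam", "comment": "value of an HTTP query parameter"}],
        "sinks": [{"name": "ShellCommand", "comment": "string handed to a shell"}],
        "features": [],
        "rules": [{
            "name": "Query parameter reaches a shell command",
            "code": 5001,  # arbitrary; must be unique among the rules
            "sources": ["QueryParam"],
            "sinks": ["ShellCommand"],
            "message_format": "Data from [{$sources}] may reach [{$sinks}]",
        }],
    }


TAINT_CONFIG = json.dumps(taint_config_dict(), indent=2)

# app.pysa: goes into the taint_models_path directory and annotates the code below.
# shlex.quote is declared a sanitizer, so the quoted flow is not reported.
PYSA_MODEL = """\
def app.request_argument(name) -> TaintSource[QueryParam]: ...
def app.run_command(command: TaintSink[ShellCommand]): ...
@Sanitize
def shlex.quote(s): ...
"""


def write_config(target_dir: Path) -> list[Path]:
    """Write taint.config and models/app.pysa under target_dir; return the paths."""
    config_path = target_dir / "taint.config"
    model_path = target_dir / "models" / "app.pysa"
    model_path.parent.mkdir(parents=True, exist_ok=True)
    config_path.write_text(TAINT_CONFIG)
    model_path.write_text(PYSA_MODEL)
    return [config_path, model_path]


# ---- code under analysis (module `app`) -----------------------------------
FAKE_REQUEST = {"name": "Alice"}  # constructed stand-in for a request object


def request_argument(name: str) -> str:
    """Modelled as TaintSource[QueryParam]: returns attacker-controllable data."""
    return FAKE_REQUEST.get(name, "")


def run_command(command: str) -> str:
    """Modelled as TaintSink[ShellCommand]: the string is interpreted by a shell."""
    return subprocess.run(command, shell=True, capture_output=True,
                          text=True, check=False).stdout


def build_greeting(name: str) -> str:
    # Unquoted concatenation: a QueryParam value reaching run_command trips rule 5001.
    return "echo Hello " + name


def build_greeting_safe(name: str) -> str:
    # shlex.quote makes the value a single shell word; modelled as a sanitizer.
    return "echo Hello " + shlex.quote(name)


def handle_vulnerable() -> str:
    return run_command(build_greeting(request_argument("name")))


def handle_hardened() -> str:
    return run_command(build_greeting_safe(request_argument("name")))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for path in write_config(Path(tmp)):
            print(path.name, path.read_text(), sep="\n")
    print(handle_hardened().strip())
```

Running the module writes the two configuration files to a temporary directory and executes the hardened handler. To analyse the module with Pysa, the taint.config and the models directory have to sit where the .pyre_configuration's taint_models_path points, and the module must actually be importable as app so that the qualified names in the model resolve.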


Pysa is run through Pyre, for example with

$ pipenv run pyre analyze --save-results-to ./

The --save-results-to option stores the detailed results in ./taint-output.json.

Pysa postprocessor


The Static Analysis Post Processor (SAPP) is installed with

$ pipenv install fb-sapp


  1. Parsing the JSON output file, for example with

    $ pipenv run sapp --database-name sapp.db analyze ./taint-output.json

    The results are stored in the local SQLite file sapp.db.

  2. Exploring the problems with

    $ pipenv run sapp --database-name sapp.db explore

    This starts an IPython interface connected to the SQLite database:

    lists all issues

    issue 1
        selects the first issue

    shows the data flow from source to sink

    jumps to the next call

    shows the source code of the call

    jump 1
        jumps to the first call and shows the source code

Further commands are documented in the SAPP command-line interface.