PySpector is a State-of-the-Art Static Analysis Security Testing (SAST) framework, built in Rust for next-gen performances, made for modern Python projects and large codebases. Unlike traditional linters, PySpector utilizes a Flow-Sensitive, Inter-Procedural Taint Engine to track untrusted data across complex function boundaries and control flow structures.
By compiling the core analysis engine to a native binary, PySpector avoids the performance limitations of traditional Python-only tools. This makes it well-suited for CI/CD pipelines and local development environments where speed and scalability matter.
PySpector is designed to be both comprehensive and intuitive, offering a multi-layered analysis approach that goes beyond simple pattern matching to understand the structure and data flow of your Python application.
https://github.com/user-attachments/assets/0fe03961-0b62-4964-83ba-849f2357efba
rustc) and Cargo package manager are required. You can easily install the Rust toolchain via rustup and verify your installation by running cargo --version.It is highly recommended to install PySpector in a dedicated Python 3.14 venv.
bash
# Download Python 3.14
python3.14 -m venv venv
source venv/bin/activate
powershell
# Download Python 3.14 from the Microsoft Store and run:
python3.14 -m venv venv
.\venv\Scripts\Activate.ps1
# or, depending on the Python 3.14 installation source:
.\venv\bin\Activate.ps1
With PySpector now officially on PyPI🎉, installation is as simple as running:
pip install pyspector
Flow-Sensitive Analysis: Utilizes a Control Flow Graph (CFG) to track variable states sequentially, accurately distinguishing between safe and vulnerable code paths.
Inter-Procedural Taint Tracking: Propagates untrusted data across function boundaries using global fixed-point iteration and function summaries.
Context-Aware Summaries: Sophisticated mapping of which function parameters flow to return values, allowing for high-precision tracking through complex utility functions.
Multi-Engine Hybrid Scanning:
Regex Engine: High-speed scanning for secrets, hardcoded credentials, and configuration errors.
AST Engine: Deep structural pattern matching to find Python-specific anti-patterns.
Graph Engine: Advanced CFG and Call-Graph-based data flow analysis for complex vulnerability chains.
Fastest Market Performances: Core analysis engine implemented in Rust with Rayon for multi-threaded parallelization (allowing PySpector to scan 71% faster than Bandit, and 16.6x faster than Semgrep).
AI-Agent Security: Specialized rulesets designed to identify prompt injection, insecure tool use, and data leakage in LLM-integrated Python applications.
PySpector v0.1.5 represents a shift from partially-static pattern matching, to a full graph-based analysis engine:
PySpector's hybrid architecture is key to its performance and effectiveness.
Python CLI Orchestration: The process begins with the Python-based CLI. It handles command-line arguments, loads the configuration and rules, and prepares the target files for analysis. For each Python file, it uses the native ast module to generate an Abstract Syntax Tree, which is then serialized to JSON.
Invocation of the Rust Core: The serialized ASTs, along with the ruleset and configuration, are passed to the compiled Rust core. The handoff from Python to Rust is managed by the pyo3 library.
Parallel Analysis in Rust: The Rust engine takes over and performs the heavy lifting. It leverages the rayon crate to execute file scans and analysis in parallel, maximizing the use of available CPU cores. It builds a complete call graph of the application to understand inter-file function calls, which is essential for the taint analysis module.
Results and Reporting: Once the analysis is complete, the Rust core returns a structured list of findings to the Python CLI. The Python wrapper then handles the final steps of filtering the results based on the severity threshold and the baseline file, and generating the report in the user-specified format.
This architecture combines the best of both worlds: a flexible, user-friendly interface in Python and a high-performance, memory-safe analysis engine in Rust :)
Performance benchmarks demonstrate PySpector's competitive advantages in SAST scanning speed while maintaining comprehensive security analysis.
Performance benchmarks were executed in a deterministic and controlled environment using automated stress-testing scripts, ensuring repeatable and unbiased measurements
| Metric | PySpector | Bandit | Semgrep |
|---|---|---|---|
| Throughput | 25,607 lines/sec | 14,927 lines/sec | 1,538 lines/sec |
| Performance Advantage | 71% faster than Bandit | Baseline | 16.6x slower |
| Memory Usage | 1.4 GB average | 111 MB average | 277 MB average |
| CPU Utilization | 120% (multi-core) | 100% (single-core) | 40% |
Performance testing conducted on:
Benchmark data available in the project repository for transparency and reproducibility.
PySpector is operated through a straightforward command-line interface.
The primary command is scan, which can target a local file, a directory, or even a remote Git repository.
pyspector scan [PATH or --url REPO_URL] [OPTIONS]
pyspector scan /path/to/your/project
pyspector scan /path/to/your/project -o report.html -f html
pyspector scan --url https://github.com/username/repo.git
--wizard flag to enter the guided scan mode, perfect for 1st time users and beginners or students:pyspector scan --wizard
The watch command continuously monitors a directory or file and re-runs the scan whenever a .py file is created, modified, or deleted, ideal for real-time feedback during development.
```bash pyspector watch [PATH]
$ claude mcp add PySpector \
-- python -m otcore.mcp_server <graph>