Fast, deterministic security scanner powered by AST analysis. 24 detection rules with framework-specific checks for Django, Flask, and FastAPI.
$ pip install mikmbr
$ mikmbr scan .
Found 3 security issue(s):
[HIGH] src/app.py:12
Rule: DANGEROUS_EXEC
CWE: CWE-95
OWASP: A03:2021 - Injection
Issue: Use of eval() allows arbitrary code execution
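The finding above is what an AST-based rule produces: the scanner walks the parsed tree rather than grepping text, so `eval(cmd)` is matched as a call node and a parameterised `cursor.execute(sql, params)` is distinguished from one that concatenates its query. The following is an added example written for this page, not mikmbr's own code. It implements three of the checks described here (dangerous exec, shell command execution, SQL built from dynamic strings); the rule id DANGEROUS_EXEC and its CWE come from the sample output above, while COMMAND_INJECTION, SQL_INJECTION, the severity defaults and the lists of shell and subprocess functions are assumptions made for the example.

```python
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str       # DANGEROUS_EXEC is from the sample output; the other ids are assumed names
    severity: str
    cwe: str
    line: int
    message: str


# Assumed call lists for the example; a full rule set would be broader.
SHELL_FUNCS = {"os.system", "os.popen"}
SUBPROCESS_FUNCS = {"subprocess.run", "subprocess.call", "subprocess.check_call",
                    "subprocess.check_output", "subprocess.Popen"}


def dotted_name(node):
    """'os.system' for an Attribute chain, 'eval' for a bare Name, None otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_dynamic_string(node):
    """True when a string is assembled at runtime: f-string, '+' or '%' operator, or .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format"


class RuleVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def report(self, rule, cwe, node, message, severity="HIGH"):
        self.findings.append(Finding(rule, severity, cwe, node.lineno, message))

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in ("eval", "exec"):
            self.report("DANGEROUS_EXEC", "CWE-95", node, f"Use of {name}() allows arbitrary code execution")
        elif name in SHELL_FUNCS:
            self.report("COMMAND_INJECTION", "CWE-78", node, f"{name}() runs its argument through a shell")
        elif name in SUBPROCESS_FUNCS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.report("COMMAND_INJECTION", "CWE-78", node, f"{name}() called with shell=True")
        elif isinstance(node.func, ast.Attribute) and node.func.attr in ("execute", "executemany") and node.args:
            if is_dynamic_string(node.args[0]):
                self.report("SQL_INJECTION", "CWE-89", node,
                            "SQL statement assembled from a dynamic string; pass values as query parameters")
        self.generic_visit(node)  # keep descending so nested calls such as eval(f(x)) are still visited


def scan_source(source, path="<input>"):
    """Run the rules over one file's source text and return findings in line order."""
    visitor = RuleVisitor()
    visitor.visit(ast.parse(source, filename=path))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input mixing unsafe calls with their safe counterparts.
SAMPLE = '''\
import os, subprocess

def lookup(conn, user_id, cmd):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = " + user_id)    # concatenation
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))  # parameterised: fine
    os.system("ls " + cmd)
    subprocess.run(["ls", cmd])                                  # argument list, no shell: fine
    subprocess.run("ls " + cmd, shell=True)
    return eval(cmd)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE, "src/app.py"):
        print(f"[{f.severity}] src/app.py:{f.line}\n  Rule: {f.rule}\n  CWE: {f.cwe}\n  Issue: {f.message}")
```

Run as a script it prints four findings in the same shape as the output above (lines 5, 7, 9 and 10 of the sample) and stays silent on the parameterised query and the list-form `subprocess.run`, which is the precision a text search cannot give.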
25+ security rules covering SQL injection, command injection, hardcoded secrets, SSRF, template injection, plus framework-specific checks for Django, Flask, and FastAPI.
Built on Python AST analysis. Scans typical repositories in seconds with zero false positives.
YAML-based configuration for custom rules, severity levels, and output formats. Perfect for CI/CD.
Three-layer detection: 12+ known patterns (AWS, GitHub), entropy analysis, and variable name detection.
Runs entirely offline. Your code never leaves your machine. No cloud required.
Every finding includes CWE/OWASP references, detailed explanations, and fix suggestions.
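The three-layer secret detection described above (known token patterns, entropy analysis, variable-name heuristics) can be shown end to end on a small AST walk. This is an added example written for this page, not mikmbr's code: the two regexes, the suspicious-name list, the 3.5 bits-per-character entropy threshold and the layer ordering are all assumptions; the sample input is constructed, and the AWS value in it is the publicly documented example key, not a live credential.

```python
import ast
import math
import re

# Layer 1: known token shapes (assumed stand-ins for the scanner's own pattern set);
# these follow the published formats of AWS access key IDs and GitHub personal access tokens.
KNOWN_PATTERNS = {
    "AWS_ACCESS_KEY_ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GITHUB_TOKEN": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Layer 3: variable names that suggest the literal is a credential (assumed list).
SUSPICIOUS_NAMES = ("password", "passwd", "secret", "token", "api_key", "apikey")


def shannon_entropy(s: str) -> float:
    """Bits per character: random key material scores high, prose scores low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source, entropy_threshold=3.5, min_len=16):
    """Return (line, layer, variable, literal) for string literals assigned to a plain name.

    3.5 bits/char is tuned for hex-encoded keys (maximum 4.0); base64 material scores
    higher, English words and short strings lower, so prose does not trip the layer.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        if not (isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)):
            continue  # only string literals can be hardcoded; os.environ lookups are fine
        literal = node.value.value
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            layer = None
            # Layer 1: the value itself has a known token shape, whatever it is called
            for pattern_name, pattern in KNOWN_PATTERNS.items():
                if pattern.search(literal):
                    layer = "pattern:" + pattern_name
                    break
            # Layer 2: long, high-entropy strings that look like key material
            if layer is None and len(literal) >= min_len and shannon_entropy(literal) >= entropy_threshold:
                layer = "entropy"
            # Layer 3: the variable name says "credential" even when the value looks ordinary
            if layer is None and literal and any(k in target.id.lower() for k in SUSPICIOUS_NAMES):
                layer = "name"
            if layer:
                findings.append((node.lineno, layer, target.id, literal))
    return findings


# Constructed sample input; the AWS key is AWS's documented example value, not a real credential.
SAMPLE = '''\
import os
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
signing_key = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
greeting = "hello world"
token = os.environ["TOKEN"]
'''

if __name__ == "__main__":
    for line, layer, name, value in find_hardcoded_secrets(SAMPLE):
        print(f"line {line}: {name} flagged by {layer} layer ({value[:8]}...)")
```

Each layer catches something the others miss: the AWS key is recognised by shape even under a neutral variable name, the short password `hunter2` has no distinctive shape or entropy and is caught only by its name, the hex signing key has neither a known prefix nor a telling name and falls to the entropy layer, and `token = os.environ["TOKEN"]` is left alone because the value is not a literal at all.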
pip install mikmbr
mikmbr scan .
mikmbr scan . --verbose
mikmbr scan . --format json
mikmbr scan . --config .mikmbr.yaml
Comprehensive coverage of OWASP Top 10 2021 + Framework-Specific Checks
Template injection (CWE-94) - Detects SSTI vulnerabilities in Jinja2, Mako, Django templates
SQL injection (CWE-89) - String concatenation, f-strings, unsafe ORM queries
Command injection (CWE-78) - os.system(), subprocess with shell=True
Hardcoded secrets (CWE-798) - Smart detection: patterns, entropy, variable names
SSRF (CWE-918) - Server-Side Request Forgery in requests, urllib
Open redirect (CWE-601) - Unvalidated redirects in Flask, Django, FastAPI
Timing discrepancy (CWE-208) - Non-constant-time password/token comparisons
Log injection (CWE-117) - Unsanitized user input in logging statements
Dependency vulnerability scanning with OSV database
Detect vulnerabilities in third-party packages with --check-deps:
mikmbr scan . --check-deps
Scans requirements.txt and pyproject.toml against OSV database for known CVEs.
Skip code analysis with --deps-only:
mikmbr scan . --deps-only
Fast dependency-only scans for CI/CD pipelines.
Powered by Google's Open Source Vulnerabilities database.
Features: CVE mapping, CVSS scores, fix recommendations
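A dependency check of this kind has three offline parts before any network call: read the exact pins out of requirements.txt, turn them into one batch query for the OSV API, and pair the answer back with the pins. The block below is an added example written for this page, not mikmbr's implementation; it targets the public OSV querybatch endpoint and its response shape, skips unpinned ranges (OSV needs an exact version for a version query), and uses a constructed requirements file with fictional package names plus a constructed response whose advisory ids are placeholders, so nothing here is a statement about any real package.

```python
import json
import re

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"  # batch endpoint of the public OSV API

# project name, optional [extras], '==' and an exact version; ranges such as '>=6.0' do not match
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([A-Za-z0-9.+!*-]+)$")


def normalise(name):
    """PEP 503 canonical project name: case-folded, runs of '-', '_' and '.' collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return [(name, version)] for exactly pinned lines; comments, options, markers and ranges are skipped."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line or line.startswith("-"):       # blank, '-r other.txt', '--index-url ...'
            continue
        line = line.split(";", 1)[0].strip()       # drop environment markers
        m = PIN_RE.match(line)
        if m:
            pins.append((normalise(m.group(1)), m.group(3)))
    return pins


def build_querybatch(pins):
    """Request body for POST /v1/querybatch: one query per pinned package."""
    return {"queries": [{"package": {"name": n, "ecosystem": "PyPI"}, "version": v} for n, v in pins]}


def match_results(pins, response):
    """Pair each pin with the advisory ids OSV returned for it; results come back in query order."""
    report = []
    for (name, version), entry in zip(pins, response.get("results", [])):
        ids = [v["id"] for v in entry.get("vulns", [])]   # an empty entry {} means no known advisories
        if ids:
            report.append((name, version, ids))
    return report


# Constructed requirements file with fictional package names.
REQUIREMENTS = """\
# constructed sample, not a real project
-r base.txt
acme-web==1.4.0
widget_utils[fast]==2.0.1 ; python_version >= "3.9"
fast-thing>=3.0     # range, not an exact pin: skipped
Report.Tool == 0.9.2
"""

# Constructed stand-in for a querybatch response; the ids are placeholders, not real advisories.
FAKE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "OSV-PLACEHOLDER-1", "modified": "2024-01-01T00:00:00Z"}]},
        {},
        {"vulns": [{"id": "OSV-PLACEHOLDER-2", "modified": "2024-01-01T00:00:00Z"},
                   {"id": "OSV-PLACEHOLDER-3", "modified": "2024-01-01T00:00:00Z"}]},
    ]
}

if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print(json.dumps(build_querybatch(pins), indent=2))   # the body you would POST to OSV_QUERYBATCH_URL
    for name, version, ids in match_results(pins, FAKE_RESPONSE):
        print(f"{name}=={version}: {', '.join(ids)}")
```

The name normalisation matters in practice: `Report.Tool` and `report-tool` are the same PyPI project, and a lookup keyed on the raw spelling can silently miss an advisory. The querybatch response carries only advisory ids and modification times, so CVSS scores and fix versions come from a second per-advisory request (`/v1/vulns/{id}`), which is the step a `--check-deps` run would add on top of this.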
CI/CD control and better developer experience
Control when builds fail with --fail-on, which suits gradual security adoption.
See surrounding code with --context N to understand issues without opening files.
A new severity level for immediate RCE threats. Four levels: CRITICAL, HIGH, MEDIUM, LOW.
Framework-specific rules and GitHub integration
Django (6 rules) - Raw SQL, mark_safe(), DEBUG=True, SECRET_KEY
Flask (6 rules) - send_file(), SSTI, debug mode, cookie security
FastAPI (5 rules) - Input validation, path traversal, CORS
Mark false positives with comments:
# mikmbr: ignore[RULE_ID]
SARIF output format for native GitHub integration:
mikmbr scan . --format sarif
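Three of the features on this page fit together in one post-processing step: the `# mikmbr: ignore[RULE_ID]` comment removes a finding, the --fail-on threshold decides the exit code, and the SARIF output is what GitHub's code scanning ingests. The block below is an added example written for this page, not mikmbr's own code. It assumes findings arrive as dicts of the fields shown in the sample output, that an ignore comment suppresses only the named rule on its own line, that --fail-on takes a severity name, and that severities map to SARIF levels as error/warning/note; the source file and findings are constructed.

```python
import json
import re

# One rule id per comment, in the documented form '# mikmbr: ignore[RULE_ID]'.
IGNORE_RE = re.compile(r"#\s*mikmbr:\s*ignore\[([A-Z0-9_]+)\]")

# Severity order from the page; the SARIF level mapping is an assumption for this example.
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
SARIF_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}


def ignored_rule(line):
    """Rule id suppressed by an ignore comment on this source line, or None."""
    m = IGNORE_RE.search(line)
    return m.group(1) if m else None


def apply_suppressions(source, findings):
    """Drop findings whose own line carries an ignore comment naming that rule."""
    lines = source.splitlines()
    kept = []
    for f in findings:
        text = lines[f["line"] - 1] if 0 < f["line"] <= len(lines) else ""
        if ignored_rule(text) != f["rule"]:   # a comment for another rule does not hide this one
            kept.append(f)
    return kept


def should_fail(findings, fail_on="HIGH"):
    """True when any remaining finding is at or above the threshold severity."""
    threshold = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)


def to_sarif(findings, tool_name="mikmbr"):
    """Minimal SARIF 2.1.0 log: one reportingDescriptor per rule, one result per finding."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["message"]},
            "properties": {"cwe": f["cwe"]},
        })
        results.append({
            "ruleId": f["rule"],
            "level": SARIF_LEVEL.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


# Constructed source file and the findings a scan of it would produce.
SAMPLE_SOURCE = '''\
import subprocess

def run(expr):
    return eval(expr)  # mikmbr: ignore[DANGEROUS_EXEC]

def shell(cmd):
    return subprocess.run(cmd, shell=True)
'''
SAMPLE_FINDINGS = [
    {"rule": "DANGEROUS_EXEC", "severity": "HIGH", "cwe": "CWE-95", "path": "src/app.py", "line": 4,
     "message": "Use of eval() allows arbitrary code execution"},
    {"rule": "COMMAND_INJECTION", "severity": "HIGH", "cwe": "CWE-78", "path": "src/app.py", "line": 7,
     "message": "subprocess.run() called with shell=True"},
]

if __name__ == "__main__":
    kept = apply_suppressions(SAMPLE_SOURCE, SAMPLE_FINDINGS)
    print(json.dumps(to_sarif(kept), indent=2))            # upload this file to code scanning
    raise SystemExit(1 if should_fail(kept, "HIGH") else 0)  # non-zero exit fails the CI job
```

Keeping the suppression tied to a specific rule id is the point of the `ignore[RULE_ID]` syntax: a comment placed for one finding cannot accidentally blanket a second, unrelated issue on the same line. The SARIF `rules` array is what lets GitHub show the CWE and description in the annotation rather than just a rule name.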
Catch vulnerabilities before they reach production. Integrate into your IDE or pre-commit hooks.
Enforce security standards across your codebase. Configure rules per project.
Automated security scanning in GitHub Actions, GitLab CI, Jenkins. Fail builds on critical issues.
Learn secure coding practices. Each finding includes CWE/OWASP references and fix suggestions.
Free, open source, and runs entirely offline.
pip install mikmbr && mikmbr scan .