This page lists every security and quality rule configured on this server, with its current enabled/disabled status and whether developers may skip it during upload. The table is generated live from the database — administrators can modify rule settings at any time.
Total Rules
205
Active
129
Skippable
61
Disabled
76
Categories
4
Rule sources: Bandit · detect-secrets · flake8
No rules match the current filter.
| Code | Rule Name | Description | Severity | Active | Skippable |
|---|---|---|---|---|---|
B102
|
Exec used | Use of exec() detected. exec() can execute arbitrary code and is a common vector for code injection attacks. | Critical | ||
B103
|
Set bad file permissions | Possible insecure use of chmod() setting overly permissive file or directory permissions (world-writable or setuid/setgid). | Critical | ||
B105
|
Hardcoded password string | Possible hardcoded password string detected. Hardcoded credentials are a critical security risk in distributed plugins and can be extracted by end users. | Critical | ||
B106
|
Hardcoded password function argument | Possible hardcoded password in a function argument. Hardcoded credentials are a critical security risk in distributed plugins and can be extracted by end users. | Critical | ||
B107
|
Hardcoded password default | Possible hardcoded password in a function default argument. Hardcoded credentials are a critical security risk in distributed plugins and can be extracted by end users. | Critical | ||
B111
|
Execute with run_as_root=True | Executing code with run_as_root=True can lead to privilege escalation vulnerabilities if the plugin is used in a privileged context. | Critical | ||
B201
|
Flask debug=True | Flask app running with debug=True exposes an interactive Werkzeug debugger that allows arbitrary code execution by anyone who can reach the server. | Critical | ||
B202
|
Tarfile unsafe members | tarfile.extractall() called without a filter may allow path traversal (zip-slip) attacks, potentially overwriting arbitrary files outside the extraction directory. | Critical | ||
B301
|
Pickle usage | Use of pickle/cPickle can lead to arbitrary code execution when deserialising untrusted data. Never unpickle data from an untrusted source. | Critical | ||
B302
|
Marshal usage | Use of the marshal module can lead to arbitrary code execution when deserialising untrusted data. Never unmarshal data from an untrusted source. | Critical | ||
B304
|
Insecure cipher | Use of an insecure cipher algorithm (e.g. DES, RC4, Blowfish). Use AES-256-GCM or ChaCha20-Poly1305 instead. | Critical | ||
B305
|
Insecure cipher mode | Use of an insecure cipher mode (e.g. ECB). ECB mode is deterministic and leaks patterns. Use GCM or CBC with proper padding. | Critical | ||
B306
|
Insecure mktemp | Use of insecure tempfile.mktemp(). A race condition (TOCTOU) exists between file name creation and file open, allowing an attacker to substitute the file. | Critical | ||
B307
|
Eval used | Use of eval() is dangerous and a common code injection vector. Avoid eval(); if required, ensure input is strictly controlled and never user-supplied. | Critical | ||
B312
|
Telnetlib usage | Use of telnetlib detected. Telnet transmits all data, including credentials, in plaintext and is inherently insecure. Use SSH instead. | Critical | ||
B321
|
FTP usage | Use of ftplib detected. FTP transmits credentials and data in plaintext and is inherently insecure. Use SFTP or FTPS instead. | Critical | ||
B323
|
Unverified SSL context | SSL/TLS context created with certificate verification disabled. This allows man-in-the-middle attacks where traffic can be intercepted and decrypted. | Critical | ||
B401
|
Import telnetlib | Import of telnetlib module. Telnet is an insecure protocol that transmits all data including credentials in cleartext. | Critical | ||
B402
|
Import ftplib | Import of ftplib module. FTP is an insecure protocol that transmits credentials in cleartext. | Critical | ||
B412
|
Import httpoxy vulnerable module | Import of a module known to be vulnerable to the httpoxy attack, which hijacks HTTP requests by abusing the HTTP_PROXY environment variable. | Critical | ||
B413
|
Import pycrypto | Import of pycrypto, which is unmaintained and has known unpatched vulnerabilities. Replace with the actively maintained cryptography package. | Critical | ||
B501
|
Request with no cert validation | HTTP request made with SSL certificate verification disabled (verify=False). This enables man-in-the-middle attacks where traffic can be intercepted. | Critical | ||
B502
|
SSL with bad version | Use of an insecure SSL/TLS protocol version (SSLv2, SSLv3, TLSv1.0, or TLSv1.1). All of these have known vulnerabilities. Use TLSv1.2 or higher. | Critical | ||
B503
|
SSL with bad defaults | SSL/TLS context created with insecure default settings such as disabled verification or weak cipher suites. | Critical | ||
B505
|
Weak cryptographic key | Weak cryptographic key detected (e.g. RSA < 2048 bits, DSA < 2048 bits, EC < 224 bits). Minimum recommended sizes are RSA 2048, EC 256. | Critical | ||
B506
|
yaml.load() used | Use of yaml.load() with an arbitrary Loader can execute arbitrary Python code embedded in the YAML. Use yaml.safe_load() instead. | Critical | ||
B507
|
SSH no host key verification | SSH connection made with host key verification disabled (AutoAddPolicy or RejectPolicy removed). This allows man-in-the-middle attacks. | Critical | ||
B601
|
Paramiko shell=True | Paramiko SSH call with shell=True executes commands via a remote shell, enabling shell injection if any part of the command comes from untrusted input. | Critical | ||
B602
|
subprocess.Popen with shell=True | subprocess.Popen() called with shell=True. Shell injection is possible if any part of the command string comes from user input. Pass arguments as a list with shell=False. | Critical | ||
B604
|
Function call with shell=True | A non-subprocess function was called with shell=True. Shell injection is possible if user-controlled data is involved. | Critical | ||
B605
|
Start process with a shell | Starting a process using a shell (os.system, os.popen, etc.). Shell injection is possible if any user-controlled input forms part of the command. | Critical | ||
B609
|
Linux wildcard injection | Possible wildcard injection in a Linux shell command (e.g. tar, find, chown with *). Unquoted wildcards can be exploited to run attacker-controlled filenames as arguments. | Critical | ||
B610
|
Django extra() used | Use of Django QuerySet.extra() with raw SQL may lead to SQL injection if any argument contains user-controlled data. | Critical | ||
B611
|
Django RawSQL used | Use of Django RawSQL() may lead to SQL injection if the query string contains user-controlled data. | Critical | ||
B612
|
Logging config insecure listen | logging.config.listen() opens a network socket that can receive and execute arbitrary Python logging configuration. This is a remote code execution risk. | Critical | ||
B613
|
Trojan Source | Unicode bidirectional control characters detected in source code. These can be used to create Trojan Source attacks where code appears different to human reviewers than to the Python interpreter. | Critical | ||
B615
|
HuggingFace unsafe download | Downloading models from HuggingFace without verification can lead to arbitrary code execution via unsafe pickle-based model formats if trust_remote_code=True is set. | Critical | ||
B701
|
Jinja2 autoescape=False | Jinja2 template engine configured with autoescape=False. This disables automatic HTML escaping and will lead to XSS vulnerabilities if any user input is rendered in templates. | Critical | ||
B101
|
Assert used | Use of assert detected. Assert statements are removed when Python is run in optimised mode (-O), potentially bypassing security-relevant checks. | Warning | ||
B104
|
Hardcoded bind all interfaces | Possible binding to all network interfaces (0.0.0.0), which may expose services beyond the intended network boundary. | Warning | ||
B108
|
Hardcoded temp directory | Probable insecure usage of a temporary file or directory. Using predictable temp paths can lead to TOCTOU (time-of-check/time-of-use) and symlink attacks. | Warning | ||
B110
|
Try/except/pass | Try/Except/Pass detected. Silently swallowing exceptions can hide security-relevant errors and make vulnerabilities harder to detect. | Warning | ||
B112
|
Try/except/continue | Try/Except/Continue detected. Silently continuing after an exception can mask security-relevant failures and leave the program in an unsafe state. | Warning | ||
B113
|
Request without timeout | HTTP request made without a timeout. Missing timeouts can lead to resource exhaustion and denial-of-service through hanging connections. | Warning | ||
B303
|
MD5/SHA1 hash function | Use of insecure MD2, MD4, MD5, or SHA1 hash function. These algorithms are cryptographically broken and must not be used for security purposes. | Warning | ||
B308
|
Mark_safe used | Use of Django's mark_safe() may expose cross-site scripting (XSS) vulnerabilities by bypassing automatic HTML escaping. | Warning | ||
B310
|
urllib urlopen | urllib.urlopen() may expose audit events and does not verify SSL certificates by default in all contexts. | Warning | ||
B311
|
Random module used | Standard pseudo-random generators (the random module) are not suitable for cryptographic or security purposes. Use the secrets module for security-sensitive random values. | Warning | ||
B313
|
XML bad cElementTree | XML parsing using cElementTree is vulnerable to XML entity expansion (XXE) and injection attacks. Use defusedxml instead. | Warning | ||
B314
|
XML bad ElementTree | XML parsing using ElementTree is vulnerable to XML entity expansion (XXE) and injection attacks. Use defusedxml instead. | Warning | ||
B315
|
XML bad expatreader | XML parsing using expatreader is vulnerable to XML entity expansion attacks. Use defusedxml instead. | Warning | ||
B316
|
XML bad expatbuilder | XML parsing using expatbuilder is vulnerable to XML entity expansion attacks. Use defusedxml instead. | Warning | ||
B317
|
XML bad sax | XML parsing using sax is vulnerable to XML entity expansion attacks. Use defusedxml instead. | Warning | ||
B318
|
XML bad minidom | XML parsing using minidom is vulnerable to XML entity expansion attacks. Use defusedxml instead. | Warning | ||
B319
|
XML bad pulldom | XML parsing using pulldom is vulnerable to XML entity expansion attacks. Use defusedxml instead. | Warning | ||
B320
|
XML bad etree | XML parsing using lxml.etree is vulnerable to XML entity expansion and injection attacks if not configured correctly. Use defusedxml instead. | Warning | ||
B324
|
Insecure hash function (hashlib) | Use of an insecure hash function via hashlib.new() or hashlib.md5/sha1 aliases. Use SHA-256 or SHA-3 for security purposes. | Warning | ||
B403
|
Import pickle | Import of the pickle module. Pickle can execute arbitrary code during deserialisation of untrusted data. Audit all usage carefully. | Warning | ||
B405
|
Import xml.etree | Import of xml.etree for XML processing. Vulnerable to XML entity expansion (XXE) attacks. Consider using defusedxml. | Warning | ||
B406
|
Import xml.sax | Import of xml.sax for XML processing. Vulnerable to XML entity expansion (XXE) attacks. Consider using defusedxml. | Warning | ||
B407
|
Import xml.dom.expatbuilder | Import of xml.dom.expatbuilder for XML processing. Vulnerable to XML entity expansion attacks. Consider using defusedxml. | Warning | ||
B408
|
Import xml.dom.minidom | Import of xml.dom.minidom for XML processing. Vulnerable to XML entity expansion attacks. Consider using defusedxml. | Warning | ||
B409
|
Import xml.dom.pulldom | Import of xml.dom.pulldom for XML processing. Vulnerable to XML entity expansion attacks. Consider using defusedxml. | Warning | ||
B504
|
SSL with no version | SSL/TLS context created without specifying a minimum protocol version. Ensure TLS 1.2+ is enforced via ssl.PROTOCOL_TLS_CLIENT. | Warning | ||
B508
|
SNMP insecure version | Use of insecure SNMP v1 or v2c. These versions transmit community strings in plaintext and have no authentication or encryption. Use SNMPv3. | Warning | ||
B509
|
SNMP weak cryptography | Use of SNMPv3 with weak or no cryptography (noAuthNoPriv or authNoPriv). Use authPriv security level with AES encryption. | Warning | ||
B603
|
subprocess without shell=True | subprocess call without shell=True. Review to confirm arguments are passed as a list and no list element is constructed from untrusted input. | Warning | ||
B606
|
Start process with no shell | Starting a process without a shell using os.execl, execle, execlp, etc. Review to ensure no argument is constructed from untrusted input. | Warning | ||
B607
|
Start process with partial path | Starting a process with a partial executable path. The executable could be replaced by a malicious one via a PATH hijacking attack. | Warning | ||
B608
|
Hardcoded SQL expression | Possible SQL injection vector through string-based query construction. Use parameterised queries or a query builder rather than string formatting. | Warning | ||
B614
|
PyTorch unsafe load | Use of torch.load() without weights_only=True can execute arbitrary code embedded in the model file when loading from an untrusted source. | Warning | ||
B702
|
Mako templates used | Use of Mako templates detected. Mako does not escape output by default, which can lead to XSS vulnerabilities if user input is rendered without explicit escaping. | Warning | ||
B703
|
Django mark_safe | Use of Django's mark_safe() or SafeData bypasses automatic HTML escaping and can introduce XSS vulnerabilities if called with untrusted content. | Warning | ||
B704
|
MarkupSafe Markup XSS | Use of markupsafe.Markup() without proper sanitisation can introduce XSS vulnerabilities by marking untrusted content as safe HTML. | Warning | ||
B109
|
Password config option not marked secret | A password-like configuration option is not marked as secret, potentially exposing it in configuration dumps, logs, or environment listings. | Info | ||
B404
|
Import subprocess | Import of the subprocess module. Review all usage to ensure commands are never constructed from untrusted user input. | Info | ||
B410
|
Import lxml | Import of lxml for XML processing. While lxml has some built-in protections, review usage for XXE vulnerabilities with untrusted XML. | Info | ||
B411
|
Import xmlrpclib | Import of xmlrpclib (xml.rpc.client in Python 3). XML-RPC can be vulnerable to XML injection if untrusted data is passed as parameters. | Info |
No rules match the current filter.
| Code | Rule Name | Description | Severity | Active | Skippable |
|---|---|---|---|---|---|
AWSKeyDetector
|
AWS access key | Detects AWS Access Key IDs (AKIA…) and AWS Secret Access Keys. Exposure can result in full AWS account compromise and significant financial damage. | Critical | ||
ArtifactoryDetector
|
Artifactory API token | Detects JFrog Artifactory API tokens and passwords. Exposure allows unauthorised access to your Artifactory artifact registry. | Critical | ||
AzureStorageKeyDetector
|
Azure Storage account key | Detects Azure Storage account keys. Exposure allows unauthorised read/write access to all data in the associated Azure Storage account. | Critical | ||
BasicAuthDetector
|
HTTP Basic Auth credentials | Detects credentials embedded in URLs using HTTP Basic Authentication syntax (e.g. https://user:password@host). Hardcoded credentials can be extracted by end users. | Critical | ||
CloudantDetector
|
IBM Cloudant credentials | Detects IBM Cloudant database credentials. Exposure allows unauthorised access to all data in the associated Cloudant database. | Critical | ||
DiscordBotTokenDetector
|
Discord bot token | Detects Discord bot tokens. Exposure allows an attacker to take full control of the Discord bot, including reading all messages it can access. | Critical | ||
GitHubTokenDetector
|
GitHub personal access token | Detects GitHub personal access tokens (ghp_, gho_, ghu_, ghs_, ghr_ prefixes). Exposure allows unauthorised access to GitHub repositories and account actions. | Critical | ||
GitLabTokenDetector
|
GitLab personal access token | Detects GitLab personal access tokens and project tokens (glpat- prefix). Exposure allows unauthorised access to GitLab repositories and CI/CD pipelines. | Critical | ||
IbmCloudIamDetector
|
IBM Cloud IAM API key | Detects IBM Cloud IAM API keys. Exposure allows unauthorised access to IBM Cloud services associated with the account. | Critical | ||
IbmCosHmacDetector
|
IBM Cloud Object Storage HMAC credentials | Detects IBM Cloud Object Storage HMAC credentials (access_key_id and secret_access_key pairs). Exposure allows unauthorised access to all data in the associated COS buckets. | Critical | ||
JwtTokenDetector
|
JWT token | Detects JSON Web Tokens (eyJ… prefix). Hardcoded JWTs embedded in source code can be used by attackers to authenticate as the token's subject. | Critical | ||
MailchimpDetector
|
Mailchimp API key | Detects Mailchimp API keys. Exposure allows unauthorised access to your Mailchimp account, including reading and modifying subscriber lists and sending campaigns. | Critical | ||
NpmDetector
|
NPM access token | Detects NPM authentication tokens (npm_… prefix). Exposure allows unauthorised publishing of packages to your npm account. | Critical | ||
OpenAIDetector
|
OpenAI API key | Detects OpenAI API keys (sk-… prefix). Exposure allows unauthorised use of your OpenAI account, leading to quota exhaustion and potential financial damage. | Critical | ||
PrivateKeyDetector
|
Private key | Detects PEM-encoded private keys (RSA, EC, DSA, OpenSSH, etc.) embedded in source code. Exposure allows an attacker to impersonate any identity associated with the key. | Critical | ||
PypiTokenDetector
|
PyPI API token | Detects PyPI upload tokens (pypi-… prefix). Exposure allows unauthorised publishing of packages to your PyPI account. | Critical | ||
SendGridDetector
|
SendGrid API key | Detects SendGrid API keys (SG.… prefix). Exposure allows unauthorised sending of emails from your SendGrid account. | Critical | ||
SlackDetector
|
Slack token | Detects Slack API tokens, webhooks, and bot tokens. Exposure allows reading Slack messages, posting as the bot, and accessing workspace data. | Critical | ||
SoftlayerDetector
|
SoftLayer (IBM Cloud) credentials | Detects SoftLayer (IBM Cloud Classic Infrastructure) API keys and usernames. Exposure allows unauthorised access to IBM Cloud Classic Infrastructure services. | Critical | ||
SquareOAuthDetector
|
Square OAuth token | Detects Square OAuth tokens and application secrets. Exposure allows unauthorised access to Square payment processing and merchant account data. | Critical | ||
StripeDetector
|
Stripe API key | Detects Stripe API keys (sk_live_, sk_test_, rk_live_ prefixes). Exposure of a live key allows reading customer data and initiating unauthorised charges. | Critical | ||
TelegramBotTokenDetector
|
Telegram bot token | Detects Telegram bot API tokens. Exposure allows an attacker to take full control of the bot, read all messages, and impersonate it to users. | Critical | ||
TwilioKeyDetector
|
Twilio API key | Detects Twilio API keys and Auth Tokens (SK… prefix). Exposure allows unauthorised sending of SMS/calls and reading of account communications. | Critical | ||
Base64HighEntropyString
|
High-entropy Base64 string | Detects high-entropy Base64-encoded strings that may be secret keys, passwords, or tokens. Review each match manually to confirm whether it is a credential. | Warning | ||
HexHighEntropyString
|
High-entropy hex string | Detects high-entropy hexadecimal strings that may be secret keys, API keys, or cryptographic material. Review each match manually to confirm whether it is a credential. | Warning | ||
KeywordDetector
|
Secret keyword | Detects assignments to variables with names suggesting secrets (password, passwd, secret, token, key, api_key, etc.). Review each match to confirm whether a real credential is hardcoded. | Warning | ||
IPPublicDetector
|
Public IP address | Detects hardcoded public IP addresses. While not a credential, hardcoded IPs can expose internal infrastructure details and prevent configuration flexibility. | Info |
No rules match the current filter.
| Code | Rule Name | Description | Severity | Active | Skippable |
|---|---|---|---|---|---|
E901
|
SyntaxError or IndentationError | Python raised a SyntaxError or IndentationError while parsing the file. The file cannot be executed in its current state. | Critical | ||
E902
|
IOError | The file could not be read (IOError). This usually indicates a file permissions issue or a missing file. | Critical | ||
E999
|
SyntaxError | A SyntaxError was raised while compiling the file. The file contains invalid Python syntax and cannot be imported or executed. | Critical | ||
F821
|
Undefined name | Undefined name used in the code. The name has not been defined in any reachable scope and will raise a NameError at runtime. | Critical | ||
F823
|
Local variable referenced before assignment | A local variable is referenced before it is assigned. This will always raise an UnboundLocalError at runtime. | Critical | ||
F831
|
Duplicate argument in function definition | Duplicate argument name in a function definition. Python raises a SyntaxError for duplicate argument names at parse time. | Critical | ||
C901
|
Function too complex | Function or method exceeds the configured McCabe complexity threshold (default 10). Highly complex functions are harder to test, review, and maintain securely. | Warning | ||
E101
|
Indentation contains mixed spaces and tabs | Indentation contains mixed spaces and tabs. Mixed indentation is parsed differently by different tools and can cause subtle logic errors. | Warning | ||
E711
|
Comparison to None using == | Comparison to None using == or !=. Use 'is None' or 'is not None' instead, as None is a singleton. | Warning | ||
E712
|
Comparison to True/False using == | Comparison to True or False using == or !=. Use 'if cond:' or 'if not cond:' instead. | Warning | ||
E713
|
Test for membership should use 'not in' | Test for membership should use 'not in x' instead of 'not x in'. The alternative form is clearer and less error-prone. | Warning | ||
E714
|
Test for identity should use 'is not' | Test for object identity should use 'is not' instead of 'not … is'. The alternative form is clearer and less error-prone. | Warning | ||
E721
|
Type comparison using == | Do not compare types using ==. Use isinstance() to support subclasses and avoid fragile type checks. | Warning | ||
E722
|
Bare except clause | Do not use a bare except clause. Catching all exceptions silently can mask unexpected errors and security-relevant failures. | Warning | ||
E731
|
Lambda assignment | Do not assign a lambda expression to a variable. Use a regular def statement instead, which is clearer and allows proper introspection. | Warning | ||
E741
|
Ambiguous variable name | Do not use single-character ambiguous variable names 'l' (lowercase L), 'O' (uppercase O), or 'I' (uppercase I) which can be visually confused with 1 and 0. | Warning | ||
E742
|
Ambiguous class name | Do not define classes named 'l', 'O', or 'I'. These single-character names are visually ambiguous with numerals. | Warning | ||
E743
|
Ambiguous function name | Do not define functions named 'l', 'O', or 'I'. These single-character names are visually ambiguous with numerals. | Warning | ||
F402
|
Import shadowed by loop variable | An import from line N was shadowed by a loop variable with the same name. This is likely a bug — the import becomes inaccessible inside the loop. | Warning | ||
F403
|
Star import used | 'from module import *' used. Star imports pollute the namespace and make it impossible to know which names are defined, potentially masking vulnerabilities. | Warning | ||
F404
|
Future import after other statements | A 'from __future__ import' statement appears after non-future imports or other code. __future__ imports must be at the top of the file to take effect. | Warning | ||
F405
|
Name may be from star import | A name may be undefined or may come from a star import. Because star imports are used, it is impossible to statically verify the name is defined. | Warning | ||
F811
|
Redefinition of unused name | Redefinition of an unused name from a previous import. The first import is overwritten before being used, likely indicating a mistake. | Warning | ||
F822
|
Undefined name in __all__ | A name listed in __all__ is not defined in the module. This will cause an AttributeError when the module is imported with 'from module import *'. | Warning | ||
F901
|
'raise NotImplemented' should be 'raise NotImplementedError' | 'raise NotImplemented' is almost certainly a bug. NotImplemented is a special singleton for use in binary special methods, not an exception. Use 'raise NotImplementedError' instead. | Warning | ||
W605
|
Invalid escape sequence | Invalid escape sequence in a string literal (e.g. '\d', '\s'). In Python 3.12+ this is a SyntaxWarning and will become an error. Use raw strings (r'...') or double the backslash. | Warning | ||
E111
|
Indentation not a multiple of four | Indentation is not a multiple of four spaces. Inconsistent indentation reduces code readability. | Info | ||
E112
|
Expected an indented block | Expected an indented block. Indicates a structural indentation error that may signal missing code. | Info | ||
E113
|
Unexpected indentation | Unexpected indentation (comment). A line is indented more than expected, indicating a possible structural error. | Info | ||
E114
|
Indentation not a multiple of four (comment) | Indentation is not a multiple of four spaces (comment). Applies to comment lines in continuation blocks. | Info | ||
E115
|
Expected an indented block (comment) | Expected an indented block (comment). A comment appears where an indented code block was expected. | Info | ||
E116
|
Unexpected indentation (comment) | Unexpected indentation (comment). A comment is more indented than the surrounding code block. | Info | ||
E117
|
Over-indented | Over-indented code. The statement is indented more than expected for the current block. | Info | ||
E121
|
Continuation line under-indented (hanging indent) | Continuation line is under-indented for a hanging indent. The closing bracket or continuation does not align with the opening delimiter. | Info | ||
E122
|
Continuation line missing indentation | Continuation line is missing indentation or is outdented relative to its opening bracket. | Info | ||
E123
|
Closing bracket does not match indentation | Closing bracket does not match the indentation of the opening bracket's line. | Info | ||
E124
|
Closing bracket does not match visual indentation | Closing bracket does not match visual indentation of the corresponding opening bracket. | Info | ||
E125
|
Continuation line with same indent as next logical line | Continuation line has the same indentation as the next logical line, making it ambiguous. | Info | ||
E126
|
Continuation line over-indented (hanging indent) | Continuation line is over-indented for a hanging indent. | Info | ||
E127
|
Continuation line over-indented (visual indent) | Continuation line is over-indented for a visual indent. | Info | ||
E128
|
Continuation line under-indented (visual indent) | Continuation line is under-indented for a visual indent. | Info | ||
E129
|
Visually indented line with same indent as next logical line | Visually indented line with same indentation as the next logical line. | Info | ||
E131
|
Continuation line unaligned (hanging indent) | Continuation line is unaligned for a block comment. | Info | ||
E133
|
Closing bracket is missing indentation | Closing bracket is missing indentation. Not all flake8 versions report this code. | Info | ||
E201
|
Whitespace after opening bracket | Whitespace immediately after an opening parenthesis, bracket, or brace. | Info | ||
E202
|
Whitespace before closing bracket | Whitespace immediately before a closing parenthesis, bracket, or brace. | Info | ||
E203
|
Whitespace before punctuation | Whitespace before a colon, semicolon, or comma. | Info | ||
E211
|
Whitespace before bracket | Whitespace before a parenthesis or bracket (e.g. in function calls or subscripts). | Info | ||
E221
|
Multiple spaces before operator | Multiple spaces before an operator, often used for alignment. Reduces readability of diffs. | Info | ||
E222
|
Multiple spaces after operator | Multiple spaces after an arithmetic or assignment operator. | Info | ||
E223
|
Whitespace (tab) before operator | A tab character appears before an operator, mixing whitespace types. | Info | ||
E224
|
Whitespace (tab) after operator | A tab character appears after an operator, mixing whitespace types. | Info | ||
E225
|
Missing whitespace around operator | Missing whitespace around an operator. Can reduce readability and occasionally cause misparse of complex expressions. | Info | ||
E226
|
Missing whitespace around arithmetic operator | Missing whitespace around an arithmetic operator (+, -, *, /). | Info | ||
E227
|
Missing whitespace around bitwise/shift operator | Missing whitespace around a bitwise or shift operator (|, &, ^, <<, >>). | Info | ||
E228
|
Missing whitespace around modulo operator | Missing whitespace around the modulo operator (%). | Info | ||
E231
|
Missing whitespace after punctuation | Missing whitespace after a comma, semicolon, or colon. | Info | ||
E241
|
Multiple spaces after comma | Multiple spaces after a comma, often used for alignment. | Info | ||
E242
|
Tab after comma | A tab character after a comma, mixing whitespace types. | Info | ||
E251
|
Unexpected spaces around keyword / parameter equals | Unexpected spaces around keyword or default parameter equals sign. | Info | ||
E261
|
At least two spaces before inline comment | At least two spaces before an inline comment are required by PEP 8. | Info | ||
E262
|
Inline comment should start with '# ' | Inline comment should start with '# ' (a hash and a single space). | Info | ||
E265
|
Block comment should start with '# ' | Block comment should start with '# ' (a hash and a single space), not '#!' or other variants. | Info | ||
E266
|
Too many leading '#' for block comment | Block comment uses too many leading '#' characters (e.g. ## comment). | Info | ||
E271
|
Multiple spaces after keyword | Multiple spaces after a keyword (if, for, while, etc.). | Info | ||
E272
|
Multiple spaces before keyword | Multiple spaces before a keyword. | Info | ||
E273
|
Whitespace (tab) after keyword | A tab character after a keyword. | Info | ||
E274
|
Whitespace (tab) before keyword | A tab character before a keyword. | Info | ||
E275
|
Missing whitespace after keyword | Missing whitespace after a keyword (e.g. if( instead of if (). | Info | ||
E301
|
Expected 1 blank line | Expected 1 blank line before a nested definition, found 0. | Info | ||
E302
|
Expected 2 blank lines | Expected 2 blank lines between top-level definitions, found fewer. | Info | ||
E303
|
Too many blank lines | Too many blank lines (3 or more). PEP 8 recommends a maximum of 2 blank lines between definitions. | Info | ||
E304
|
Blank lines found after function decorator | Blank lines found after a function decorator. There should be no blank lines between a decorator and its function. | Info | ||
E305
|
Expected 2 blank lines after end of function | Expected 2 blank lines after the end of a function or class definition, found fewer. | Info | ||
E306
|
Expected 1 blank line before nested definition | Expected 1 blank line before a nested definition (e.g. inner function or class), found 0. | Info | ||
E401
|
Multiple imports on one line | Multiple module imports on one line (e.g. import os, sys). Each import should be on its own line. | Info | ||
E402
|
Module level import not at top of file | Module level import is not at the top of the file. Imports after module-level code can cause subtle ordering issues. | Info | ||
E501
|
Line too long | Line is too long (exceeds the configured maximum line length, default 79). Long lines reduce readability. | Info | ||
E502
|
Backslash is redundant between brackets | Backslash continuation is redundant when inside brackets (parentheses, square brackets, or curly braces) which already imply line continuation. | Info | ||
E701
|
Multiple statements on one line (colon) | Multiple statements on one line separated by a colon (e.g. if cond: pass). Each statement should be on its own line. | Info | ||
E702
|
Multiple statements on one line (semicolon) | Multiple statements on one line separated by a semicolon. Each statement should be on its own line. | Info | ||
E703
|
Statement ends with a semicolon | Statement ends with an unnecessary semicolon. | Info | ||
E704
|
Statement on same line as def | Statement on the same line as def (e.g. def f(): return 1). The function body should be on the following line. | Info | ||
F401
|
Module imported but unused | Module or name imported but never used in the file. Unused imports add noise and can indicate dead code. | Info | ||
F841
|
Local variable assigned but never used | Local variable is assigned to but never used. Often indicates a bug where the result of a computation is discarded unintentionally. | Info | ||
W191
|
Indentation contains tabs | Indentation contains tab characters. PEP 8 requires spaces for indentation, and tabs can cause misalignment across editors. | Info | ||
W291
|
Trailing whitespace | Trailing whitespace at the end of a non-blank line. Trailing whitespace produces noisy diffs. | Info | ||
W292
|
No newline at end of file | No newline at the end of the file. POSIX tools and version control systems expect a trailing newline. | Info | ||
W293
|
Whitespace on blank line | Whitespace characters on a blank line. Produces noisy diffs and is invisible to most editors. | Info | ||
W391
|
Blank line at end of file | One or more blank lines at the end of the file. | Info | ||
W503
|
Line break before binary operator | Line break occurred before a binary operator. PEP 8 now recommends breaking before the operator (W504 is the conflicting rule). | Info | ||
W504
|
Line break after binary operator | Line break occurred after a binary operator. PEP 8 recommends breaking before the operator (W503 is the conflicting rule). | Info | ||
W601
|
.has_key() deprecated | dict.has_key() is deprecated in Python 3 and removed. Use 'key in dict' instead. | Info | ||
W602
|
Deprecated raise with two arguments | Deprecated form of raising an exception (raise ExcType, value). Use 'raise ExcType(value)' instead. | Info | ||
W603
|
'<>' is deprecated | Use of '<>' operator which is deprecated and removed in Python 3. Use '!=' instead. | Info | ||
W604
|
Backtick repr is deprecated | Use of backtick for repr() is deprecated and removed in Python 3. Use repr() explicitly instead. | Info |
No rules match the current filter.
| Code | Rule Name | Description | Severity | Active | Skippable |
|---|---|---|---|---|---|
FILE_SUSPICIOUS
|
Suspicious file type | A file with a suspicious extension (e.g. .exe, .dll, .so, .sh, .bat, .cmd) was found inside the plugin archive. These file types pose a significant risk and are rarely needed in a QGIS plugin. | Critical | ||
FILE_BINARY
|
Binary file | A binary file was found inside the plugin archive. Binary files cannot be reviewed for malicious code and may contain exploits or backdoors. | Warning | ||
FILE_EXECUTABLE
|
Executable file | A file inside the plugin archive has its executable bit set. Executable files increase the attack surface and may be run directly by users or scripts. | Warning | ||
FILE_HIDDEN
|
Hidden file | A hidden file (name starting with a dot) was found inside the plugin archive. Hidden files may include sensitive configuration, credentials, or development artefacts unintentionally bundled. | Info |
This table reflects the live database configuration. Administrators can change rule settings at any time via the Django admin interface.
Plugin Tags