Many projects already take advantage of static analysis tools like flake8, PyLint, and MyPy. Can we do better? In this talk, I'll discuss how to take a type checker, bolt on an interprocedural static analyzer, and delight your security team with high quality results.
It is incredibly challenging to build a halfway decent static analysis tool for a dynamic language like Python. Fortunately, it gets quite a bit easier with Python type annotations. To explain why, I'll present a tool that finds security vulnerabilities by tracking dangerous flows of information interprocedurally across an entire codebase. Then, I'll demonstrate how that tool is really just a slightly slower, more sophisticated, type checker.