suspicious-subprocess-import (S404)
Preview (since v0.1.12)
Derived from the flake8-bandit linter.
This rule is unstable and in preview. The --preview flag is required for use.
What it does
Checks for imports of the subprocess module.
Why is this bad?
It is possible to inject malicious commands into subprocess calls. Consider possible security implications associated with this module.
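The injection risk described above, shown as an added example that is not part of the original rule documentation: the same constructed input is passed through a shell string, an argument list, and a quoted shell string. The function names and the sample input are assumptions made for this illustration, and a POSIX shell is assumed for the shell=True calls.

```python
import shlex
import subprocess  # noqa: S404  (the import this rule flags)
import sys

# Constructed input: a "file name" carrying a shell metacharacter.
UNTRUSTED = "report.txt; echo INJECTED"

# Child program that prints its first argument verbatim.
PRINT_ARG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def run_via_shell(name: str) -> str:
    """Vulnerable form: input is spliced into a string parsed by the shell."""
    result = subprocess.run(
        f"echo {name}", shell=True, capture_output=True, text=True, check=True
    )
    return result.stdout


def run_via_argv(name: str) -> str:
    """Hardened form: input is one argv element and no shell is involved."""
    result = subprocess.run(
        [*PRINT_ARG, name], capture_output=True, text=True, check=True
    )
    return result.stdout


def run_via_quoted_shell(name: str) -> str:
    """Fallback when a shell is unavoidable: quote the value first."""
    cmd = f"echo {shlex.quote(name)}"
    result = subprocess.run(
        cmd, shell=True, capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    # The shell form runs a second command; the other two treat input as data.
    print(repr(run_via_shell(UNTRUSTED)))
    print(repr(run_via_argv(UNTRUSTED)))
    print(repr(run_via_quoted_shell(UNTRUSTED)))
```

Only the shell-string form executes the text after the semicolon as a second command; the argument-list and quoted forms return the input unchanged as a single value.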