Skip to main content

Flask scanner

shadowaudit's Flask scanner uses regex-based decorator pattern matching to extract route definitions from .py files.

How it works

The scanner reads each .py file line-by-line and matches decorator patterns like @app.route('/path') and @bp.route('/path'). No Python runtime is required.

Detected patterns

Pattern 1 — @app.route() decorator

from flask import Flask

app = Flask(__name__)

@app.route('/users')
def get_users():
return []

@app.route('/products')
def get_products():
return []

Pattern 2 — Blueprint routes

from flask import Blueprint

bp = Blueprint('api', __name__)

@bp.route('/orders')
def get_orders():
pass

Pattern 3 — Path parameters

Flask uses <param> syntax — converted to OpenAPI {param}:

@app.route('/users/<id>')
def get_user(id):
pass
# → GET /users/{id}

@app.route('/users/<int:user_id>/posts/<post_id>')
def get_post(user_id, post_id):
pass
# → GET /users/{user_id}/posts/{post_id}

Pattern 4 — Multi-method routes

@app.route('/items', methods=['GET', 'POST'])
def items():
pass
# → GET /items + POST /items (two routes generated)

Example scan output

shadowaudit --dir ./src --spec openapi.json --framework flask
[INFO] Running Flask route scanner...
[✓] Found 12 Flask routes in ./src
[INFO] GET /users → app.py:8 [no auth]
[INFO] POST /users → app.py:11 [no auth]
[INFO] GET /admin → app.py:15 [auth]
[INFO] GET /health → app.py:20 [no auth]

Auth detection

shadowaudit detects Flask auth by scanning the decorator line and up to 10 lines below for auth patterns:

from flask_login import login_required

@app.route('/admin')
@login_required
def admin():
pass

Hardcoded Flask auth patterns

@login_required @permission_required login_required
permission_required current_user g.user
session.get jwt_required token_required
requires_auth is_authenticated check_auth
authenticate authorize

Auto-detection

Flask projects are auto-detected when requirements.txt or pyproject.toml contains flask.

Tested on

Scanned pallets/flask (the Flask framework itself) — 3 internal routes detected correctly.