Flask scanner
shadowaudit's Flask scanner uses regex-based decorator pattern matching to extract route definitions from .py files.
How it works
The scanner reads each .py file line-by-line and matches decorator patterns like @app.route('/path') and @bp.route('/path'). No Python runtime is required.
Detected patterns
Pattern 1 — @app.route() decorator
from flask import Flask
app = Flask(__name__)
@app.route('/users')
def get_users():
return []
@app.route('/products')
def get_products():
return []
Pattern 2 — Blueprint routes
from flask import Blueprint
bp = Blueprint('api', __name__)
@bp.route('/orders')
def get_orders():
pass
Pattern 3 — Path parameters
Flask uses <param> syntax — converted to OpenAPI {param}:
@app.route('/users/<id>')
def get_user(id):
pass
# → GET /users/{id}
@app.route('/users/<int:user_id>/posts/<post_id>')
def get_post(user_id, post_id):
pass
# → GET /users/{user_id}/posts/{post_id}
Pattern 4 — Multi-method routes
@app.route('/items', methods=['GET', 'POST'])
def items():
pass
# → GET /items + POST /items (two routes generated)
Example scan output
shadowaudit --dir ./src --spec openapi.json --framework flask
[INFO] Running Flask route scanner...
[✓] Found 12 Flask routes in ./src
[INFO] GET /users → app.py:8 [no auth]
[INFO] POST /users → app.py:11 [no auth]
[INFO] GET /admin → app.py:15 [auth]
[INFO] GET /health → app.py:20 [no auth]
Auth detection
shadowaudit detects Flask auth by scanning the decorator line and up to 10 lines below for auth patterns:
from flask_login import login_required
@app.route('/admin')
@login_required
def admin():
pass
Hardcoded Flask auth patterns
@login_required @permission_required login_required
permission_required current_user g.user
session.get jwt_required token_required
requires_auth is_authenticated check_auth
authenticate authorize
Auto-detection
Flask projects are auto-detected when requirements.txt or pyproject.toml contains flask.
Tested on
Scanned pallets/flask (the Flask framework itself) — 3 internal routes detected correctly.