June 22, 2026
Python SAST: Automate It in Your CI
Maikel Mardjan
3 min read
Python Code Audit is a fast, local-first SAST tool for analysing Python code and detecting potential security weaknesses. While it is particularly useful for auditing code written by others, it can also be used to check your own Python projects to ensure no new weaknesses are introduced into your codebase.
Python Code Audit integrates easily into CI/CD pipelines and standard code quality workflows. A CI job can be configured in just a few steps, supporting our goal of simple yet effective security tooling. This allows you to focus on reviewing findings and applying fixes based on Security by Design principles.
The CI Mode Command
To test the CI mode you need to install the CLI version of Python Code Audit with:
pip install -U codeaudit
The CI mode is enabled via the following CLI command:
codeaudit cimode [file|directory] [--output text|html|json] [--nosec True|False]
By default, the cimode scanning options behave as follows:
- Output format: text
- nosec: True (ignores lines flagged with # nosec)
Quick Local Test Run
You can test CI mode locally before integrating it into your pipeline. Simply navigate to the root of your Python project and run:
codeaudit cimode .
The dot (.) represents your current working directory.
Python Code Audit GitLab CI Integration
Enabling the default GitLab SAST security scanning is strongly discouraged. It is complex to set up and, more importantly, the default SAST tools available in your CI/CD workflow provide a false sense of security. Their validation coverage is very limited, and even basic functionality often requires an expensive paid plan.
In contrast, integrating Python Code Audit with GitLab.com is straightforward and can be completed in just a few minutes.
For GitLab CI jobs, it is recommended to always save artifacts, even when the job fails. This ensures that scan results are available for review in all cases. This is particularly useful when using the HTML report format, as it allows you to view findings directly in your browser via the CI artifacts interface.
You do not need to install Python Code Audit to integrate SAST scanning into your GitLab codebase!
To create a GitLab CI job for a robust SAST scan using Python Code Audit, simply follow the steps below:
Step 1: Create the CI Configuration File
To get started, create a file named .gitlab-ci.yml at the root of your Python project directory.
Step 2: Add the Job Configuration
Open the newly created file and paste the following configuration:
# SAST scan with Python Code Audit on GitLab.com
image: python:3.13-slim

stages:
  - scan

codeaudit-scan:
  stage: scan
  before_script:
    - python -m pip install --upgrade pip
  script:
    - pip install codeaudit
    - codeaudit --version
    - codeaudit cimode . --output html > codeaudit-output.html
  allow_failure: true
  artifacts:
    when: always
    name: "codeaudit-${CI_COMMIT_REF_NAME}"
    paths:
      - codeaudit-output.html
    expire_in: 1 week
    expose_as: "Python Code Audit Report"
This setup ensures that an HTML report is generated and saved as a CI artifact after every commit.
Important: By default, the job fails if any security weaknesses are found. While this is useful for enforcing a strict security gate, some teams prefer to let the pipeline continue, which is what allow_failure: true in the configuration above does: findings stay visible in the job result without halting ongoing development work.
After the job has finished running, you can access the results via the CI artifacts section. Click Browse artifacts and open the HTML report to view the findings directly in your browser.
In GitLab, select "Jobs" in the left menu bar, then, under coverage, select the option "Browse Artifacts". You will be redirected to the HTML report of the performed SAST scan.
For more information check the documentation.
Contributions are warmly welcomed! Whether you have suggestions, improvements, or useful CI configuration examples, please share them with us at https://github.com/nocomplexity/codeaudit.
Launch the 100% web version of Python Code Audit.