{"id":5198,"library":"dodgy","title":"Dodgy: Python Code Linter for Sensitive Information","description":"Dodgy is a basic static analysis tool that scans a Python codebase for 'dodgy' looking values. It uses simple regular expressions to flag patterns such as accidentally committed SCM diff markers, hardcoded passwords, and secret keys. It was written for open-source projects, where such values would be published to the world; it can also be used in private projects, but its limited configurability means it will flag values that are harmless there. The project has had no release since 0.2.1 in December 2019 and appears to be inactive.","status":"abandoned","version":"0.2.1","language":"en","source_language":"en","source_url":"https://github.com/landscapeio/dodgy","tags":["linter","static analysis","code quality","security","secrets detection"],"install":[{"cmd":"pip install dodgy==0.2.1","lang":"bash","label":"Install with pip (pinned to the last release)"}],"dependencies":[],"imports":[],"quickstart":{"code":"cd /path/to/your/project && dodgy","lang":"bash","description":"Run Dodgy from the root of the project you want to check; it scans the current working directory and prints any matches as JSON. Running it as a pre-commit hook catches accidental commits before they reach a shared repository."},"warnings":[{"fix":"Prefer an actively maintained secrets scanner such as detect-secrets, gitleaks or trufflehog. bandit flags hardcoded password strings (checks B105-B107) but is a general security linter, not a secrets scanner.","message":"The `dodgy` project is marked 'Inactive' on PyPI and its last release (0.2.1) was in December 2019. It will not receive updates, bug fixes or new detection patterns, so its regular expressions will not keep up with newer credential formats and false negatives should be expected.","severity":"breaking","affected_versions":"<=0.2.1"},{"fix":"Test it on your interpreter before relying on it. Note that prospector still bundles dodgy as one of its tools, so running dodgy through prospector gives the same checks with the same limitations; it is not a more current alternative.","message":"PyPI classifiers list support only up to Python 3.6 and the code has not been updated since. It is plain regex-based code and may well still run on newer interpreters, but nothing has been tested or fixed there.","severity":"gotcha","affected_versions":"All versions (on Python 3.7+)"},{"fix":"Install by exact name with a pinned version (`pip install dodgy==0.2.1`) and check on PyPI that the package's author and project links point at github.com/landscapeio/dodgy before installing.","message":"Short, unmaintained package names are attractive targets for typosquatted or lookalike packages, and an abandoned project is unlikely to notice or respond to abuse of its name. Make sure you are installing the legitimate `dodgy` package published by landscapeio (version 0.2.1) and not a similarly named package.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Treat dodgy as a coarse first pass. Pair it with code review or a configurable secrets scanner that supports allow-lists, inline suppressions and custom rules.","message":"The README says that in private projects dodgy will point out a lot that does not matter and that it is 'not configurable enough currently to change that': there is no way to add rules, allow-list values or suppress individual findings, so expect a high false-positive rate outside the open-source case it was written for.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-13T00:00:00.000Z","next_check":"2026-07-12T00:00:00.000Z"}
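The record above describes dodgy as a set of simple regular expressions for SCM residue and hard-coded credentials, and warns that it cannot be configured to suppress harmless matches. The following is an added example, not dodgy's own code and not taken from the landscapeio repository: a minimal scanner in the same spirit that also shows the two things dodgy lacks, a placeholder filter and an inline `# nosecret` suppression marker. The patterns, the marker name and the sample input are all my own assumptions.

```python
import re
import sys
from typing import Iterable, List, NamedTuple

# Added example: a minimal regex-based scanner for "dodgy" looking values,
# written to illustrate the approach described on the page. The patterns and
# the "# nosecret" suppression marker are assumptions of this example, not
# features of the dodgy package.


class Finding(NamedTuple):
    line: int      # 1-based line number
    code: str      # short category, e.g. "password" or "diff"
    message: str
    text: str      # the offending line


# SCM residue: merge-conflict markers and pasted unified-diff headers.
DIFF_PATTERNS = [
    re.compile(r"^(?:<<<<<<< |=======$|>>>>>>> )"),
    re.compile(r"^(?:diff --git |\+\+\+ b/|--- a/|@@ -\d+)"),
]

# Hard-coded credentials. Patterns that capture a literal value name it
# "value" so the placeholder filter below can inspect it.
SECRET_PATTERNS = [
    ("password", re.compile(
        r"""(?i)(?:pass(?:word|wd)?|passphrase)\s*[:=]\s*["'](?P<value>[^"']{4,})["']""")),
    ("secret", re.compile(
        r"""(?i)(?:secret|api|private|access)(?:[_-]?access)?[_-]?key\s*[:=]\s*["'](?P<value>[^"']{8,})["']""")),
    # AWS access key IDs have a fixed shape: "AKIA" followed by 16 upper-case alphanumerics.
    ("aws_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# Values that are obviously not real credentials. dodgy has no such filter,
# which is one source of the false positives its README warns about.
PLACEHOLDER = re.compile(
    r"(?i)^(?:<[^>]*>|\$\{[^}]*\}|\{\{.*\}\}|changeme|password|secret|example|x+|\*+|\.\.\.)$")

SUPPRESS_MARKER = "# nosecret"   # assumed inline allow-list marker for this example


def is_placeholder(value: str) -> bool:
    return PLACEHOLDER.match(value.strip()) is not None


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan text line by line; returns one Finding per (line, category) hit."""
    findings: List[Finding] = []
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if SUPPRESS_MARKER in line:          # explicit, reviewed suppression
            continue
        if any(p.match(line) for p in DIFF_PATTERNS):
            findings.append(Finding(number, "diff", "SCM diff or merge-conflict residue", line))
        for code, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            value = match.groupdict().get("value") or match.group(0)
            if is_placeholder(value):        # "<your key here>", "changeme", "${VAR}" ...
                continue
            findings.append(Finding(number, code, f"possible hard-coded {code}", line))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample input for this example (not from any real project).
SAMPLE = """\
import os

DB_PASSWORD = "hunter2!"                     # literal: flagged
ADMIN_PASSWORD = os.environ["ADMIN_PASSWORD"]   # read from the environment: fine
TEST_PASSWORD = "changeme"                     # obvious placeholder: skipped
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"    # has the real key-id shape: flagged
SECRET_KEY = "dev-only-not-real-0123456789"  # nosecret
<<<<<<< HEAD
API_KEY = "<your api key here>"
=======
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [f for p in paths for f in scan_file(p)] if paths else scan_lines(SAMPLE.splitlines())
    for f in results:
        print(f"{f.line}: {f.code}: {f.message}: {f.text.strip()}")
    sys.exit(1 if results else 0)
```

Run without arguments it scans the embedded sample and reports lines 3, 6, 8 and 10; with file paths it scans those files and exits non-zero on any finding, which is the behaviour a pre-commit hook needs. The placeholder filter and suppression marker are exactly the kind of escape hatch the configurability warning above says dodgy does not offer, and they are also where a scanner can be talked into silence, so review any `# nosecret` in a diff as carefully as the value it hides.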