Dodgy: Python Code Linter for Sensitive Information
Dodgy is a basic static analysis tool designed to scan Python codebases for 'dodgy' looking values. It uses simple regular expressions to detect patterns such as accidentally committed SCM diffs, hardcoded passwords, or secret keys. While initially developed for open-source projects to prevent public exposure of sensitive data, it can also be used in private projects, though its configurability is limited. The project appears to be inactive since its last release in 2019.
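To make the description above concrete, here is a minimal regex-based line scanner of the kind dodgy implements. This is an added illustration, not dodgy's own code or its actual patterns: the `LINE_CHECKS` regexes, the `Finding` structure, the skipped directory names and the sample settings file are all assumptions made for this example. Each check is a single-line pattern, which is also why such a tool produces false positives (a quoted placeholder assigned to `PASSWORD` is flagged) and false negatives (a secret built by string concatenation is not).

```python
import os
import re
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    """One suspicious line, in the spirit of a dodgy-style warning."""
    path: str
    line: int       # 1-based line number
    code: str       # short category: "diff", "password" or "secret"
    message: str


# Illustrative patterns only (assumption: these are NOT dodgy's own regexes).
# Each entry: code -> (compiled regex applied to one line, message).
LINE_CHECKS = {
    # Leftover merge-conflict markers from an SCM diff: <<<<<<<, =======, >>>>>>>
    "diff": (re.compile(r"^(<{7}|={7}|>{7})(\s|$)"),
             "Possible SCM diff marker committed to source"),
    # A password-like name assigned a quoted literal, e.g. DB_PASSWORD = "hunter2"
    "password": (re.compile(r"""(?i)(password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]"""),
                 "Possible hardcoded password"),
    # A key/token-like name assigned a quoted literal, e.g. SECRET_KEY = "..."
    "secret": (re.compile(r"""(?i)(secret_key|secret|api_key|access_key|token)\s*[:=]\s*['"][^'"]+['"]"""),
               "Possible hardcoded secret key or token"),
}

# Directories a project scan should not descend into (assumed list).
SKIP_DIRS = {".git", ".hg", ".svn", "venv", ".venv", "__pycache__", "node_modules"}


def scan_lines(path: str, lines: Iterable[str]) -> List[Finding]:
    """Apply every LINE_CHECKS pattern to each line and collect the hits."""
    findings: List[Finding] = []
    for lineno, text in enumerate(lines, start=1):
        for code, (pattern, message) in LINE_CHECKS.items():
            if pattern.search(text):
                findings.append(Finding(path, lineno, code, message))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan one source file; undecodable bytes are replaced rather than fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(path, fh)


def scan_tree(root: str) -> List[Finding]:
    """Walk a project directory and scan every .py file, skipping SCM/venv dirs."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in sorted(filenames):
            if name.endswith(".py"):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


# Constructed sample settings file; the values are placeholders, not real secrets.
SAMPLE_SETTINGS = """\
import os
<<<<<<< HEAD
DEBUG = True
=======
DEBUG = False
>>>>>>> feature/config
SECRET_KEY = "django-insecure-CONSTRUCTED-EXAMPLE"
DB_PASSWORD = "hunter2"
API_TOKEN = os.environ["API_TOKEN"]  # read from the environment: not flagged
"""


def demo() -> List[Finding]:
    """Scan the constructed sample as if it were settings.py."""
    return scan_lines("settings.py", SAMPLE_SETTINGS.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line}: [{f.code}] {f.message}")
```

Running the block reports three `diff` findings (the conflict markers on lines 2, 4 and 6), one `secret` finding (line 7) and one `password` finding (line 8); the token read from the environment on line 9 is correctly left alone. `scan_tree` shows the project-level shape of the tool: walk the tree, skip SCM and virtualenv directories, and scan each `.py` file line by line.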
Warnings
- breaking The `dodgy` project is officially marked as 'Inactive' on PyPI, with its last release in December 2019. This means it is unlikely to receive updates, bug fixes, or new feature development, potentially leading to compatibility issues with newer Python versions or false positives/negatives.
- gotcha PyPI classifiers indicate support up to Python 3.6. Running `dodgy` on Python versions 3.7+ may lead to unexpected behavior or errors due to lack of compatibility updates.
- gotcha The name 'dodgy' has been associated with various malicious packages on PyPI, leveraging typosquatting or other techniques to trick users into installing malware. Ensure you are installing the legitimate `dodgy` package from `landscapeio` (version 0.2.1) and not a similarly named malicious variant.
- gotcha The README notes that, for private projects, the tool often points out things that are not problems, and that it is 'not configurable enough currently to change that'. Expect a high number of false positives in such contexts.
Install

```shell
pip install dodgy
```

Quickstart

```shell
dodgy /path/to/your/project
```