← all rules
code/py-command-injection
Command Injection: subprocess/os.system with shell=True
What it detects
subprocess called with shell=True on a string that includes user input allows arbitrary command execution. Pass argv as a list and leave shell=False (default).
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.