code/py-pickle-loads

Insecure deserialization: pickle.loads on untrusted data

criticalCode regexdeserializationCWE-502 ↗python

What it detects

pickle.loads executes arbitrary code during deserialization. Never use it on data that could be user-controlled.

How it runs

Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.