← all rules
code/py-sqli-f-string
SQL Injection: Python f-string/format interpolation in query
What it detects
SQL query is built via f-string/format/% — both equivalent to string concatenation. Use parameterized queries (cursor.execute(sql, (x,))).
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.