Netra-security

Published: (June 14, 2026 at 09:49 AM EDT)
4 min read
Source: Dev.to

🔱 Building Netra Security: Creating a Python-Based Static Application Security Testing (SAST) Tool

As a cybersecurity student, I've always been curious about how tools like SonarQube, Semgrep, and other Static Application Security Testing (SAST) platforms identify vulnerabilities before software reaches production.

Instead of just learning how to use these tools, I wanted to understand how they work internally. That curiosity led me to build Netra Security, a lightweight SAST platform developed using Python.

In this article, I'll share the motivation behind the project, how it works, and what I learned while building it.

What is Netra Security?

Netra Security is a Python-based static code analysis tool designed to identify common security vulnerabilities directly from source code.

The name Netra is inspired by the concept of the "third eye," representing the ability to detect hidden security issues before they become exploitable vulnerabilities.

The goal was not to create a replacement for enterprise security scanners but to learn the fundamentals of:

  • Static code analysis

  • Secure coding practices

  • Vulnerability detection

  • Abstract Syntax Tree (AST) analysis

  • Security tooling development

The Problem

Many security vulnerabilities are introduced during development.

Common examples include:

os.system(user_input)

eval(user_input)

exec(user_input)

pickle.loads(user_data)

subprocess.run(user_input, shell=True)

These patterns can lead to:

  • Command Injection

  • Code Injection

  • Arbitrary Code Execution

  • Insecure Deserialization

The idea behind Netra Security is simple:

Detect insecure coding patterns before they become security incidents.

Version 1: Rule-Based Detection

The first version of Netra Security relied on string matching and regular expressions.

Example rule:

{
    "id": "NETRA-001",
    "pattern": "os.system(",
    "issue": "Command Injection",
    "severity": "CRITICAL"
}

The scanner reads source code line by line and checks whether dangerous patterns appear.

This approach was easy to implement and worked surprisingly well for basic detection.

However, it had a major problem.

False Positives

Consider:

message = "Never use eval() in production"

A simple string scanner flags this line as a vulnerability even though eval() appears only inside a string literal and is never called. Comments and docstrings that mention a dangerous function trigger the same false alarm.

This limitation motivated the next step.

Introducing AST Analysis

Python provides a built-in module called ast (Abstract Syntax Tree).

ast.parse() converts source code into a tree of nodes that represents the program's syntactic structure rather than its text: a call becomes an ast.Call node, a string literal becomes an ast.Constant, and comments do not appear in the tree at all.

For example:

os.system(user)

becomes an ast.Call node whose func is an ast.Attribute with value os (an ast.Name) and attr "system", and whose args hold the single argument user.

Instead of searching for text, we can inspect the code structure itself.

Example:

import ast

tree = ast.parse(source)  # source: the contents of the file being scanned, as a string

for node in ast.walk(tree):
    if isinstance(node, ast.Call):                  # a function call of any kind
        if isinstance(node.func, ast.Attribute):    # called as <something>.<name>(...)
            if node.func.attr == "system":          # <name> is "system"
                print("Command Injection Risk")

Because string literals and comments never become ast.Call nodes, this removes the false positives of the text scanner. It does not remove all of them: the check above matches any .system(...) attribute call, so platform.system() would still be flagged, and it misses a call made through an alias such as import os as x; x.system(...). A sturdier rule also verifies that the receiver is the os module (tracking import aliases) and looks at whether the argument is a constant or a variable that can carry user input.
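To make the difference between the text rule and the AST rule concrete, here is an added example (my code, not from the Netra Security repository) that runs both over the same constructed module. The sample source, the alias name operating_system and the function names are made up for the demonstration. It goes slightly beyond the snippet above in two ways: it resolves plain import aliases so that a call through import os as operating_system is still caught, and it checks the receiver so that platform.system() is not reported.

```python
import ast
import re

# Constructed sample module (not real code): one genuine os.system() call reached
# through an import alias, two places where "os.system(" is only text, and an
# unrelated .system() call that an attribute-name-only AST rule would also flag.
SAMPLE = '''\
import os as operating_system
import platform

help_text = "Never call os.system( with user input"   # line 4: string literal
# os.system( is dangerous, see NETRA-001               # line 5: comment

def run(user):
    name = platform.system()                          # line 8: not os.system
    operating_system.system(user)                     # line 9: the real sink
'''

# Version-1 style rule: a raw text pattern applied line by line.
TEXT_RULE = re.compile(re.escape("os.system("))


def text_scan(source: str) -> list[int]:
    """Lines where the text pattern occurs, whatever the surrounding context."""
    return [n for n, line in enumerate(source.splitlines(), 1) if TEXT_RULE.search(line)]


def _import_aliases(tree: ast.Module) -> dict[str, str]:
    """Map bound names to imported modules, e.g. {'operating_system': 'os'}.

    Only the plain 'import m' / 'import m as x' forms are tracked; 'from os import
    system' and 'import os.path' are left out to keep the example short.
    """
    aliases: dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
    return aliases


def ast_scan(source: str) -> list[int]:
    """Lines holding a call that resolves to os.system(), judged by syntax, not text."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    hits = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        receiver = node.func.value
        # The receiver must be a bare name bound to the os module; this accepts
        # the alias on line 9 and rejects platform.system() on line 8.
        if (isinstance(receiver, ast.Name)
                and aliases.get(receiver.id) == "os"
                and node.func.attr == "system"):
            hits.append(node.lineno)
    return hits


if __name__ == "__main__":
    print("text rule :", text_scan(SAMPLE))   # [4, 5]: two false positives, line 9 missed
    print("AST rule  :", ast_scan(SAMPLE))    # [9]
```

Run as a script it prints the two result lists. The text rule reports the string literal and the comment and misses the aliased call entirely, so it produces both a false positive and a false negative on a nine-line file; the AST rule reports only line 9.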

Vulnerabilities Currently Detected

Netra Security currently detects:

ID          Vulnerability                 Severity
NETRA-001   Command Injection             Critical
NETRA-002   Code Injection                Critical
NETRA-003   Hardcoded Password            High
NETRA-004   Hardcoded API Key             High
NETRA-005   Arbitrary Code Execution      Critical
NETRA-006   Insecure Deserialization      High
NETRA-007   Dangerous Subprocess Usage    High

Each finding includes:

  • Rule ID

  • Severity

  • Line Number

  • Vulnerable Code

  • Remediation Recommendation

Sample Output

=== NETRA SECURITY REPORT ===

Total Findings: 5

ID       : NETRA-001
Severity : CRITICAL
Issue    : Command Injection
Line     : 13
Code     : os.system(user)

Fix      : Use subprocess.run(..., shell=False)
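
The following added example (my code, not the project's) shows one way to wire a rule table with the IDs above to AST checks and print the findings in the report layout shown. Several things in it are assumptions made for the example: the mapping of NETRA-002 to eval() and NETRA-005 to exec(), the fix strings, the secret-name heuristic (a string literal assigned to a name containing "password" or "api_key"), and the sample module it scans.

```python
import ast
from collections import namedtuple

Finding = namedtuple("Finding", "rule_id severity issue line code fix")
SEVERITY_RANK = {"CRITICAL": 3, "HIGH": 2}  # report ordering, highest first

# Rules keyed by dotted callee name. IDs, issues and severities follow the table
# above; which call each ID covers (eval -> 002, exec -> 005) and the fix text are
# assumptions. Import aliases such as 'import os as x' are not resolved here.
CALL_RULES = {
    "os.system": ("NETRA-001", "CRITICAL", "Command Injection", "Use subprocess.run([...], shell=False)"),
    "eval": ("NETRA-002", "CRITICAL", "Code Injection", "Use ast.literal_eval() or a real parser"),
    "exec": ("NETRA-005", "CRITICAL", "Arbitrary Code Execution", "Dispatch to known functions instead"),
    "pickle.loads": ("NETRA-006", "HIGH", "Insecure Deserialization", "Use json for untrusted data"),
}
# Substrings of an assignment target that mark a hardcoded secret (assumed heuristic).
SECRET_MARKERS = {
    "password": ("NETRA-003", "HIGH", "Hardcoded Password"),
    "api_key": ("NETRA-004", "HIGH", "Hardcoded API Key"),
}


def _callee(call: ast.Call) -> str:
    """Dotted name of a simple callee ('eval', 'os.system'); '' for anything else."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _shell_true(call: ast.Call) -> bool:
    """True when the call passes the literal keyword argument shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
               for kw in call.keywords)


def scan(source: str) -> list:
    """Run every rule over the module's AST; findings come back highest severity first."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []

    def add(rule_id, severity, issue, node, fix):
        findings.append(Finding(rule_id, severity, issue, node.lineno,
                                lines[node.lineno - 1].strip(), fix))

    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _callee(node)
            if name in CALL_RULES:
                rule_id, severity, issue, fix = CALL_RULES[name]
                add(rule_id, severity, issue, node, fix)
            elif name.startswith("subprocess.") and _shell_true(node):
                add("NETRA-007", "HIGH", "Dangerous Subprocess Usage", node,
                    "Drop shell=True and pass the command as a list")
        elif isinstance(node, ast.Assign):
            # NETRA-003/004: a non-empty string literal assigned to a secret-looking name.
            value = node.value
            if not (isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value):
                continue
            for target in node.targets:
                if isinstance(target, ast.Name):
                    for marker, (rule_id, severity, issue) in SECRET_MARKERS.items():
                        if marker in target.id.lower():
                            add(rule_id, severity, issue, node,
                                "Load secrets from the environment or a secrets manager")
    findings.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.line))
    return findings


def render_report(findings) -> str:
    """Render findings in the plain-text layout of the sample report above."""
    out = ["=== NETRA SECURITY REPORT ===", "", f"Total Findings: {len(findings)}", ""]
    for f in findings:
        out += [f"ID       : {f.rule_id}", f"Severity : {f.severity}", f"Issue    : {f.issue}",
                f"Line     : {f.line}", f"Code     : {f.code}", f"Fix      : {f.fix}", ""]
    return "\n".join(out)


# Constructed sample module (not real code): every rule fires once; the list-form
# subprocess call and the ordinary string assignment must stay quiet.
SAMPLE = '''\
import os, subprocess, pickle

PASSWORD = "hunter2"
api_key = "sk-demo-not-real"
timeout = "30"

def handler(user, blob):
    os.system(user)
    eval(user)
    exec(user)
    data = pickle.loads(blob)
    subprocess.run(user, shell=True)
    subprocess.run(["ls", "-l"])
    return data
'''
```

Calling print(render_report(scan(SAMPLE))) prints seven findings: the three CRITICAL ones (lines 8, 9, 10) first, then the HIGH ones in line order (3, 4, 11, 12). The shell=True check looks at the keyword node rather than the source text, so subprocess.run(["ls", "-l"]) on line 13 is not reported, and the timeout assignment on line 5 is ignored because its name carries no secret marker.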

Lessons Learned

Building Netra Security taught me several important concepts:

Static Analysis Is More Complex Than It Looks

Initially, I assumed security scanning was mostly pattern matching.

In reality, reducing false positives is one of the hardest challenges.

AST Is Extremely Powerful

AST enables analysis based on code behavior rather than raw text.

This is how many professional security tools achieve better accuracy.

Security and Development Are Closely Connected

Developers who understand security can prevent many vulnerabilities before they reach production.

Future Improvements

The project is still evolving.

Planned features include:

  • Additional OWASP Top 10 checks

  • Multi-file project scanning

  • Folder-level analysis

  • Web-based dashboard using Flask

  • JSON and CSV report exports

  • Risk scoring engine

  • CI/CD integration

  • GitHub repository scanning

Final Thoughts

Building Netra Security gave me a much deeper understanding of how static analysis tools work and how vulnerabilities can be detected before software is deployed.

The project started as a simple pattern-matching scanner and gradually evolved into an AST-powered security analysis engine.

There is still a long way to go, but that's what makes cybersecurity and software engineering exciting—there is always something new to learn and improve.

If you're learning Python, cybersecurity, or application security, I highly recommend building your own security tools. You'll learn far more than simply using existing ones.

Thanks for reading!

GitHub Repository:

Netra-security

#python #cybersecurity #appsec #security #sast #flask #beginners #opensource
