QP20 Python Project Config Presence
What this means
SiteShadow flagged missing Python project configuration (packaging/tooling config like pyproject.toml, dependency pinning, lint/test tooling setup).
Why it matters
Project configuration standardizes tooling and dependency management.
- Dependency drift increases supply-chain and reproducibility risk.
- Inconsistent tooling makes tests/linters optional and easier to bypass.
- Secure defaults are harder to enforce when there is no centralized configuration to put them in.
Safer examples
1) Use pyproject.toml (recommended)
Centralize project metadata and tooling config (formatters, linters, build system).
2) Pin dependencies
Use lockfiles or pinned requirements where appropriate (see DEP01 / A08).
3) Standardize test/lint commands
Make pytest and linting easy to run locally and in CI (see QP02 / QP16).
How SiteShadow detects it (high level)
- Detects missing Python project config files and dependency pinning signals.
- Flags Python repos where tooling and dependency management appear unmanaged.
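The following script is an added example, not SiteShadow's own detection code, and it serves both the "Safer examples" list and the detection description above: it embeds a constructed pyproject.toml that follows items 1 to 3 (build system, pinned dependency, pytest and linter sections) together with a constructed requirements.txt, and audits them for the signals QP20 describes: a pyproject.toml with a build system, standardized test and lint configuration, and exact `==` pins. The set of linter section names it recognizes (ruff, flake8, pylint) is an assumption, as is treating only `==` as "pinned".

```python
"""Audit a Python project for the configuration signals described on this page.

Added example, not SiteShadow's own code. The pyproject.toml and
requirements.txt bodies below are constructed samples; the linter section
names checked for (ruff, flake8, pylint) are an assumption.
"""
import re

try:
    import tomllib  # standard library since Python 3.11
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # third-party backport for older interpreters

# Constructed sample following the "Safer examples" above: build system,
# project metadata with a pinned dependency, pytest and linter config.
SAMPLE_PYPROJECT = """\
[build-system]
requires = ["setuptools==69.0.3", "wheel==0.42.0"]
build-backend = "setuptools.build_meta"

[project]
name = "example-service"
version = "0.1.0"
requires-python = ">=3.11"
dependencies = ["requests==2.31.0"]

[tool.pytest.ini_options]
testpaths = ["tests"]

[tool.ruff]
line-length = 100
"""

# Constructed sample requirements file: one exact pin, one floating range.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
urllib3>=2.0   # floating: resolves to a different version over time
-r dev-requirements.txt
"""

LINTER_SECTIONS = ("ruff", "flake8", "pylint")  # assumption: common linters

# Package name, optional [extras], then an exact '==' pin; an environment
# marker after ';' is allowed.
PIN_RE = re.compile(r"^[A-Za-z0-9_.\-]+(\[[^\]]*\])?==[^\s;]+")


def unpinned_requirements(text):
    """Return requirement lines that are not pinned with '=='.

    Comments, blank lines and option lines such as '-r other.txt' are skipped.
    """
    unpinned = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        if not PIN_RE.match(line):
            unpinned.append(line)
    return unpinned


def audit(pyproject_text, requirements_text=""):
    """Return a list of findings; an empty list means every QP20 signal is present."""
    if pyproject_text is None:
        return ["missing pyproject.toml"]

    findings = []
    data = tomllib.loads(pyproject_text)
    tool = data.get("tool", {})

    if "build-system" not in data:
        findings.append("pyproject.toml has no [build-system] table")
    if "pytest" not in tool:
        findings.append("no [tool.pytest.ini_options] section; test command is not standardized")
    if not any(name in tool for name in LINTER_SECTIONS):
        findings.append("no linter configured under [tool.*]")

    declared = data.get("project", {}).get("dependencies", [])
    for req in unpinned_requirements("\n".join(declared)):
        findings.append(f"unpinned dependency in pyproject.toml: {req}")
    for req in unpinned_requirements(requirements_text):
        findings.append(f"unpinned requirement in requirements.txt: {req}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PYPROJECT, SAMPLE_REQUIREMENTS) or ["no findings"]:
        print(finding)
```

Run against the two samples it reports only the floating `urllib3>=2.0` line; with an empty or missing pyproject.toml it reports the absent build system, test and lint configuration, which is the same condition the rule flags. To use it on a real checkout, read the two files from disk and pass their contents to `audit`.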
References
- OWASP Top 10: https://owasp.org/Top10/
---