Critiq Docs


security.execution

Avoid enabling shell mode in subprocess calls

Python process execution should avoid `shell=True` unless shell interpretation is explicitly required and tightly controlled.

#Metadata

| Field | Value |
|---|---|
| Rule ID | `py.security.subprocess-shell-enabled` |
| Severity | high |
| Confidence | 0.93 |
| Languages | python |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | execution, python, rules-catalog, security, subprocess |

#Why it matters

With `shell=True` the command string is handed to the system shell, which parses it before anything runs: quoting, whitespace splitting, `;`, `|`, `&&` and `$(...)` are all interpreted. Any untrusted fragment that reaches that string can therefore change which commands execute and with what arguments, which is why shell-enabled execution carries a higher injection and execution risk than passing arguments directly.

#Remediation

Pass the command as an argument list with `shell=False` (the default), so that each argument reaches the program unparsed. Where shell mode is genuinely unavoidable, restrict it to a fixed, constant command string with no interpolated input.
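As an added example (not Critiq's own rule implementation and not code from this page), the script below shows both halves of the rule: a minimal `ast`-based check that flags `subprocess.<func>(..., shell=True)` calls, and the remediated argument-list call, which hands untrusted input to the child process as one unparsed argv element. The names `find_shell_enabled`, `run_fixed`, `echo_argv` and `SUBPROCESS_FUNCS`, and the `SAMPLE` source, are constructed for this example.

```python
import ast
import subprocess
import sys

# subprocess entry points that accept shell= (assumed set for this example)
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def find_shell_enabled(source: str) -> list[int]:
    """Line numbers of subprocess.<func>(..., shell=True) calls in `source`.
    Only a literal True is matched; a variable passed as shell= is left to review."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        target = node.func
        if not (isinstance(target.value, ast.Name) and target.value.id == "subprocess"
                and target.attr in SUBPROCESS_FUNCS):
            continue
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                hits.append(node.lineno)
    return hits


def run_fixed(args: list[str]) -> str:
    """Remediated pattern: argument list, shell=False (the default), so no shell
    parses anything and each element reaches the program verbatim."""
    result = subprocess.run(args, shell=False, capture_output=True, text=True, check=True)
    return result.stdout


def echo_argv(value: str) -> str:
    """Hand `value` to a child as a single argv element and return what it received."""
    return run_fixed([sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value])


# Constructed sample source: one shell-enabled call and two compliant ones.
SAMPLE = """
import subprocess
subprocess.run("ls -l " + path, shell=True)   # flagged: the shell parses the string
subprocess.run(["ls", "-l", path])            # fine: argument list, shell=False
subprocess.check_output("id", shell=False)    # fine: shell explicitly off
"""

if __name__ == "__main__":
    print("shell=True at lines:", find_shell_enabled(SAMPLE))  # [3]
    # Metacharacters stay literal: nothing is expanded or chained.
    print(echo_argv("a; $(b) && c"))  # a; $(b) && c
```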

#Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/python/py.security.subprocess-shell-enabled.rule.yaml`.