# Lanalyzer
[](https://www.gnu.org/licenses/agpl-3.0)
[](https://www.python.org/downloads/)
[](https://github.com/astral-sh/uv)
[](https://pypi.org/project/lanalyzer/)
[](https://github.com/bayuncao/lanalyzer/actions)
[](https://codecov.io/gh/bayuncao/lanalyzer)
[](CONTRIBUTING.md)
[](https://modelcontextprotocol.io/)
Lanalyzer is an advanced Python static taint analysis tool designed to detect potential security vulnerabilities in Python projects. It identifies data flows from untrusted sources (Sources) to sensitive operations (Sinks) and provides detailed insights into potential risks.
<p align="center">
<a href="./README.md"><img alt="README in English" src="https://img.shields.io/badge/English-d9d9d9"></a>
<a href="./README.zh.md"><img alt="简体中文版自述文件" src="https://img.shields.io/badge/简体中文-d9d9d9"></a>
</p>
## 📖 Table of Contents
- [Lanalyzer](#lanalyzer)
- [📖 Table of Contents](#-table-of-contents)
- [✨ Features](#-features)
- [🚀 Getting Started](#-getting-started)
- [Prerequisites](#prerequisites)
- [Installation](#installation)
- [Option 1: Install from PyPI (Recommended)](#option-1-install-from-pypi-recommended)
- [Option 2: Install from Source](#option-2-install-from-source)
- [💻 Usage](#-usage)
- [Basic Analysis](#basic-analysis)
- [Command-Line Options](#command-line-options)
- [Example](#example)
- [🤝 Contributing](#-contributing)
- [📄 License](#-license)
- [📞 Contact](#-contact)
- [Contact](#contact)
- [🧩 Model Context Protocol (MCP) Support](#-model-context-protocol-mcp-support)
- [Installing MCP Dependencies](#installing-mcp-dependencies)
- [Starting the MCP Server](#starting-the-mcp-server)
- [MCP Server Features](#mcp-server-features)
- [Integration with AI Tools](#integration-with-ai-tools)
- [Using in Cursor](#using-in-cursor)
- [MCP Command-Line Options](#mcp-command-line-options)
- [Advanced MCP Usage](#advanced-mcp-usage)
- [Custom Configurations](#custom-configurations)
- [Batch File Analysis](#batch-file-analysis)
- [📊 Analysis Results Format](#-analysis-results-format)
## ✨ Features
- **Taint Analysis**: Tracks data flows from sources to sinks.
- **Customizable Rules**: Define your own sources, sinks, sanitizers, and taint propagation paths.
- **Static Analysis**: No need to execute the code.
- **Extensibility**: Easily add new rules for detecting vulnerabilities like SQL Injection, XSS, and more.
- **Detailed Reports**: Generate comprehensive analysis reports with vulnerability details and mitigation suggestions.
- **Command-Line Interface**: Run analyses directly from the terminal.
## 🚀 Getting Started
### Prerequisites
- Python 3.10 or higher
- [uv](https://github.com/astral-sh/uv) (recommended for dependency management)
### Installation
#### Option 1: Install from PyPI (Recommended)
```bash
# Using pip
pip install lanalyzer
# Install as a tool (recommended)
uv tool install lanalyzer
# Using uv
uv add lanalyzer
# With MCP support
uv add lanalyzer[mcp]
```
#### Option 2: Install from Source
1. Clone the repository:
```bash
git clone https://github.com/bayuncao/lanalyzer.git
cd lanalyzer
```
2. Install dependencies:
```bash
# Install basic dependencies
make install
# Install with development dependencies
make install-dev
# Install with MCP support
make install-mcp
# Install everything (dev + MCP)
make install-all
```
## 💻 Usage
### Basic Analysis
Run a taint analysis on a Python file:
```bash
lanalyzer --target <target_file> --config <config_file> --pretty --output <output_file> --log-file <log_file> --debug
```
### Command-Line Options
- `--target`: Path to the Python file or directory to analyze.
- `--config`: Path to the configuration file.
- `--output`: Path to save the analysis report.
- `--log-file`: Path to save the log file.
- `--pretty`: Pretty-print the output.
- `--detailed`: Show detailed analysis statistics.
- `--debug`: Enable debug mode with detailed logging.
### Example
```bash
lanalyzer --target example.py --config rules/sql_injection.json --pretty --output example_analysis.json --log-file example_analysis.log --debug
```
## 🤝 Contributing
We welcome contributions! Please see the [CONTRIBUTING.md](CONTRIBUTING.md) file for guidelines on how to contribute to Lanalyzer.
For development setup, building, and publishing instructions, see [DEVELOPMENT.md](docs/DEVELOPMENT.md).
## 📄 License
This project is licensed under the GNU Affero General Public License v3.0. See the [LICENSE](LICENSE) file for details.
## 📞 Contact
### Contact
- Issues: [GitHub Issues](https://github.com/bayuncao/ltrack/issues)
- Email: support@mx-crafts.com
## 🧩 Model Context Protocol (MCP) Support
Lanalyzer now supports the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/), allowing it to run as an MCP server that AI models and tools can use to access taint analysis functionality through a standard interface.
### Installing MCP Dependencies
If you're using pip:
```bash
pip install "lanalyzer[mcp]"
```
If you're using uv:
```bash
uv add lanalyzer[mcp]
```
### Starting the MCP Server
There are multiple ways to start the MCP server:
1. **Using Python Module**:
```bash
# View help information
python -m lanalyzer.mcp --help
# Start the server (default port 8001)
python -m lanalyzer.mcp run --port 8001 --debug
```
2. **Using the lanalyzer Command-Line Tool**:
```bash
# View help information
lanalyzer mcp --help
# Start the server (default port 8000)
lanalyzer mcp run --port 8000 --debug
# Use development mode
lanalyzer mcp dev
```
3. **Using Makefile (Recommended for Development)**:
```bash
# Start MCP server
make mcp-server
# Start MCP server with debug mode
make mcp-server-debug
# Test MCP CLI
make mcp-test
```
### MCP Server Features
The MCP server provides the following core functionalities:
1. **Code Analysis**: Analyze Python code strings for security vulnerabilities
2. **File Analysis**: Analyze specific files for security vulnerabilities
3. **Path Analysis**: Analyze entire directories or projects for security vulnerabilities
4. **Vulnerability Explanation**: Provide detailed explanations of discovered vulnerabilities
5. **Configuration Management**: Get, validate, and create analysis configurations
For detailed MCP API documentation, see [MCP Tools Reference](docs/MCP_TOOLS.md).
### Integration with AI Tools
The MCP server can be integrated with AI tools that support the MCP protocol:
```python
# Using the FastMCP client
from fastmcp import FastMCPClient
# Create a client connected to the server
client = FastMCPClient("http://127.0.0.1:8000")
# Analyze code
result = client.call({
"type": "analyze_code",
"code": "user_input = input()\nquery = f\"SELECT * FROM users WHERE name = '{user_input}'\"",
"file_path": "example.py",
"config_path": "/path/to/config.json"
})
# Print analysis results
print(result)
```
### Using in Cursor
If you're working in the Cursor editor, you can directly ask the AI to use Lanalyzer to analyze your code:
```
Please use lanalyzer to analyze the current file for security vulnerabilities and explain the potential risks.
```
### MCP Command-Line Options
The MCP server supports the following command-line options:
**For `python -m lanalyzer.mcp run`**:
- `--debug`: Enable debug mode with detailed logging
- `--host`: Set the server listening address (default: 127.0.0.1)
- `--port`: Set the server listening port (default: 8001)
- `--transport`: Transport protocol (sse or streamable-http)
**For `lanalyzer mcp run`**:
- `--debug`: Enable debug mode
- `--port`: Set the server listening port (default: 8000)
### Advanced MCP Usage
#### Custom Configurations
You can use the get_config, validate_config, and create_config tools to manage vulnerability detection configurations:
```python
# Get the default configuration
config = client.call({
"type": "get_config"
})
# Create a new configuration
result = client.call({
"type": "create_config",
"config_data": {...}, # Configuration data
"config_path": "/path/to/save/config.json" # Optional
})
```
#### Batch File Analysis
Analyze an entire project or directory:
```python
result = client.call({
"type": "analyze_path",
"target_path": "/path/to/project",
"config_path": "/path/to/config.json",
"output_path": "/path/to/output.json" # Optional
})
```
## 📊 Analysis Results Format
The analysis results are returned in JSON format with the following main sections:
- **`vulnerabilities`**: List of detected security vulnerabilities
- **`call_chains`**: Data flow paths from sources to sinks
- **`summary`**: Analysis statistics and overview
- **`imports`**: Import information for analyzed files
For detailed format specification, see [Output Format Documentation](docs/OUTPUT_FORMAT.md).
Raw data
{
"_id": null,
"home_page": null,
"name": "lanalyzer",
"maintainer": null,
"docs_url": null,
"requires_python": "~=3.10",
"maintainer_email": null,
"keywords": "mcp, model-context-protocol, security, static-analysis, taint-analysis, vulnerability-detection",
"author": null,
"author_email": "Lanalyzer Author <8533596@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/bf/a3/f38132b52385c409356e637313f13cf3d750ed99377380eb5e0507611bef/lanalyzer-0.1.9.tar.gz",
"platform": null,
"description": "\n\n# Lanalyzer\n\n[](https://www.gnu.org/licenses/agpl-3.0)\n[](https://www.python.org/downloads/)\n[](https://github.com/astral-sh/uv)\n[](https://pypi.org/project/lanalyzer/)\n[](https://github.com/bayuncao/lanalyzer/actions)\n[](https://codecov.io/gh/bayuncao/lanalyzer)\n[](CONTRIBUTING.md)\n[](https://modelcontextprotocol.io/)\n\nLanalyzer is an advanced Python static taint analysis tool designed to detect potential security vulnerabilities in Python projects. It identifies data flows from untrusted sources (Sources) to sensitive operations (Sinks) and provides detailed insights into potential risks.\n\n<p align=\"center\">\n <a href=\"./README.md\"><img alt=\"README in English\" src=\"https://img.shields.io/badge/English-d9d9d9\"></a>\n <a href=\"./README.zh.md\"><img alt=\"\u7b80\u4f53\u4e2d\u6587\u7248\u81ea\u8ff0\u6587\u4ef6\" src=\"https://img.shields.io/badge/\u7b80\u4f53\u4e2d\u6587-d9d9d9\"></a>\n</p>\n\n## \ud83d\udcd6 Table of Contents\n\n- [Lanalyzer](#lanalyzer)\n - [\ud83d\udcd6 Table of Contents](#-table-of-contents)\n - [\u2728 Features](#-features)\n - [\ud83d\ude80 Getting Started](#-getting-started)\n - [Prerequisites](#prerequisites)\n - [Installation](#installation)\n - [Option 1: Install from PyPI (Recommended)](#option-1-install-from-pypi-recommended)\n - [Option 2: Install from Source](#option-2-install-from-source)\n - [\ud83d\udcbb Usage](#-usage)\n - [Basic Analysis](#basic-analysis)\n - [Command-Line Options](#command-line-options)\n - [Example](#example)\n - [\ud83e\udd1d Contributing](#-contributing)\n - [\ud83d\udcc4 License](#-license)\n - [\ud83d\udcde Contact](#-contact)\n - [Contact](#contact)\n - [\ud83e\udde9 Model Context Protocol (MCP) Support](#-model-context-protocol-mcp-support)\n - [Installing MCP Dependencies](#installing-mcp-dependencies)\n - [Starting the MCP Server](#starting-the-mcp-server)\n - [MCP Server Features](#mcp-server-features)\n - [Integration with AI Tools](#integration-with-ai-tools)\n - [Using in Cursor](#using-in-cursor)\n - [MCP Command-Line Options](#mcp-command-line-options)\n - [Advanced MCP Usage](#advanced-mcp-usage)\n - [Custom Configurations](#custom-configurations)\n - [Batch File Analysis](#batch-file-analysis)\n - [\ud83d\udcca Analysis Results Format](#-analysis-results-format)\n\n\n## \u2728 Features\n\n- **Taint Analysis**: Tracks data flows from sources to sinks.\n- **Customizable Rules**: Define your own sources, sinks, sanitizers, and taint propagation paths.\n- **Static Analysis**: No need to execute the code.\n- **Extensibility**: Easily add new rules for detecting vulnerabilities like SQL Injection, XSS, and more.\n- **Detailed Reports**: Generate comprehensive analysis reports with vulnerability details and mitigation suggestions.\n- **Command-Line Interface**: Run analyses directly from the terminal.\n\n## \ud83d\ude80 Getting Started\n\n### Prerequisites\n- Python 3.10 or higher\n- [uv](https://github.com/astral-sh/uv) (recommended for dependency management)\n\n### Installation\n\n#### Option 1: Install from PyPI (Recommended)\n```bash\n# Using pip\npip install lanalyzer\n\n# Install as a tool (recommended)\nuv tool install lanalyzer\n\n# Using uv\nuv add lanalyzer\n\n# With MCP support\nuv add lanalyzer[mcp]\n```\n\n#### Option 2: Install from Source\n1. Clone the repository:\n ```bash\n git clone https://github.com/bayuncao/lanalyzer.git\n cd lanalyzer\n ```\n\n2. Install dependencies:\n ```bash\n # Install basic dependencies\n make install\n\n # Install with development dependencies\n make install-dev\n\n # Install with MCP support\n make install-mcp\n\n # Install everything (dev + MCP)\n make install-all\n ```\n\n## \ud83d\udcbb Usage\n\n### Basic Analysis\nRun a taint analysis on a Python file:\n```bash\nlanalyzer --target <target_file> --config <config_file> --pretty --output <output_file> --log-file <log_file> --debug\n```\n\n### Command-Line Options\n- `--target`: Path to the Python file or directory to analyze.\n- `--config`: Path to the configuration file.\n- `--output`: Path to save the analysis report.\n- `--log-file`: Path to save the log file.\n- `--pretty`: Pretty-print the output.\n- `--detailed`: Show detailed analysis statistics.\n- `--debug`: Enable debug mode with detailed logging.\n\n### Example\n```bash\nlanalyzer --target example.py --config rules/sql_injection.json --pretty --output example_analysis.json --log-file example_analysis.log --debug\n```\n\n## \ud83e\udd1d Contributing\n\nWe welcome contributions! Please see the [CONTRIBUTING.md](CONTRIBUTING.md) file for guidelines on how to contribute to Lanalyzer.\n\nFor development setup, building, and publishing instructions, see [DEVELOPMENT.md](docs/DEVELOPMENT.md).\n\n## \ud83d\udcc4 License\n\nThis project is licensed under the GNU Affero General Public License v3.0. See the [LICENSE](LICENSE) file for details.\n\n## \ud83d\udcde Contact\n\n### Contact\n\n- Issues: [GitHub Issues](https://github.com/bayuncao/ltrack/issues)\n- Email: support@mx-crafts.com\n\n## \ud83e\udde9 Model Context Protocol (MCP) Support\n\nLanalyzer now supports the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/), allowing it to run as an MCP server that AI models and tools can use to access taint analysis functionality through a standard interface.\n\n### Installing MCP Dependencies\n\nIf you're using pip:\n\n```bash\npip install \"lanalyzer[mcp]\"\n```\n\nIf you're using uv:\n\n```bash\nuv add lanalyzer[mcp]\n```\n\n### Starting the MCP Server\n\nThere are multiple ways to start the MCP server:\n\n1. **Using Python Module**:\n\n```bash\n# View help information\npython -m lanalyzer.mcp --help\n\n# Start the server (default port 8001)\npython -m lanalyzer.mcp run --port 8001 --debug\n```\n\n2. **Using the lanalyzer Command-Line Tool**:\n\n```bash\n# View help information\nlanalyzer mcp --help\n\n# Start the server (default port 8000)\nlanalyzer mcp run --port 8000 --debug\n\n# Use development mode\nlanalyzer mcp dev\n```\n\n3. **Using Makefile (Recommended for Development)**:\n\n```bash\n# Start MCP server\nmake mcp-server\n\n# Start MCP server with debug mode\nmake mcp-server-debug\n\n# Test MCP CLI\nmake mcp-test\n```\n\n### MCP Server Features\n\nThe MCP server provides the following core functionalities:\n\n1. **Code Analysis**: Analyze Python code strings for security vulnerabilities\n2. **File Analysis**: Analyze specific files for security vulnerabilities\n3. **Path Analysis**: Analyze entire directories or projects for security vulnerabilities\n4. **Vulnerability Explanation**: Provide detailed explanations of discovered vulnerabilities\n5. **Configuration Management**: Get, validate, and create analysis configurations\n\nFor detailed MCP API documentation, see [MCP Tools Reference](docs/MCP_TOOLS.md).\n\n### Integration with AI Tools\n\nThe MCP server can be integrated with AI tools that support the MCP protocol:\n\n```python\n# Using the FastMCP client\nfrom fastmcp import FastMCPClient\n\n# Create a client connected to the server\nclient = FastMCPClient(\"http://127.0.0.1:8000\")\n\n# Analyze code\nresult = client.call({\n \"type\": \"analyze_code\",\n \"code\": \"user_input = input()\\nquery = f\\\"SELECT * FROM users WHERE name = '{user_input}'\\\"\",\n \"file_path\": \"example.py\",\n \"config_path\": \"/path/to/config.json\"\n})\n\n# Print analysis results\nprint(result)\n```\n\n### Using in Cursor\n\nIf you're working in the Cursor editor, you can directly ask the AI to use Lanalyzer to analyze your code:\n\n```\nPlease use lanalyzer to analyze the current file for security vulnerabilities and explain the potential risks.\n```\n\n### MCP Command-Line Options\n\nThe MCP server supports the following command-line options:\n\n**For `python -m lanalyzer.mcp run`**:\n- `--debug`: Enable debug mode with detailed logging\n- `--host`: Set the server listening address (default: 127.0.0.1)\n- `--port`: Set the server listening port (default: 8001)\n- `--transport`: Transport protocol (sse or streamable-http)\n\n**For `lanalyzer mcp run`**:\n- `--debug`: Enable debug mode\n- `--port`: Set the server listening port (default: 8000)\n\n### Advanced MCP Usage\n\n#### Custom Configurations\n\nYou can use the get_config, validate_config, and create_config tools to manage vulnerability detection configurations:\n\n```python\n# Get the default configuration\nconfig = client.call({\n \"type\": \"get_config\"\n})\n\n# Create a new configuration\nresult = client.call({\n \"type\": \"create_config\",\n \"config_data\": {...}, # Configuration data\n \"config_path\": \"/path/to/save/config.json\" # Optional\n})\n```\n\n#### Batch File Analysis\n\nAnalyze an entire project or directory:\n\n```python\nresult = client.call({\n \"type\": \"analyze_path\",\n \"target_path\": \"/path/to/project\",\n \"config_path\": \"/path/to/config.json\",\n \"output_path\": \"/path/to/output.json\" # Optional\n})\n```\n\n## \ud83d\udcca Analysis Results Format\n\nThe analysis results are returned in JSON format with the following main sections:\n\n- **`vulnerabilities`**: List of detected security vulnerabilities\n- **`call_chains`**: Data flow paths from sources to sinks\n- **`summary`**: Analysis statistics and overview\n- **`imports`**: Import information for analyzed files\n\nFor detailed format specification, see [Output Format Documentation](docs/OUTPUT_FORMAT.md).",
"bugtrack_url": null,
"license": null,
"summary": "Python Taint Analysis Tool for finding security vulnerabilities",
"version": "0.1.9",
"project_urls": {
"Repository": "https://github.com/bayuncao/lanalyzer"
},
"split_keywords": [
"mcp",
" model-context-protocol",
" security",
" static-analysis",
" taint-analysis",
" vulnerability-detection"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "2924606ee00d16767551b88d26c33cd6aabff1fec3464925aab438f72ab3afd1",
"md5": "66d589e8d4605f2af0456311a27ec567",
"sha256": "96bbd3f9fa79b7ec3cf27e5834af12e1cd26a1d54e1d50991cf405efa7b7c402"
},
"downloads": -1,
"filename": "lanalyzer-0.1.9-py3-none-any.whl",
"has_sig": false,
"md5_digest": "66d589e8d4605f2af0456311a27ec567",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "~=3.10",
"size": 140888,
"upload_time": "2025-07-09T11:24:16",
"upload_time_iso_8601": "2025-07-09T11:24:16.229584Z",
"url": "https://files.pythonhosted.org/packages/29/24/606ee00d16767551b88d26c33cd6aabff1fec3464925aab438f72ab3afd1/lanalyzer-0.1.9-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "bfa3f38132b52385c409356e637313f13cf3d750ed99377380eb5e0507611bef",
"md5": "f202b253444d70b78c1bcbb25fb97816",
"sha256": "45df16eaa572a3053f89322ab95b951c1a526523a490b8fb6c1c5cc6988f7b68"
},
"downloads": -1,
"filename": "lanalyzer-0.1.9.tar.gz",
"has_sig": false,
"md5_digest": "f202b253444d70b78c1bcbb25fb97816",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "~=3.10",
"size": 111307,
"upload_time": "2025-07-09T11:24:17",
"upload_time_iso_8601": "2025-07-09T11:24:17.639207Z",
"url": "https://files.pythonhosted.org/packages/bf/a3/f38132b52385c409356e637313f13cf3d750ed99377380eb5e0507611bef/lanalyzer-0.1.9.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-07-09 11:24:17",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "bayuncao",
"github_project": "lanalyzer",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "lanalyzer"
}
JSON
