Python · Cheat sheet
Python for DevSecOps cheat sheet
Practical Python for operators and security engineers, beginner to advanced: running scripts, virtualenvs and dependency locking, handy stdlib one-liners, dependency/SAST scanners, crypto and hashing, and lint/type/test tooling — with examples.
Run & REPLBeginner
python3 script.py
Run a script.
python3 -c "print(1+1)"
Run a one-liner inline.
2
python3 -m http.server 8080
Serve the current directory over HTTP (quick share).
Serving HTTP on 0.0.0.0 port 8080 ...
python3 -m json.tool file.json
Validate and pretty-print JSON.
python3 -i script.py
Run, then drop into the REPL with state intact.
python3 --version
Check the interpreter version.
venv & packagesBeginner
python3 -m venv .venv
Create an isolated environment.
source .venv/bin/activate
Activate it (prompt shows the venv).
(.venv) $
pip install requests
Install a package into the venv.
pip install -r requirements.txt
Install a project’s pinned deps.
pip freeze > requirements.txt
Snapshot exact installed versions.
pip list --outdated
Show packages with newer releases.
pipx install <tool>
Install a CLI tool in its own isolated env.
Dependency lockingIntermediate
pip-compile requirements.in
Resolve a fully pinned lock file (pip-tools).
pip-sync requirements.txt
Make the venv match the lock exactly.
pip install --require-hashes -r requirements.txt
Refuse deps that fail hash checks (supply-chain).
poetry add requests / poetry install
Add + install with Poetry’s lockfile.
Handy stdlibIntermediate
subprocess.run(["ls"], capture_output=True, text=True)
Shell out and capture stdout/stderr safely.
from pathlib import Path; Path("/etc").glob("*.conf")
Modern filesystem paths and globbing.
import argparse
Build a real CLI with flags and help.
logging.basicConfig(level=logging.INFO)
Structured logging instead of print.
os.environ.get("TOKEN")
Read config/secrets from the environment.
python3 -c "import secrets; print(secrets.token_hex(16))"
Generate a cryptographically strong token.
b1946ac92492d2347c6235b4d2611184
Security scannersAdvanced
bandit -r .
Find insecure code patterns (SAST for Python).
>> Issue: [B602:subprocess_popen_with_shell_equals_true] Severity: High
pip-audit
Report known CVEs in installed dependencies.
Found 2 known vulnerabilities in 1 package
safety check
Alternative dependency vulnerability scan.
detect-secrets scan > .secrets.baseline
Catch hardcoded secrets in the repo.
semgrep --config auto .
Run community SAST rules across the codebase.
Crypto & hashingAdvanced
python3 -c "import hashlib;print(hashlib.sha256(b'x').hexdigest())"
Hash bytes with SHA-256.
2d711642b726b04401627ca9fbac32f5c8530fb1903cc4db02258717921a4881
secrets.compare_digest(a, b)
Constant-time compare (avoid timing attacks).
import hmac; hmac.new(key, msg, "sha256").hexdigest()
Sign a message with an HMAC.
from cryptography.fernet import Fernet
Authenticated symmetric encryption made simple.
Lint, type & testAdvanced
ruff check .
Extremely fast linter (flake8/isort replacement).
black .
Opinionated auto-formatter.
mypy src/
Static type-check annotated code.
pytest -q
Run the test suite quietly.
12 passed in 0.34s
pytest --cov=src
Report test coverage.
Go deeper
Full, hands-on DevSecOps courses