← all rules
code/py-weak-hash-password
Weak hashing: hashlib.md5/sha1 used in auth context
What it detects
hashlib.md5/sha1 for passwords or tokens is insecure. Use argon2-cffi/bcrypt/passlib for passwords.
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.