Flask app run with the interactive debugger enabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
app.run(debug=True) turns on the Werkzeug interactive debugger and verbose tracebacks. Anyone who can reach the port when an unhandled exception occurs gets a Python console in the failing frame, which is arbitrary code execution.
Why it matters
The Werkzeug interactive debugger that app.run(debug=True) turns on drops a live Python console into the stack frame of any unhandled exception, and that console can run arbitrary code. Developers usually mean it only for their own machine, but the same line ships unchanged into a Dockerfile CMD or a systemd unit far more often than anyone expects. Once that happens, the very next unhandled error hands whoever can reach the port a shell.
How to fix it
Remove debug=True from the production entrypoint and read it from an environment variable that defaults to off, for example debug=os.environ.get("FLASK_DEBUG") == "1". Run the app behind a real WSGI server (gunicorn, uWSGI, waitress) in production instead of the Werkzeug dev server, and keep debug mode to a local .env file that never ships.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo