14 New FastAPI Rules for Python Projects

We’ve rolled out a set of new rules specifically for developers building applications with FastAPI. These rules are designed to help you catch subtle bugs, security vulnerabilities, and “gotchas” before they hit production.

Here is how these updates reduce defects and improve security in your Python code:

Vulnerabilities

These rules prevent sensitive data leaks by moving credentials out of URL logs and into request bodies. They also harden your infrastructure by ensuring your app isn’t accidentally exposed to the public internet during development and that CORS headers are never stripped by other middleware layers.

  • S8389: FastAPI file upload endpoints should use “Form()” with Pydantic validators instead of “Body()” or “Depends()”

  • S8392: FastAPI applications should not bind to all network interfaces

  • S8414: CORSMiddleware should be added last in the middleware chain


Bug Prevention & Reliability

This set eliminates “silent” failures, such as routes returning 404s because of registration order or worker processes failing to start in production. By catching signature mismatches and breaking changes in testing utilities early, you ensure your API remains functional and your deployment scaling works as intended.

  • S8401: Child routers should be included before parent router registration

  • S8411: FastAPI path parameters should be included in route function signatures

  • S8397: FastAPI applications should be passed as import strings when using reload, debug, or workers

  • S8405: TestClient requests should use “content” parameter for bytes or text


Code Quality & Documentation

These rules enforce idiomatic Python patterns that make your codebase easier to read and maintain. They keep your code in sync with your auto-generated Swagger documentation, ensuring API consumers see all possible error responses and experience a consistent, standards-compliant interface:

  • S8396: Optional Pydantic fields should have explicit default values

  • S8400: Endpoints returning 204 status should have an empty response body

  • S8409: FastAPI routes should not specify redundant “response_model” parameters

  • S8410: FastAPI dependencies should use “Annotated” type hints

  • S8412: Generic route decorators should not be used

  • S8413: Router prefixes should be defined during “APIRouter” initialization

  • S8415: HTTPException responses should be documented in endpoint metadata

You can find them on:
SonarQube Cloud - now
SonarQube Server - from 2026.2
SonarQube Community Build - from 26.3.x
SonarQube IDE - your next plugin update

See what’s coming up for Python in SonarQube-IDE, SonarQube Server and SonarQube Cloud. We hope you enjoy these updates.

Jean
