FastAPI
Best practices and security rules for FastAPI applications.
Enabled Rules
| Rule | Severity | Description |
|---|---|---|
| security/secret-detection | block | Detects API keys and database URLs in source code |
| security/env-exposure | block | Prevents hardcoded credentials in route handlers |
| quality/naming-conventions | block | snake_case endpoints, PascalCase Pydantic models |
| quality/file-structure | warn | Routers, models, and schemas in correct locations |
| quality/anti-patterns | warn | Catches sync operations in async handlers |
Usage
```ts
import { defineConfig } from '@solanticai/vguard';

export default defineConfig({
  presets: ['fastapi'],
});
```
What it enforces
- No hardcoded secrets — Blocks database URLs, API keys, and JWT secrets written directly in code. Use `pydantic-settings` or environment variables.
- Naming conventions — Route functions must be snake_case (`get_users`, not `getUsers`). Pydantic models must be PascalCase (`UserCreate`, not `user_create`).
- File structure — Routers in `routers/` or `api/`, schemas in `schemas/`, models in `models/`.
- Async best practices — Warns when blocking operations (`time.sleep`, synchronous DB calls) are used inside `async def` handlers.
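
To make the async rule concrete, the following added example (not vguard's implementation and not code from this project) sketches one way to find blocking calls inside `async def` handlers using Python's `ast` module. The names `find_blocking_calls`, `BLOCKING`, and `SAMPLE` are hypothetical, and the sample source is constructed for illustration.

```python
import ast

# Constructed sample input (not from the page): FastAPI-style handler functions.
SAMPLE = '''\
import asyncio, time as t
from time import sleep
async def get_users():
    t.sleep(1)                # blocking, reached through a module alias
async def get_orders():
    sleep(2)                  # blocking, reached through an imported name
    def job():
        t.sleep(1)            # nested sync def: its own scope, skipped
async def get_items():
    await asyncio.sleep(1)    # non-blocking equivalent
def get_health():
    t.sleep(1)                # plain def handler: not flagged
'''

BLOCKING = {"time.sleep"}  # assumption: extend with the sync DB/HTTP calls you use


def find_blocking_calls(source, blocking=BLOCKING):
    """Return (handler, line, call) for blocking calls made directly in async defs."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified name, built from import statements
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            prefix = f"{node.module}." if getattr(node, "module", None) else ""
            for a in node.names:
                aliases[a.asname or a.name] = prefix + a.name

    def qualified(func):  # dotted name of a call target, or None if not a plain name
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            return ".".join([aliases.get(func.id, func.id), *reversed(parts)])

    def scan(node):
        for child in ast.iter_child_nodes(node):
            if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
                continue  # nested scopes are not the handler's own body
            if isinstance(child, ast.Call) and qualified(child.func) in blocking:
                yield child.lineno, qualified(child.func)
            yield from scan(child)

    return [(fn.name, line, call) for fn in ast.walk(tree)
            if isinstance(fn, ast.AsyncFunctionDef) for line, call in scan(fn)]
```

Resolving import aliases matters here: a check that only matches the literal text `time.sleep` would miss both `t.sleep(1)` and the bare `sleep(2)` in the sample.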