tessl-labs/fastapi-security-basics

Security defaults that belong in every FastAPI application from day one.

93

Quality: 90% (Does it follow best practices?)
Impact: 98%
7.00x, average score across 5 eval scenarios
Security by Snyk: Passed, no known issues


evals/scenario-4/criteria.json

{
  "context": "Tests whether the agent adds proper Pydantic Field constraints to all model fields — min/max lengths on strings, range constraints on integers, regex patterns for enum-like strings — and uses field_validator with classmethod and ValueError correctly.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Field import used",
      "description": "pydantic.Field is imported and used in model definitions (not plain type annotations without constraints)",
      "max_score": 8
    },
    {
      "name": "String min_length constraint",
      "description": "At least one string field uses Field(min_length=...) to prevent empty or too-short strings",
      "max_score": 10
    },
    {
      "name": "String max_length constraint",
      "description": "Every string field in request models has Field(max_length=...) to cap input size",
      "max_score": 10
    },
    {
      "name": "Integer range constraint",
      "description": "At least one integer field uses Field(gt=...) or Field(ge=...) with an upper bound (lt or le) to restrict its range",
      "max_score": 10
    },
    {
      "name": "Pattern for enum-like field",
      "description": "At least one string field that accepts a fixed set of values uses Field(pattern='...') with a regex anchored with ^ and $",
      "max_score": 10
    },
    {
      "name": "field_validator used",
      "description": "At least one field uses @field_validator to implement custom validation logic beyond Field() constraints",
      "max_score": 10
    },
    {
      "name": "classmethod decorator",
      "description": "@classmethod decorator is present on every @field_validator method",
      "max_score": 8
    },
    {
      "name": "ValueError raised on invalid input",
      "description": "field_validator methods raise ValueError (not Exception or other types) with a descriptive message when validation fails",
      "max_score": 10
    },
    {
      "name": "No unconstrained string fields",
      "description": "There are NO bare str fields in request models without at least min_length and max_length via Field()",
      "max_score": 12
    },
    {
      "name": "No unconstrained integer fields",
      "description": "There are NO bare int fields in request models without at least one range constraint (gt, ge, lt, or le) via Field()",
      "max_score": 12
    }
  ]
}
