Perfect.
This is PHASE 12 — Security, Packaging, Deployment & CI/CD, taught at production, senior/staff-engineer depth.
This phase is the difference between writing Python and running Python in the real world.
After this, you’ll understand how Python code becomes a secure, deployable, observable production system.
🔐📦🚀 PHASE 12 — PYTHON IN PRODUCTION (DEEP)
12.1 SECURITY MINDSET (INTERVIEW MUST-SAY)
Assume your code will be attacked, misused, misconfigured, and stressed.
Security is not:
❌ A library
❌ An afterthought
Security is a system property.
🔐 PART 1 — PYTHON SECURITY (REAL THREATS)
12.2 COMMON PYTHON SECURITY RISKS (YOU MUST KNOW)
| Risk | Example |
|---|---|
| Code injection | eval(), exec() |
| Command injection | os.system() |
| Deserialization | pickle.load() |
| Secrets leakage | Hardcoded keys |
| Path traversal | ../../etc/passwd |
| Dependency attacks | Malicious packages |
12.3 NEVER USE eval / exec
❌ Dangerous
eval(user_input)
✔ Arbitrary code execution
✅ Safe alternative
import ast
ast.literal_eval(user_input)  # parses Python literals only; anything else raises an exception
📌 Interview line
eval executes code, not data.
12.4 COMMAND INJECTION (CRITICAL)
❌ Vulnerable
os.system(f"rm {filename}")
✅ Safe
subprocess.run(["rm", filename], check=True)
Why?
- No shell interpretation
- Each list element reaches the program as exactly one argument, so no quoting or escaping is involved
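The difference between the two call styles, as an added example that is not part of the original course text. It assumes a POSIX shell is available; the file name is constructed, and a harmless child process that only reports its arguments stands in for `rm`.

```python
import subprocess
import sys

# Constructed input: a file name carrying a shell metacharacter.
FILENAME = "notes.txt; echo INJECTED"

# Stand-in for "rm" (assumption): a child that only reports the argv it received.
REPORT_ARGV = [sys.executable, "-c", "import sys; print(repr(sys.argv[1:]))"]


def via_shell(filename: str) -> str:
    """String command with shell=True: the shell parses the input as syntax."""
    done = subprocess.run(f"echo {filename}", shell=True,
                          capture_output=True, text=True, check=True)
    return done.stdout


def via_argv_list(filename: str) -> str:
    """List form: each element becomes exactly one argument, no shell runs."""
    # "--" marks the end of options, so a name starting with "-" is not
    # read as a flag by tools that follow that convention (rm does).
    done = subprocess.run(REPORT_ARGV + ["--", filename],
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


if __name__ == "__main__":
    print(via_shell(FILENAME))      # two lines: the ";" started a second command
    print(via_argv_list(FILENAME))  # one argument, metacharacter intact
```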
12.5 PATH TRAVERSAL ATTACKS
❌ Vulnerable
open(f"/data/{filename}")
Attacker:
../../etc/passwd
✅ Safe
from pathlib import Path
base = Path("/data").resolve()
path = (base / filename).resolve()  # collapses ".." and follows symlinks
if not path.is_relative_to(base):   # Python 3.9+
    raise PermissionError(f"{filename!r} escapes {base}")
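The same containment check run against several kinds of escaping input, as an added example that is not part of the original course text. It goes beyond the single `../../etc/passwd` case: the function name `safe_path`, the throwaway directory layout and the sample names are all constructed for illustration, and a string-prefix check is included only for contrast.

```python
import os
import tempfile
from pathlib import Path


def safe_path(base: Path, filename: str) -> Path:
    """Return the resolved path, or raise if it leaves base."""
    base = base.resolve()
    candidate = (base / filename).resolve()   # follows ".." and symlinks
    if not candidate.is_relative_to(base):    # component-wise, Python 3.9+
        raise PermissionError(f"{filename!r} escapes {base}")
    return candidate


def naive_allows(base: Path, filename: str) -> bool:
    """String-prefix check, shown only for contrast."""
    return os.path.normpath(str(base / filename)).startswith(str(base))


def check_samples() -> dict:
    """Run constructed file names against a throwaway directory tree."""
    names = ["report.txt", "../../etc/passwd", "/etc/passwd",
             "../data-private/x", "link/x"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve() / "data"
        private = base.parent / "data-private"   # sibling sharing the prefix
        base.mkdir()
        private.mkdir()
        (base / "link").symlink_to(private)      # symlink pointing outside base
        for name in names:
            try:
                safe_path(base, name)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "blocked"
        # The prefix check accepts the sibling directory; safe_path does not.
        results["naive:../data-private/x"] = naive_allows(base, "../data-private/x")
    return results
```

An absolute name such as `/etc/passwd` replaces the base entirely when joined with `/`, which is why the check has to run on the resolved result and not on the raw input.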
12.6 DESERIALIZATION ATTACKS (PICKLE)
🚨 Never unpickle untrusted data
pickle.loads(data) # ❌
Why?
- Unpickling can execute arbitrary code chosen by whoever produced the data
📌 Interview must-say
Pickle is for trusted, internal data only.
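Why loading a pickle is a code path and not just parsing, as an added example that is not part of the original course text. The `Marker` class and sample data are constructed, and the callable it names is the harmless `len`; the restricted loader follows the `find_class` override pattern from the Python `pickle` documentation and is a mitigation for internal use, not a reason to accept untrusted pickles.

```python
import io
import json
import pickle


class Marker:
    """Constructed object whose pickle asks the loader to call a function."""
    def __reduce__(self):
        # Stored as "call builtins.len('abc')". len is harmless; the point is
        # that the loader calls whatever callable the byte stream names.
        return (len, ("abc",))


CRAFTED = pickle.dumps(Marker())                      # constructed sample stream
PLAIN = pickle.dumps({"user": "alice", "roles": ["admin"]})


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so only plain containers and scalars load."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Drop-in for pickle.loads that cannot import or call anything."""
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def load_untrusted_json(text: str):
    """For data crossing a trust boundary, use a data-only format instead."""
    return json.loads(text)


if __name__ == "__main__":
    print(pickle.loads(CRAFTED))      # the result of the call, not a Marker
    print(restricted_loads(PLAIN))    # plain data still loads
    try:
        restricted_loads(CRAFTED)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```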
12.7 SECRET MANAGEMENT (NON-NEGOTIABLE)
❌ Hardcoded secrets
API_KEY = "abc123"
✅ Correct approaches
- Environment variables
- Vaults (AWS Secrets Manager, Vault)
- .env (never committed)
import os
API_KEY = os.environ["API_KEY"]
12.8 DEPENDENCY SECURITY
Risks:
- Typosquatting (reqeusts)
- Compromised packages
- Supply-chain attacks
Mitigations:
- Pin versions
- Audit dependencies
- Use hashes
pip install --require-hashes -r requirements.txt
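What the hash check buys you, as an added example that is not part of the original course text and is not pip's own code. It is a simplified model of hash-checking mode limited to sha256: the package name `examplepkg`, the artifact bytes and the requirements line are all constructed.

```python
import hashlib
import re

# Constructed bytes standing in for a downloaded wheel, and a tampered copy.
ARTIFACT = b"constructed wheel contents"
TAMPERED = ARTIFACT + b" plus injected code"

# Constructed requirements.txt entry (hypothetical package name): an exact pin
# followed by the digests of every file that is acceptable for that version.
REQ_LINE = (
    "examplepkg==1.0.0 "
    f"--hash=sha256:{hashlib.sha256(ARTIFACT).hexdigest()} "
    f"--hash=sha256:{'0' * 64}"
)

HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_pinned(line: str):
    """Split one entry into (name, version, allowed sha256 digests)."""
    spec, *options = line.split()
    name, sep, version = spec.partition("==")
    if not sep or not version:
        raise ValueError(f"{spec!r} is not an exact == pin")
    digests = {m.group(1) for opt in options if (m := HASH_OPT.fullmatch(opt))}
    if not digests:
        raise ValueError(f"{name} has no --hash option")
    return name, version, digests


def artifact_allowed(line: str, artifact: bytes) -> bool:
    """True only if the artifact's digest is one of the pinned digests."""
    _, _, digests = parse_pinned(line)
    return hashlib.sha256(artifact).hexdigest() in digests


if __name__ == "__main__":
    print(artifact_allowed(REQ_LINE, ARTIFACT))   # pinned file is accepted
    print(artifact_allowed(REQ_LINE, TAMPERED))   # same name and version, different bytes
```

A version pin alone would accept both files, because both claim to be `examplepkg` 1.0.0; the digest is what ties the install to specific bytes.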
📦 PART 2 — PACKAGING (HOW PYTHON IS DISTRIBUTED)
12.9 WHAT “PACKAGING” REALLY MEANS
Packaging answers:
- How code is installed
- How dependencies are resolved
- How versions are managed
- How tools discover entry points
12.10 MODERN STANDARD — pyproject.toml
[project]
name = "myapp"
version = "1.0.0"
dependencies = ["requests>=2.28"]
Replaces:
- setup.py
- setup.cfg
📌 Modern Python standard (PEP 517/518)
12.11 VERSIONING (SEMVER — INTERVIEW FAVORITE)
MAJOR.MINOR.PATCH
- MAJOR → breaking changes
- MINOR → backward-compatible features
- PATCH → bug fixes
📌 Libraries must respect SemVer.
12.12 VIRTUAL ENVIRONMENTS (ISOLATION)
Never install into system Python.
python -m venv .venv
source .venv/bin/activate
Why?
- Dependency isolation
- Reproducibility
- CI safety
12.13 ENTRY POINTS (CLI TOOLS)
[project.scripts]
myapp = "myapp.cli:main"
Allows:
myapp
📌 Used by:
- pip
- pytest
- black
- uvicorn
12.14 BUILD ARTIFACTS
Types:
- Source distribution (sdist)
- Wheel (.whl)
pip install .
📌 Wheels = faster installs.
🚀 PART 3 — DEPLOYMENT (RUNNING PYTHON)
12.15 DEPLOYMENT MODELS
| Model | Use |
|---|---|
| Bare VM | Simple services |
| Containers | Most common |
| Serverless | Event-driven |
| Kubernetes | Scalable systems |
12.16 DOCKER FOR PYTHON (MUST-KNOW)
Minimal Dockerfile:
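FROM python:3.11-slim
WORKDIR /app
# pip needs the package source as well as pyproject.toml, so copy the project first
COPY . .
RUN pip install --no-cache-dir .
# Run as an unprivileged user instead of root
RUN useradd --create-home appuser
USER appuser
CMD ["myapp"]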
📌 Interview line
Containers give reproducibility, not security by default.
12.17 CONFIGURATION VIA ENV (12-FACTOR APP)
Never:
config = "prod"
Always:
ENV = os.getenv("ENV", "dev")
📌 Environment defines behavior.
12.18 HEALTH CHECKS & SIGNAL HANDLING
Production apps must:
- Handle SIGTERM
- Shutdown gracefully
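import signal
def shutdown(signum, frame):  # handlers receive the signal number and current frame
    raise SystemExit(0)       # unwinds the stack so finally blocks and atexit hooks run
signal.signal(signal.SIGTERM, shutdown)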
🔄 PART 4 — CI / CD (AUTOMATION PIPELINE)
12.19 WHAT CI/CD REALLY IS
CI/CD ensures:
- Every change is tested
- Builds are reproducible
- Deployments are automated
- Rollbacks are possible
12.20 TYPICAL PYTHON CI PIPELINE
- Checkout code
- Create virtualenv
- Install dependencies
- Run linters
- Run tests
- Build artifact
- Deploy
12.21 LINTING & FORMATTERS
Tools:
- black → formatting
- ruff → linting
- mypy → types
📌 Interview insight
Style is automated, not debated.
12.22 TESTS IN CI (NON-NEGOTIABLE)
CI must fail if:
- Tests fail
- Coverage drops
- Security checks fail
12.23 SECURITY SCANS IN CI
Common tools:
- pip-audit
- bandit
- safety
pip-audit
12.24 DEPLOYMENT STRATEGIES
| Strategy | Use |
|---|---|
| Blue/Green | Zero downtime |
| Canary | Gradual rollout |
| Rolling | Kubernetes |
12.25 OBSERVABILITY (POST-DEPLOY)
Production requires:
- Logs
- Metrics
- Alerts
📌 Logging ≠ observability
Observability = logs + metrics + traces
🧪 PRACTICE (INTERVIEW-LEVEL)
Q1
Why is pickle unsafe in production?
Q2
Explain dependency pinning.
Q3
Why use containers instead of VMs?
Q4
What should never be committed to Git?
Q5
Describe a safe Python CI pipeline.
🎯 FINAL INTERVIEW CHECKPOINT
You must now confidently explain:
✅ Python security risks
✅ Safe subprocess usage
✅ Secret management
✅ Dependency security
✅ Packaging with pyproject.toml
✅ Virtual environments
✅ Docker basics
✅ CI/CD pipelines
✅ Production readiness
If you can do this → you are a production-ready Python engineer.
🏁 PHASE 12 COMPLETE ✅
🎓 A→Z PYTHON MASTERY COMPLETE
You have now covered:
✔ Language internals
✔ Data structures
✔ OOP
✔ Imports & packages
✔ Error handling
✔ Files & serialization
✔ Testing & logging
✔ Performance
✔ Security
✔ Packaging & deployment
This is PhD-level Python mastery, not a crash course.
🚀 FINAL OPTIONS (YOUR CHOICE)
Reply with ONLY ONE number:
1 → End-to-end capstone project (CLI / ETL / service) using ALL phases
2 → Multiple full mock interviews (Python + system design)
3 → Convert this entire course into printable study notes + checklists
You stayed disciplined — and that’s why this worked.