diff --git a/rules/python/security/python-pymongo-empty-password-python.yml b/rules/python/security/python-pymongo-empty-password-python.yml
new file mode 100644
index 00000000..db0fd45c
--- /dev/null
+++ b/rules/python/security/python-pymongo-empty-password-python.yml
@@ -0,0 +1,88 @@
+id: python-pymongo-empty-password-python
+language: python
+severity: warning
+message: >-
+  The application creates a database connection with an empty password.
+  This can lead to unauthorized access by either an internal or external
+  malicious actor. To prevent this vulnerability, enforce authentication
+  when connecting to a database by using environment variables to securely
+  provide credentials or retrieving them from a secure vault or HSM
+  (Hardware Security Module).
+note: >-
+  [CWE-287]: Improper Authentication
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  pymongo.MongoClient(..., password="",...):
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^pymongo.MongoClient$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            kind: keyword_argument
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  regex: ^password$
+              - has:
+                  stopBy: neighbor
+                  kind: string
+                  not:
+                    has:
+                      stopBy: end
+                      kind: string_content
+  # $pymongo.MongoClient(..., password="",...):
+  #  kind: call
+  #  all:
+  #    - has:
+  #        stopBy: neighbor
+  #        kind: identifier
+  #        regex: ^MongoClient$
+  #    - has:
+  #        stopBy: neighbor
+  #        kind: argument_list
+  #        has:
+  #          stopBy: neighbor
+  #          kind: keyword_argument
+  #          all:
+  #           - has:
+  #               stopBy: neighbor
+  #               kind: identifier
+  #               regex: ^password$
+  #           - has:
+  #               stopBy: neighbor
+  #               kind: string
+  #               not:
+  #                 has:
+  #                  stopBy: end
+  #                  kind: string_content
+  #    - inside:
+  #        stopBy: end
+  #        follows:
+  #          stopBy: end
+  #          kind: import_from_statement
+  #          pattern: from pymongo import MongoClient
+rule:
+  kind: call
+  any:
+    - matches: pymongo.MongoClient(..., password="",...)
+  # - matches: $pymongo.MongoClient(..., password="",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
diff --git a/rules/python/security/python-pymongo-hardcoded-secret-python.yml b/rules/python/security/python-pymongo-hardcoded-secret-python.yml
new file mode 100644
index 00000000..4690aa06
--- /dev/null
+++ b/rules/python/security/python-pymongo-hardcoded-secret-python.yml
@@ -0,0 +1,85 @@
+id: python-pymongo-hardcoded-secret-python
+language: python
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  pymongo.MongoClient(..., password="",...):
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^pymongo.MongoClient$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            kind: keyword_argument
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  regex: ^password$
+              - has:
+                  stopBy: neighbor
+                  kind: string
+                  has:
+                    stopBy: end
+                    kind: string_content
+  # $pymongo.MongoClient(..., password="",...):
+  #  kind: call
+  #  all:
+  #    - has:
+  #        stopBy: neighbor
+  #        kind: identifier
+  #        regex: ^MongoClient$
+  #    - has:
+  #        stopBy: neighbor
+  #        kind: argument_list
+  #        has:
+  #          stopBy: neighbor
+  #          kind: keyword_argument
+  #          all:
+  #           - has:
+  #               stopBy: neighbor
+  #               kind: identifier
+  #               regex: ^password$
+  #           - has:
+  #               stopBy: neighbor
+  #               kind: string
+  #               has:
+  #                  stopBy: end
+  #                  kind: string_content
+  #    - inside:
+  #        stopBy: end
+  #        follows:
+  #          stopBy: end
+  #          kind: import_from_statement
+  #          pattern: from pymongo import MongoClient
+rule:
+  kind: call
+  any:
+    - matches: pymongo.MongoClient(..., password="",...)
+  # - matches: $pymongo.MongoClient(..., password="",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
diff --git a/rules/python/security/python-webrepl-empty-password-python.yml b/rules/python/security/python-webrepl-empty-password-python.yml
new file mode 100644
index 00000000..1869d3ee
--- /dev/null
+++ b/rules/python/security/python-webrepl-empty-password-python.yml
@@ -0,0 +1,56 @@
+id: python-webrepl-empty-password-python
+language: python
+severity: warning
+message: >-
+  The application creates a database connection with an empty password.
+  This can lead to unauthorized access by either an internal or external
+  malicious actor. To prevent this vulnerability, enforce authentication
+  when connecting to a database by using environment variables to securely
+  provide credentials or retrieving them from a secure vault or HSM
+  (Hardware Security Module).
+note: >-
+  [CWE-287]: Improper Authentication
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  webrepl.start(..., password="",...):
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^webrepl.start$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: neighbor
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: string
+                not:
+                 has:
+                  stopBy: end
+                  kind: string_content
+rule:
+  kind: call
+  matches: webrepl.start(..., password="",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
+
diff --git a/rules/python/security/python-webrepl-hardcoded-secret-python.yml b/rules/python/security/python-webrepl-hardcoded-secret-python.yml
new file mode 100644
index 00000000..aa04e5a5
--- /dev/null
+++ b/rules/python/security/python-webrepl-hardcoded-secret-python.yml
@@ -0,0 +1,54 @@
+id: python-webrepl-hardcoded-secret-python
+language: python
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  webrepl.start(..., password="",...):
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^webrepl.start$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: neighbor
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: string
+                has:
+                  stopBy: end
+                  kind: string_content
+rule:
+  kind: call
+  matches: webrepl.start(..., password="",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
+
diff --git a/tests/__snapshots__/python-pymongo-empty-password-python-snapshot.yml b/tests/__snapshots__/python-pymongo-empty-password-python-snapshot.yml
new file mode 100644
index 00000000..e6b3959a
--- /dev/null
+++ b/tests/__snapshots__/python-pymongo-empty-password-python-snapshot.yml
@@ -0,0 +1,29 @@
+id: python-pymongo-empty-password-python
+snapshots:
+  ? |
+    pymongo.MongoClient(password="")
+  : labels:
+    - source: pymongo.MongoClient(password="")
+      style: primary
+      start: 0
+      end: 32
+    - source: pymongo.MongoClient
+      style: secondary
+      start: 0
+      end: 19
+    - source: password
+      style: secondary
+      start: 20
+      end: 28
+    - source: '""'
+      style: secondary
+      start: 29
+      end: 31
+    - source: password=""
+      style: secondary
+      start: 20
+      end: 31
+    - source: (password="")
+      style: secondary
+      start: 19
+      end: 32
diff --git a/tests/__snapshots__/python-pymongo-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-pymongo-hardcoded-secret-python-snapshot.yml
new file mode 100644
index 00000000..473e1741
--- /dev/null
+++ b/tests/__snapshots__/python-pymongo-hardcoded-secret-python-snapshot.yml
@@ -0,0 +1,33 @@
+id: python-pymongo-hardcoded-secret-python
+snapshots:
+  ? |
+    pymongo.MongoClient(password="a")
+  : labels:
+    - source: pymongo.MongoClient(password="a")
+      style: primary
+      start: 0
+      end: 33
+    - source: pymongo.MongoClient
+      style: secondary
+      start: 0
+      end: 19
+    - source: password
+      style: secondary
+      start: 20
+      end: 28
+    - source: a
+      style: secondary
+      start: 30
+      end: 31
+    - source: '"a"'
+      style: secondary
+      start: 29
+      end: 32
+    - source: password="a"
+      style: secondary
+      start: 20
+      end: 32
+    - source: (password="a")
+      style: secondary
+      start: 19
+      end: 33
diff --git a/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml b/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml
index 065843a3..7d5c779e 100644
--- a/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml
+++ b/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml
@@ -18,3 +18,39 @@ snapshots:
       style: secondary
       start: 89
       end: 101
+  ? "requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('user', ''))  \n"
+  : labels:
+    - source: requests.auth.HTTPBasicAuth('user', '')
+      style: primary
+      start: 62
+      end: 101
+    - source: requests.auth.HTTPBasicAuth
+      style: secondary
+      start: 62
+      end: 89
+    - source: ''''''
+      style: secondary
+      start: 98
+      end: 100
+    - source: ('user', '')
+      style: secondary
+      start: 89
+      end: 101
+  'requests.get(''https://httpbin.org/basic-auth/user/pass'', auth=requests.auth.HTTPBasicAuth(''username'', ''''))      ':
+    labels:
+    - source: requests.auth.HTTPBasicAuth('username', '')
+      style: primary
+      start: 62
+      end: 105
+    - source: requests.auth.HTTPBasicAuth
+      style: secondary
+      start: 62
+      end: 89
+    - source: ''''''
+      style: secondary
+      start: 102
+      end: 104
+    - source: ('username', '')
+      style: secondary
+      start: 89
+      end: 105
diff --git a/tests/__snapshots__/python-webrepl-empty-password-python-snapshot.yml b/tests/__snapshots__/python-webrepl-empty-password-python-snapshot.yml
new file mode 100644
index 00000000..c9e19b40
--- /dev/null
+++ b/tests/__snapshots__/python-webrepl-empty-password-python-snapshot.yml
@@ -0,0 +1,29 @@
+id: python-webrepl-empty-password-python
+snapshots:
+  ? |
+    webrepl.start(password="")
+  : labels:
+    - source: webrepl.start(password="")
+      style: primary
+      start: 0
+      end: 26
+    - source: webrepl.start
+      style: secondary
+      start: 0
+      end: 13
+    - source: password
+      style: secondary
+      start: 14
+      end: 22
+    - source: '""'
+      style: secondary
+      start: 23
+      end: 25
+    - source: password=""
+      style: secondary
+      start: 14
+      end: 25
+    - source: (password="")
+      style: secondary
+      start: 13
+      end: 26
diff --git a/tests/__snapshots__/python-webrepl-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-webrepl-hardcoded-secret-python-snapshot.yml
new file mode 100644
index 00000000..a18db1cf
--- /dev/null
+++ b/tests/__snapshots__/python-webrepl-hardcoded-secret-python-snapshot.yml
@@ -0,0 +1,64 @@
+id: python-webrepl-hardcoded-secret-python
+snapshots:
+  ? |
+    webrepl.start(password="12345")
+  : labels:
+    - source: webrepl.start(password="12345")
+      style: primary
+      start: 0
+      end: 31
+    - source: webrepl.start
+      style: secondary
+      start: 0
+      end: 13
+    - source: password
+      style: secondary
+      start: 14
+      end: 22
+    - source: '12345'
+      style: secondary
+      start: 24
+      end: 29
+    - source: '"12345"'
+      style: secondary
+      start: 23
+      end: 30
+    - source: password="12345"
+      style: secondary
+      start: 14
+      end: 30
+    - source: (password="12345")
+      style: secondary
+      start: 13
+      end: 31
+  ? |
+    webrepl.start(password="mypassword")
+  : labels:
+    - source: webrepl.start(password="mypassword")
+      style: primary
+      start: 0
+      end: 36
+    - source: webrepl.start
+      style: secondary
+      start: 0
+      end: 13
+    - source: password
+      style: secondary
+      start: 14
+      end: 22
+    - source: mypassword
+      style: secondary
+      start: 24
+      end: 34
+    - source: '"mypassword"'
+      style: secondary
+      start: 23
+      end: 35
+    - source: password="mypassword"
+      style: secondary
+      start: 14
+      end: 35
+    - source: (password="mypassword")
+      style: secondary
+      start: 13
+      end: 36
diff --git a/tests/python/python-pymongo-empty-password-python-test.yml b/tests/python/python-pymongo-empty-password-python-test.yml
new file mode 100644
index 00000000..581eaf8e
--- /dev/null
+++ b/tests/python/python-pymongo-empty-password-python-test.yml
@@ -0,0 +1,7 @@
+id: python-pymongo-empty-password-python
+valid:
+  - |
+    pymongo.MongoClient(password=os.env['secret'])
+invalid:
+  - |
+    pymongo.MongoClient(password="")
diff --git a/tests/python/python-pymongo-hardcoded-secret-python-test.yml b/tests/python/python-pymongo-hardcoded-secret-python-test.yml
new file mode 100644
index 00000000..43301bc2
--- /dev/null
+++ b/tests/python/python-pymongo-hardcoded-secret-python-test.yml
@@ -0,0 +1,9 @@
+id: python-pymongo-hardcoded-secret-python
+valid:
+  - |
+    pymongo.MongoClient(password=os.env['secret'])
+  - |
+    pymongo.MongoClient(password=os.getenv('secret'))
+invalid:
+  - |
+    pymongo.MongoClient(password="a")
diff --git a/tests/python/python-webrepl-empty-password-python-test.yml b/tests/python/python-webrepl-empty-password-python-test.yml
new file mode 100644
index 00000000..1696ea54
--- /dev/null
+++ b/tests/python/python-webrepl-empty-password-python-test.yml
@@ -0,0 +1,7 @@
+id: python-webrepl-empty-password-python
+valid:
+  - |
+    webrepl.start(password=SECURE_PASSWORD_CONFIG["password"])
+invalid:
+  - |
+    webrepl.start(password="")
diff --git a/tests/python/python-webrepl-hardcoded-secret-python-test.yml b/tests/python/python-webrepl-hardcoded-secret-python-test.yml
new file mode 100644
index 00000000..a7309bdd
--- /dev/null
+++ b/tests/python/python-webrepl-hardcoded-secret-python-test.yml
@@ -0,0 +1,9 @@
+id: python-webrepl-hardcoded-secret-python
+valid:
+  - |
+    webrepl.start(password=os.getenv('PASSWORD'))
+invalid:
+  - |
+    webrepl.start(password="mypassword")
+  - |
+    webrepl.start(password="12345")