Pysa is a security-oriented static analysis tool built on top of a Python type checker, Pyre. The user defines “sources,” where data originates, and “sinks,” where data from a certain source should not end up, and Pysa tracks the flow of data through the program to check if a source connects to a sink. Pysa also comes with tools to deal with false positives, including sanitizers that allow users to encode domain knowledge on benign transformations that should not raise an issue, and features that attach metadata to data flows. Pysa has been used on the Instagram codebase and detected 44% of issues engineers identified in the first half of 2020.