

Scan python with safety (#57)
* In requirements.txt targets, use bh venv so that we can use automatically installed pipenv

* Use docker kennethreitz/pipenv to build requirements files instead of installing it

* Add python/safety

* Add python/safety via docker and generate reqs using jq via docker

* Remove reliance on pipfile.lock in requirements targets
charlieparkes authored Jul 27, 2020
1 parent 8730ede commit 09e3e14
Showing 2 changed files with 11 additions and 2 deletions.
2 changes: 1 addition & 1 deletion Makefile.venv
Expand Up @@ -44,7 +44,7 @@ $(BUILD_HARNESS_REQ): $(BUILD_HARNESS_REQ_TEMPLATE)

$(BUILD_HARNESS_PIPFILE): $(BUILD_HARNESS_REQ)
@if [ -f $@ ]; then echo "Removing previously generated build-harness Pipfile" && rm $@; fi
if [ -n "$$(which pipenv 2>/dev/null)" ]; then \
@if [ -n "$$(which pipenv 2>/dev/null)" ]; then \
echo "Generating $@"; \
if [ -n "$(LOCAL_PROJECT_PYTHON_VERSION)" ]; then \
echo "[requires]" >> $@; \
11 changes: 10 additions & 1 deletion modules/python/Makefile.security
@@ -1,5 +1,6 @@
BANDIT=$(call which,bandit)
BANDIT_FLAGS=-ll -ii
SAFETY_FLAGS=check

PYTHON_SECURITY_TARGETS?=$(shell find . $(PYTHON_TARGETS_FIND_FLAGS) -not -path "*/tests/*" -not -path "*/docs/*" -not -name "setup.py")

Expand All @@ -20,8 +21,16 @@ python/bandit: bh/venv
@$(MAKE) python/scan/announce/bandit
@$(BANDIT) $(PYTHON_SECURITY_TARGETS) $(BANDIT_FLAGS)


.PHONY: python/safety
## Scan python project for security vulnerabilities with safety
python/safety: Pipfile.lock
@$(MAKE) python/scan/announce/safety
@$(DOCKER) run -i --rm stedolan/jq -r <Pipfile.lock '.default | to_entries[] | .key + .value.version' | $(DOCKER) run -i --rm pyupio/safety safety $(SAFETY_FLAGS) --stdin


.PHONY: python/scan
## Scan python files for security vulnerabilities
python/scan: bh/venv
@$(MAKE) python/scan/targets python/bandit
@$(MAKE) python/scan/targets python/bandit python/safety
@echo "Done."
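Review bot: The jq filter in the `python/safety` recipe, `.key + .value.version`, errors out on any `.default` entry that has no `version` field — Pipfile.lock records VCS, path and editable dependencies with `ref`/`path` instead, as far as I recall — and because the recipe is a plain pipeline with no `pipefail` (whether this Makefile sets a bash `SHELL` is outside the hunk), safety then reads only whatever jq had already emitted and its exit status alone decides the target, so a truncated scan can still report clean. Narrowing the filter to `'.default | to_entries[] | select(.value.version) | .key + .value.version'` avoids the jq failure; making a failed jq stage fail the target needs either `set -o pipefail` under a bash `SHELL` or writing the requirement list to a temp file in one recipe line and feeding it to `safety --stdin` in the next. Both images, `stedolan/jq` and `pyupio/safety`, are pulled untagged, so the tool that decides pass/fail changes whenever `latest` moves; pinning a tag or digest (e.g. `pyupio/safety:<PINNED_TAG>`) makes the result reproducible and auditable. Only `.default` is scanned, so the `.develop` section is never checked; if that is intentional, the `##` comment should say `## Scan default (non-dev) Pipfile.lock dependencies for known vulnerabilities with safety`.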
