From 09e3e145cec81ca74700189f7964112c365a3b00 Mon Sep 17 00:00:00 2001
From: Charlie
Date: Mon, 27 Jul 2020 16:43:31 -0500
Subject: [PATCH] Scan python with safety (#57)
* In requirements.txt targets, use bh venv so that we can use automatically installed pipenv
* Use docker kennethreitz/pipenv to build requirements files instead of installing it
* Add python/safety
* Add python/safety via docker and generate reqs using jq via docker
* Remove reliance on pipfile.lock in requirements targets
---
 Makefile.venv | 2 +-
 modules/python/Makefile.security | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/Makefile.venv b/Makefile.venv
index 812f4948..4c5c3351 100644
--- a/Makefile.venv
+++ b/Makefile.venv
@@ -44,7 +44,7 @@ $(BUILD_HARNESS_REQ): $(BUILD_HARNESS_REQ_TEMPLATE)
 $(BUILD_HARNESS_PIPFILE): $(BUILD_HARNESS_REQ)
 @if [ -f $@ ]; then echo "Removing previously generated build-harness Pipfile" && rm $@; fi
- if [ -n "$$(which pipenv 2>/dev/null)" ]; then \
+ @if [ -n "$$(which pipenv 2>/dev/null)" ]; then \
 echo "Generating $@"; \
 if [ -n "$(LOCAL_PROJECT_PYTHON_VERSION)" ]; then \
 echo "[requires]" >> $@; \
diff --git a/modules/python/Makefile.security b/modules/python/Makefile.security
index 627788c9..8cdb5fc4 100644
--- a/modules/python/Makefile.security
+++ b/modules/python/Makefile.security
@@ -1,5 +1,6 @@
 BANDIT=$(call which,bandit)
 BANDIT_FLAGS=-ll -ii
+SAFETY_FLAGS=check
 PYTHON_SECURITY_TARGETS?=$(shell find . $(PYTHON_TARGETS_FIND_FLAGS) -not -path "*/tests/*" -not -path "*/docs/*" -not -name "setup.py")
@@ -20,8 +21,16 @@ python/bandit: bh/venv
 @$(MAKE) python/scan/announce/bandit
 @$(BANDIT) $(PYTHON_SECURITY_TARGETS) $(BANDIT_FLAGS)
+
+.PHONY: python/safety
+## Scan python project for security vulnerabilities with safety
+python/safety: Pipfile.lock
+ @$(MAKE) python/scan/announce/safety
+ @$(DOCKER) run -i --rm stedolan/jq -r
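Review bot: The modified `if` line still chooses between its two branches with `which pipenv`, which is not POSIX and is missing or prints a diagnostic on stdout on some minimal images, so the recipe can drop into the else branch (outside this hunk) even when pipenv is installed; the portable test is `@if command -v pipenv >/dev/null 2>&1; then \`. The commit message says the requirements targets now get pipenv from the bh venv, but this rule keys off whatever `pipenv` is first on PATH, so it is worth confirming the venv's bin directory is on PATH when this recipe runs or pointing the test at the venv's pipenv explicitly. The added `@` is harmless here because the branch already echoes "Generating $@", but keep in mind it also hides the rest of the multi-line block from the build log, so a failure in a later continuation line will show only the exit status. The $(BUILD_HARNESS_PIPFILE) recipe continues past the end of this hunk.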
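Review bot: `SAFETY_FLAGS=check` puts the safety subcommand into a variable that, by analogy with `BANDIT_FLAGS=-ll -ii` on the line above, users will treat as an option set, so a command-line override such as `make python/safety SAFETY_FLAGS="--full-report -i 12345"` silently drops `check` and breaks the target wherever the variable is expanded (that recipe is not visible in this hunk). Suggest `SAFETY_FLAGS?=` with the subcommand written literally in the recipe, e.g. `safety check $(SAFETY_FLAGS)`, and `?=` so a project Makefile can override it the same way `PYTHON_SECURITY_TARGETS?=` already allows. A short comment above the variable, `## Extra options passed to "safety check" (e.g. -i <id> to ignore a finding)`, would make the intended use clear.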