Closed. mmadil closed this 1 year ago.
Looks interesting. We'll try it out! Thanks!
Thanks, @mmadil for the kind words and for writing a detailed explanation. There are a few things I would like to see enhanced in this PR:
- `.semgrep.yml` file so it can be run from anywhere.
- `.github/workflows/`
- `.venv` in the `--exclude` option
- add_static_analysis_with_semgrep
- `make lint` command as well.
Really appreciate you taking the time to submit this PR. Cheers! 🎉
Hey @theskumar, I was looking into the semgrep config part. AFAIK the `.semgrep.yml` file allows us to write custom rules and then use them. So it is not a configuration file of sorts. Since we are using the semgrep registry to pull in the latest rules, how should I proceed with this? Should I add a shell script to run with the desired config or rely on `make lint`?
`make lint` will have all the config mentioned -
I have been using django-init to kickstart most of my Django projects. In addition, I add a layer of security to my projects using semgrep - an easy-to-use static analysis tool. It is highly configurable and customizable. I think adding it here will enhance the security of downstream django-init users.
Just a way of saying - Thank you! :+1:
The bare-bones django-init template is amazing and follows security best practices. The real pain starts when developers start developing their applications. The added rules (for python, django, and secrets detection) ensure that the downstream users also build secure and performant applications. Example -
The rules for secret detection ensure that sensitive keys do not get leaked through git history.
I have tested it a few times, none so far.
PS: This feature is optional, and users can enable it along with pre-commit hooks.
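The `make lint` target the thread discusses (registry rulesets for python, django and secrets, `.venv` excluded, an optional project-local `.semgrep.yml` for custom rules), written out as an added example; this is not the django-init project's own Makefile, and the ruleset names, the `--error` flag and the `.semgrep.yml` path are assumptions.

```makefile
# Added example, not django-init's Makefile. Assumes the semgrep CLI is on PATH
# and that the registry rulesets p/python, p/django and p/secrets exist.
SEMGREP_RULESETS ?= p/python p/django p/secrets
# Expands to: --config p/python --config p/django --config p/secrets
SEMGREP_CONFIG   := $(addprefix --config ,$(SEMGREP_RULESETS))

# .semgrep.yml holds project-specific custom rules (it is not the CLI's
# configuration file), so only pass it when the project actually ships one.
ifneq ($(wildcard .semgrep.yml),)
SEMGREP_CONFIG += --config .semgrep.yml
endif

.PHONY: lint
lint:
	# --exclude .venv skips the virtualenv; --error makes findings fail CI.
	semgrep $(SEMGREP_CONFIG) \
		--exclude .venv \
		--error \
		.
```

Running `make lint` from the project root scans the tree with the registry rules plus any custom rules, and a non-zero exit stops the pre-commit hook or CI job on findings.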