macxred / cashctrl_ledger

Implementation of the abstract pyledger.LedgerEngine interface with CashCtrl accounting service.
MIT License

Implement automated security checks as a GitHub action. #49

Open AlexTheWizardL opened 1 week ago

AlexTheWizardL commented 1 week ago

This issue includes the following steps:

  1. Find a package that performs security check operations and is used across multiple open-source projects.
  2. Implement security checks.
    • @AlexTheWizardL will research common security check packages and present possible implementation to @lasuk
  3. Create a GitHub action that will perform code checks.
  4. Align code base with new rules
For security checks in Python projects, several open source projects use specific tools and configurations to ensure their code is secure. Here are some popular tools and how they are used in various open source projects:

### 1. **Bandit**

Bandit is a tool designed to find common security issues in Python code.

**Installation**:

```bash
pip install bandit
```

**Usage**:

```bash
bandit -r path/to/your/code
```

**Configuration**: You can create a `.bandit` configuration file to customize the checks. Here is an example:

```ini
[bandit]
targets: path/to/your/code
skips: B101,B404
```

### Examples of Open Source Projects Using Bandit:

#### **OpenStack**

- **Linter**: `bandit`
- **Rules**:
  - Uses a `.bandit.yml` configuration file.
  - Example configuration:

    ```yaml
    excludes:
      - "/tests/"
    skips: [B101, B404]
    ```

#### **Django**

- **Linter**: `bandit`
- **Rules**:
  - Uses a `.bandit.yml` configuration file.
  - Example configuration:

    ```yaml
    excludes:
      - "/tests/"
    skips: [B101, B404]
    ```

### 2. **Safety**

Safety checks your installed dependencies for known security vulnerabilities.

**Installation**:

```bash
pip install safety
```

**Usage**:

```bash
safety check
```

**Configuration**: You can create a requirements file or use your existing one and run safety against it.

### Examples of Open Source Projects Using Safety:

#### **Pipenv**

- **Linter**: `safety`
- **Rules**:
  - Uses the default configuration to check the dependencies.

### 3. **Snyk**

Snyk scans for vulnerabilities in dependencies and provides fixes.

**Installation**:

```bash
pip install snyk
```

**Usage**:

```bash
snyk test
```

### Examples of Open Source Projects Using Snyk:

#### **TensorFlow**

- **Linter**: `snyk`
- **Rules**:
  - Uses the default configuration to check the dependencies.

### How to Integrate Security Checks in Your Project

To integrate these security tools into your project, follow these steps:

1. **Install the tools**:

   ```bash
   pip install bandit safety snyk
   ```

2. **Create configuration files**:
   - `.bandit.yml` for Bandit:

     ```yaml
     excludes:
       - "/tests/"
     skips: [B101, B404]
     ```

   - Ensure your dependencies are listed in a `requirements.txt` or `Pipfile`.

3. **Run the tools**:
   - **Bandit**:

     ```bash
     bandit -r path/to/your/code
     ```

   - **Safety**:

     ```bash
     safety check
     ```

   - **Snyk**:

     ```bash
     snyk test
     ```

4. **Integrate with CI/CD**: Add these tools to your CI/CD pipeline to ensure security checks are performed on every build. For example, in a GitHub Actions workflow:

   ```yaml
   name: Security Checks
   on: [push]
   jobs:
     bandit:
       runs-on: ubuntu-latest
       steps:
         - uses: actions/checkout@v2
         - name: Set up Python
           uses: actions/setup-python@v2
           with:
             python-version: '3.x'
         - name: Install dependencies
           run: |
             python -m pip install --upgrade pip
             pip install bandit safety snyk
         - name: Run Bandit
           run: bandit -r path/to/your/code
         - name: Run Safety
           run: safety check
         - name: Run Snyk
           run: snyk test
   ```

Security checks should be included for the cashctrl_api and cashctrl_ledger packages.

AlexTheWizardL commented 5 days ago

Design Problem Solution: Implementing Security Checks in a Python Package

Problem Statement:

Ensure the security of your Python package by integrating comprehensive security checks to detect and mitigate potential vulnerabilities.

Objectives:

  1. Perform static code analysis to check for vulnerabilities.
  2. Check for vulnerabilities in dependencies.

Solution Design:

  1. Static Code Analysis with Bandit

    Motivation: Identify security vulnerabilities in your code without executing it.

    Usage in Open Source Projects: Bandit is widely used in projects such as OpenStack and Django to scan code during development for potential security issues.

    Configuration: Bandit can be configured via a .bandit file. Here’s an example configuration used in OpenStack:

    # .bandit
    exclude:
     - tests/
    skips:
     - B101  # Skip Use of assert detected.

    Implementation:

    pip install bandit
    bandit -r your_package
  2. Dependency Vulnerability Checks with Safety

    Motivation: Ensure third-party libraries are free from known vulnerabilities.

    Usage in Open Source Projects: Safety is used by projects like Requests and Flask to ensure that their dependencies do not have known vulnerabilities, integrated into their CI/CD pipelines.

    Configuration: Safety can be configured to ignore specific vulnerabilities. Here’s an example command:

    safety check --ignore 39462 --ignore 39463

    Implementation:

    pip install safety
    safety check -r requirements.txt --ignore 39462 --ignore 39463

By following this design, we ensure the Python package is secure, with robust checks for code vulnerabilities and secure dependencies.
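Both comments above settle on Bandit with a skip list of `B101` and `B404` and on running it from a GitHub Actions workflow. The script below, added here as an illustration and not code from the issue or from the cashctrl_ledger project, turns Bandit's `-f json` report into a pass/fail gate that honours that skip list and fails the step only for findings at or above a severity and confidence threshold; the sample report is constructed to mirror Bandit's JSON shape, the file names in it are placeholders, and the MEDIUM thresholds and the script name `bandit_gate.py` are assumptions.

```python
import json
import sys
from typing import Iterable

# Bandit reports severity and confidence as LOW / MEDIUM / HIGH.
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

def failing_findings(report: dict, skips: Iterable[str] = (),
                     min_severity: str = "MEDIUM", min_confidence: str = "MEDIUM") -> list:
    """Results that should fail the build: test_id not in the skip list (the
    same list as `skips: [B101, B404]` in .bandit.yml above) and severity and
    confidence both at or above the thresholds (MEDIUM defaults are an assumption)."""
    skipped = set(skips)
    return [r for r in report.get("results", [])
            if r["test_id"] not in skipped
            and RANK[r["issue_severity"]] >= RANK[min_severity]
            and RANK[r["issue_confidence"]] >= RANK[min_confidence]]

def format_finding(f: dict) -> str:
    """file:line form that CI logs and editors understand."""
    return (f"{f['filename']}:{f['line_number']}: {f['test_id']} "
            f"[{f['issue_severity']}/{f['issue_confidence']}] {f['issue_text']}")

def main(path: str, skips: Iterable[str] = ("B101", "B404")) -> int:
    """Exit 1 (which fails the Actions step) when any finding survives the filter."""
    with open(path, encoding="utf-8") as fh:
        report = json.load(fh)
    findings = failing_findings(report, skips)
    for f in findings:
        print(format_finding(f), file=sys.stderr)
    return 1 if findings else 0

# Constructed sample mirroring the shape of `bandit -f json` output; the file
# names are placeholders, not files from the cashctrl_ledger project.
SAMPLE_REPORT = {"results": [
    {"filename": "pkg/ledger.py", "line_number": 12, "test_id": "B101",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Use of assert detected."},
    {"filename": "pkg/client.py", "line_number": 40, "test_id": "B404",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Consider possible security implications associated with the subprocess module."},
    {"filename": "pkg/client.py", "line_number": 58, "test_id": "B501",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "Requests call with verify=False disabling SSL certificate checks."},
]}

if __name__ == "__main__":  # usage: bandit -r pkg -f json -o bandit.json; python bandit_gate.py bandit.json
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "bandit.json"))
```

In the workflow this replaces the plain `bandit -r path/to/your/code` step with a `bandit ... -f json -o bandit.json` step followed by `python bandit_gate.py bandit.json`, so the skipped rules never fail a build while a high-severity finding such as the disabled certificate check in the sample always does.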