search

pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License
1.66k stars 141 forks source link

Add pre-commit hook #336

Open lucomsky opened 3 years ago

lucomsky commented 3 years ago

Description

Add pre-commit hook to safety repository so one can use it directly in pre-commit-config.yaml

---
repos:
  - repo: https://github.com/pyupio/safety.git
    rev: master
    hooks:
      - id: safety
        args: [check]

See https://github.com/rubik/xenon/blob/master/.pre-commit-hooks.yaml for example.

krasnovmv commented 3 years ago

Why pre-commit-hooks-safety is not suitable?

Jesse-Bakker commented 3 years ago

Why pre-commit-hooks-safety is not suitable?

One uses safety to check for known vulnerabilities in dependencies. Using safety from a third-party source kinda defeats the purpose

bagerard commented 2 years ago

I'd like to revive this post. Many of the well known code-quality tools have integrated pre-commit in their own repository (pylint, flake8, bandit, black, isort, etc), an assumption of the pre-commit tool is that you trust the hooks so as Jesse-Bakker said, having an unnecessary dependency is adding security risk.

If you are willing to accept a PR, let me know. More than happy to help on this.

And I'll take the opportunity to thank you for this lib, it's great!

yeisonvargasf commented 1 year ago

@bagerard we are open to accepting PRs!

bagerard commented 1 year ago

I had a look into this and came to the conclusion that the current CLI of safety is not very "pre-commit friendly". We could integrate a basic config like this one but due to safety current cli, we have to make some assumption on the repository structure or name of the requirements.txt file.

In fact pre-commit hooks work best with a CLI like some_entry_point file1 file2 file3

and currently safety check expects e.g. -r requirements_1.txt -r requirements_2.txt.

It's a subtle difference but this drastically complicates the integration, this is the reason why Lucas-C uses a custom entry point (a wrapper on top of "safety check" that changes its interface to the one suggested above --> see here.

I think we have 4 options:

1) modify safety check interface so that it offers a safety check req1.txt req2.txtinterface

2) add a new entry point in safety tailored for the pre-commit hook (basically porting the entrypoint from Lucas-C in this repo)

3) add a pre-commit config that would be customized for 1 use case, the most widespread (i.e 1 requirements.txt file), if users would need to deviate from that use case, it would be possible but clumsy (as users would need to workaround the assumptions made to fit that use case)

4) add most basic pre-commit config, which wouldn't work out of the box and require customization to fit the users' needs, customization wouldn't necessarily be clumsy

Discussion I guess we discard 1) to avoid breaking everyone's code, and I would discard 3) because configuration would be difficult, which leaves us with option 2 and 4. It all depends if you are ok with having another entry point in safety to allow for a smooth pre-commit integration or prefer to keep the integration with minimal invasiveness (i.e only a .pre-commit-hooks.yaml file)

Let me know your preference @yeisonvargasf

sshishov commented 1 year ago

I know that we have a pre-commit hook for safety, but it is named differently and cannot be used as local repository hook.

Also the current implementation of safety does not allow to use it directly in the pre-commit because of --file flag accepting one file when pre-commit is sending the files as just arguments

Would it be possible to collaborate with @Lucas-C and move the functionality here from https://github.com/Lucas-C/pre-commit-hooks-safety?

@bagerard what is the conclusion here? are we going to add the support?

I would make the point 1 as a solution and release the breaking release. I do not think that it is a big hassle to change the command from safety check -file file1.txt -file file2.txt -f file3.txt into safety check file1.txt file2.txt file3.txt

P.S. I am okay with second point as well... like if we add custom entry point... meaning we have to add either custom command like safety pre-commit-check ... or we have to even add extra binary...

Lucas-C commented 1 year ago

Hi!

I am the maintainer of https://github.com/Lucas-C/pre-commit-hooks-safety and just discovered this issue 😊

This sounds like a great idea! You are welcome to take code from my repository to implement this.

I think the main question is: do the maintainers of this repo ( https://github.com/pyupio/safety ) want to maintain this hook?

Jwomers commented 1 year ago

Hi all!

Yes we definitely want to support this feature! We’ll have a quick internal sync on it so we can choose a direction, and then get back to this thread 😊

Justin

On Thu, Apr 6, 2023 at 4:07 AM Lucas Cimon @.***> wrote:

Hi!

I am the maintainer of https://github.com/Lucas-C/pre-commit-hooks-safety and just discovered this issue 😊

This sounds like a great idea! You are welcome to take code from my repository to implement this.

I think the main question is: do the maintainers of this repo ( https://github.com/pyupio/safety ) want to maintain this hook?

— Reply to this email directly, view it on GitHub https://github.com/pyupio/safety/issues/336#issuecomment-1498891369, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAV6QQTTTHBWG2OUJNVDODW72PVRANCNFSM4XUCRUJQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

bagerard commented 6 months ago

any update on this @Jwomers ?