Add Makefile.security inside modules/python with python/bandit target (…

…cloudposse#52) * Add Makefile.security inside modules/python with python/bandit target * Use generic PYTHON_LINT_TARGETS since static analysis like bandit is indeed linting. Add newline to requirements.template * Combine common Lint and Security targets. Use lint Makefile style for securit Makefile
charlieparkes · Jul 1, 2020 · 428a9a7 · 428a9a7
2 parents cf64788 + d1a2aea
commit 428a9a7
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 2 deletions.
diff --git a/modules/python/Makefile b/modules/python/Makefile
@@ -1,5 +1,11 @@
 PYTHON := $(shell which python 2>/dev/null)
 
+PYTHON_TARGETS_FIND_FLAGS=-name "*.py" -not -path "*/.venv/*" -not -path "*/$(BUILD_HARNESS_VENV_NAME)/*" -not -path "*/.tox/*" -not -path "*/.egg*" -not -path "*/frontend/*" -not -path "*/dist/*" -not -path "*/build/*"
+
+PYTHON_LINT_TARGETS?=$(shell find . $(PYTHON_TARGETS_FIND_FLAGS))
+PYTHON_SECURITY_TARGETS?=$(shell find . $(PYTHON_TARGETS_FIND_FLAGS) -not -path "*/tests/*")
+
+
 .PHONY: python/check
 python/check: ; $(call assert-set,PYTHON) && echo "Found python: $(PYTHON)"
 

diff --git a/modules/python/Makefile.security b/modules/python/Makefile.security
@@ -0,0 +1,25 @@
+BANDIT=$(call which, bandit)
+BANDIT_FLAGS=-ll -ii
+
+
+.PHONY: python/security/targets
+python/security/targets:
+	@VAR=( $(PYTHON_SECURITY_TARGETS) ); echo "Discovered $${#VAR[@]} files:"
+	@echo "$$(echo $(PYTHON_SECURITY_TARGETS) | tr ' ' '\n')"
+
+.PHONY: python/security/announce/%
+python/security/announce/%:
+		@VAR=( $(PYTHON_SECURITY_TARGETS) ); echo "Checking $${#VAR[@]} files with $*..."
+
+
+.PHONY: python/security/bandit
+python/security/bandit: bh/venv
+	$(call assert-set,BANDIT)
+	@$(MAKE) python/security/announce/bandit
+	@$(BANDIT) $(PYTHON_SECURITY_TARGETS) $(BANDIT_FLAGS)
+
+.PHONY: python/security
+python/security: python/security/targets python/security/bandit
+
+.PHONY: python/scan
+python/scan: python/security
diff --git a/modules/python/Makefile.style b/modules/python/Makefile.style
@@ -13,8 +13,6 @@ FLAKE8_FLAGS:=--select=B,C,E,F,W,T4,B9 --ignore=E203,E231,E266,E501,W503 --outpu
 # W503: https://github.com/psf/black/pull/36
 # E501: Let black handle line length
 
-PYTHON_LINT_TARGETS?=$(shell find . -name "*.py" -not -path "*/.venv/*" -not -path "*/$(BUILD_HARNESS_VENV_NAME)/*" -not -path "*/.tox/*" -not -path "*/.egg*" -not -path "*/frontend/*" -not -path "*/dist/*" -not -path "*/build/*")
-
 .PHONY: python/lint/targets
 python/lint/targets:
 	@VAR=( $(PYTHON_LINT_TARGETS) ); echo "Discovered $${#VAR[@]} files:"

diff --git a/requirements.template b/requirements.template
@@ -4,3 +4,4 @@ flake8
 isort
 autoflake
 docker-compose
+bandit
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,3 +4,4 @@ flake8 @@
     isort
     autoflake
     docker-compose
+    bandit