
Create safety (w/ poetry support) ci yaml template
Closed, Resolved (Public)

Description

WIP example here: https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/blob/main/python-safety-db/python-safety-db-ci.yml

Further needs:

  1. Need to support consumer-supplied patterns for multiple namings of requirements files (req.txt, test-requirements.txt, dev-requirements.txt, etc.)
  2. Need to support poetry.lock and pipfile.lock files, as exported to requirements format, with minimal error-handling
  3. Add additional warnings about unpinned package versions? safety already does this as part of its standard warn-level output, so maybe that's fine?

Event Timeline

sbassett triaged this task as Medium priority. Feb 15 2022, 9:33 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
sbassett added a project: SecTeam-Processed.
sbassett changed the task status from Open to In Progress. Feb 16 2022, 7:44 PM

Going to call this one done for now. Here's the template, still on a development branch. Per the comment here, it should be noted that this is currently a best effort to run python safety in CI against various python codebases. It currently behaves naively in that it merely searches for requirements.txt, poetry.lock and pipfile.lock files (including nested files) without further considering common assumptions or pythonic programming paradigms. It might be nice to eventually make this template a bit smarter and support things like requirements.txt files with custom names, validating the existence of a pyproject.toml file, etc., but I also like the way this template currently helps hint at such potential issues via its output.
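The discovery, export and scan flow discussed in the description and the comment above, as an added POSIX sh example (not the Wikimedia template's own code): it takes consumer-supplied requirements-file patterns, exports poetry.lock and Pipfile.lock to requirements format with minimal error handling, and fails the run when a lock file could not be exported rather than skipping it. It assumes `safety check -r` (safety 2.x CLI), `poetry export` and `pipenv requirements` are on the runner; `REQ_PATTERNS`, `SAFETY_CMD` and the function names are chosen here.

```shell
# Added example, not the Wikimedia template: locate dependency manifests the way
# the task describes (nested requirements files plus poetry.lock / Pipfile.lock),
# export the lock files to requirements format, and run python safety on each.
# Assumed CLIs: `safety check -r` (safety 2.x), `poetry export`, `pipenv requirements`.
set -u

# Consumer-supplied, space-separated glob patterns for requirements-style files.
REQ_PATTERNS="${REQ_PATTERNS:-*requirements*.txt req.txt}"
# Scanner invoked with one requirements file; overridable for dry runs and tests.
SAFETY_CMD="${SAFETY_CMD:-safety check --full-report -r}"

# Print every file under $1 matching REQ_PATTERNS, nested directories included.
find_requirements() {
  set -f                      # keep the shell from expanding the globs itself
  for pat in $REQ_PATTERNS; do
    find "$1" -type f -name "$pat" ! -path '*/.venv/*' ! -path '*/node_modules/*'
  done | sort -u
  set +f
}

# Export one lock file to requirements format beside it and print the new path.
# Minimal error handling: an unknown or failed export warns and returns non-zero.
export_lock() {
  dir=$(dirname "$1")
  case "$(basename "$1")" in
    poetry.lock)  [ -f "$dir/pyproject.toml" ] || echo "warning: no pyproject.toml beside $1" >&2
                  (cd "$dir" && poetry export -f requirements.txt --without-hashes -o .safety-export.txt) ;;
    Pipfile.lock) (cd "$dir" && pipenv requirements > .safety-export.txt) ;;
    *) echo "warning: unknown lock file $1" >&2; return 1 ;;
  esac || { echo "warning: could not export $1" >&2; return 1; }
  echo "$dir/.safety-export.txt"
}

# Scan every manifest under $1. A failed export counts as a failure instead of
# being skipped, so a lock file that could not be checked never passes silently.
scan_tree() {
  rc=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    $SAFETY_CMD "$f" || rc=1
  done <<EOF
$(find_requirements "$1")
EOF
  while IFS= read -r lock; do
    [ -n "$lock" ] || continue
    exported=$(export_lock "$lock") || { rc=1; continue; }
    $SAFETY_CMD "$exported" || rc=1
  done <<EOF
$(find "$1" -type f \( -name poetry.lock -o -iname pipfile.lock \) | sort)
EOF
  return $rc
}
```

In a `.gitlab-ci.yml` job the script section would source this file and call `scan_tree "$CI_PROJECT_DIR"`, with `REQ_PATTERNS` set as a job variable by the consuming project.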

sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett moved this task from In Progress to Done on the user-sbassett board.