This document explains the security analysis tools integrated into the project's CI/CD pipeline.
The project uses multiple Python-native security tools to provide comprehensive security analysis:
- Static Code Analysis: Find security vulnerabilities in source code
- Dependency Scanning: Check for known vulnerabilities in dependencies
- Security Pattern Detection: Identify security anti-patterns and misconfigurations
- Code Quality Security: Additional security-focused code quality checks
Bandit
Purpose: Static security analysis for Python code
What it finds:
- Hardcoded passwords, API keys, SQL injection vulnerabilities
- Use of insecure cryptographic functions
- Shell injection vulnerabilities
- Path traversal issues
- Insecure random number generation
Configuration: pyproject.toml and .bandit
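To make the issue classes above concrete, here is an added illustration (not code from the project) that pairs the pattern Bandit flags with the fix a reviewer would expect, for shell injection, SQL injection and insecure randomness. The Bandit test IDs in the comments are the real ones for those checks; the in-memory SQLite table, the user names and the probe strings are constructed sample data.

```python
"""Vulnerable-versus-hardened pairs for issue classes Bandit reports.

Added illustration for this document, not code from the project. Each
vulnerable_* function shows a pattern Bandit flags (Bandit test ID in the
comment); each safe_* function shows the fix a reviewer would expect.
The in-memory SQLite table and the user names are constructed sample data.
"""
import random
import secrets
import sqlite3
import subprocess
import sys

# ---- Shell injection: B602, subprocess call with shell=True ----------------

def vulnerable_echo(user_input: str) -> str:
    # The input is spliced into a command string parsed by /bin/sh, so a
    # ';' inside user_input starts a second command. Never called below.
    return subprocess.check_output(f"echo {user_input}", shell=True, text=True)


def safe_echo(user_input: str) -> str:
    # Pass an argv list and no shell: user_input is exactly one argument and
    # shell metacharacters in it are ordinary characters. The child here is
    # Python itself so the example runs anywhere; a real program would pass
    # its own program name and arguments the same way.
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", user_input]
    done = subprocess.run(child, capture_output=True, text=True, check=True)
    return done.stdout.rstrip("\n")


# ---- SQL injection: B608, SQL built by string formatting -------------------

def _sample_db() -> sqlite3.Connection:
    # Constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list[str]:
    # Quoting is left to string formatting; a name containing a quote
    # rewrites the WHERE clause instead of being compared as data.
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'")
    return sorted(r[0] for r in rows)


def safe_lookup(conn: sqlite3.Connection, name: str) -> list[str]:
    # Bound parameter: the driver sends the value separately from the
    # statement text, so it can never change the query's structure.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(r[0] for r in rows)


# ---- Insecure randomness: B311, random module used for security ------------

def vulnerable_session_token() -> str:
    # Mersenne Twister output is predictable after observing a few values.
    return "".join(random.choice("0123456789abcdef") for _ in range(32))


def safe_session_token() -> str:
    # secrets draws from the OS CSPRNG; 32 bytes gives 256 bits of entropy.
    return secrets.token_hex(32)


if __name__ == "__main__":
    db = _sample_db()
    probe = "' OR '1'='1"
    print("vulnerable lookup:", vulnerable_lookup(db, probe))   # every row
    print("safe lookup:     ", safe_lookup(db, probe))          # no rows
    print("safe echo:       ", safe_echo("hello; echo pwned"))  # printed verbatim
    print("token:           ", safe_session_token())
```

Running bandit -r over this file reports the three vulnerable_* functions and nothing for their safe_* counterparts, which is a quick way to confirm a local Bandit installation is working before relying on the CI run.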
Safety
Purpose: Dependency vulnerability scanning
What it finds:
- Known CVE vulnerabilities in Python packages
- Outdated packages with security fixes
- Packages with known security advisories
Data source: PyUp.io vulnerability database
Semgrep
Purpose: Advanced security pattern analysis
What it finds:
- OWASP Top 10 vulnerabilities
- Framework-specific security issues (Flask, SQLAlchemy)
- Custom security patterns
- Secret detection (API keys, tokens)
Configuration: .semgrepignore
Pylint
Purpose: Code quality with security focus
What it finds:
- Security-related code smells
- Potential security issues in code structure
- Best practice violations
- Runs on every pull request
- Includes basic security as part of code quality
- Fast feedback for developers
- Comprehensive security analysis
- Runs on push to main and PRs
- Weekly scheduled scans
- Generates detailed security reports
- Posts security summaries to PRs
Security analysis generates several types of reports:
- bandit-report.json/txt: Detailed security issues
- safety-report.json/txt: Vulnerability findings
- semgrep-report.json/txt: Security patterns
- pylint-security.json/txt: Code quality security issues
- security-summary.md: Executive summary
Automated comments on pull requests include:
- Total security issues found
- Summary by tool
- Links to detailed reports
- Recommendations for fixes
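The following is an added illustration of how the per-tool JSON reports can be folded into the security summary and pull-request comment described above; it is not the project's own pipeline script. It reads a Bandit report in the shape that bandit -f json emits (a results list with issue_severity, issue_confidence, test_id, filename, line_number and issue_text fields) and a dependency report reduced to an assumed minimal shape of package, installed, vulnerability_id and severity records, because Safety's real JSON output is richer and has changed across versions. Both inputs are constructed sample data, and the advisory identifier is a placeholder.

```python
"""Build the PR security summary from the tools' JSON reports.

Added illustration for this document, not the project's own pipeline
script. Bandit input follows the real `bandit -f json` field names; the
dependency input is an assumed minimal shape (see the lead-in). Both
inputs below are constructed sample data.
"""
import json
from collections import Counter

SEVERITY_ORDER = ["HIGH", "MEDIUM", "LOW"]

# Constructed sample of `bandit -f json` output (fields as Bandit emits them).
BANDIT_JSON = json.dumps({
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "app/tasks.py", "line_number": 42,
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "filename": "app/db.py", "line_number": 17,
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"test_id": "B311", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "app/tokens.py", "line_number": 8,
         "issue_text": "Standard pseudo-random generators are not suitable for security purposes."},
    ]
})

# Constructed dependency findings in the assumed minimal shape; the
# advisory id is a placeholder, not a real identifier.
DEPENDENCY_JSON = json.dumps([
    {"package": "examplelib", "installed": "1.0.0",
     "vulnerability_id": "PLACEHOLDER-ADVISORY-1", "severity": "HIGH"},
])


def _normalise(severity: str) -> str:
    """Map a tool's severity label onto HIGH/MEDIUM/LOW; unknown labels count as LOW."""
    label = severity.upper()
    return label if label in SEVERITY_ORDER else "LOW"


def load_bandit(report_json: str) -> list[dict]:
    """Normalise Bandit results to (tool, severity, location, description)."""
    data = json.loads(report_json)
    return [{"tool": "bandit", "severity": _normalise(r["issue_severity"]),
             "location": f'{r["filename"]}:{r["line_number"]}',
             "description": f'{r["test_id"]} {r["issue_text"]}'}
            for r in data.get("results", [])]


def load_dependencies(report_json: str) -> list[dict]:
    """Normalise the assumed dependency-report shape the same way."""
    return [{"tool": "safety", "severity": _normalise(r["severity"]),
             "location": f'{r["package"]}=={r["installed"]}',
             "description": r["vulnerability_id"]}
            for r in json.loads(report_json)]


def severity_counts(findings: list[dict]) -> dict:
    """Count findings by severity, always reporting all three levels."""
    counts = Counter(f["severity"] for f in findings)
    return {level: counts.get(level, 0) for level in SEVERITY_ORDER}


def build_summary(findings: list[dict]) -> str:
    """Render the Markdown summary posted to the pull request."""
    total = severity_counts(findings)
    lines = ["## Security summary", "",
             f"Total issues: {len(findings)} "
             f"(HIGH {total['HIGH']}, MEDIUM {total['MEDIUM']}, LOW {total['LOW']})", "",
             "| Tool | HIGH | MEDIUM | LOW |", "|---|---|---|---|"]
    for tool in sorted({f["tool"] for f in findings}):
        c = severity_counts([f for f in findings if f["tool"] == tool])
        lines.append(f"| {tool} | {c['HIGH']} | {c['MEDIUM']} | {c['LOW']} |")
    lines += ["", "Findings ordered by severity:"]
    ranked = sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    for f in ranked:
        lines.append(f"- [{f['severity']}] {f['tool']}: {f['location']}: {f['description']}")
    return "\n".join(lines)


def has_blocking_findings(findings: list[dict], threshold: str = "HIGH") -> bool:
    """True if any finding is at or above `threshold`; a gate the full workflow could apply."""
    limit = SEVERITY_ORDER.index(threshold)
    return any(SEVERITY_ORDER.index(f["severity"]) <= limit for f in findings)


if __name__ == "__main__":
    all_findings = load_bandit(BANDIT_JSON) + load_dependencies(DEPENDENCY_JSON)
    print(build_summary(all_findings))
    print("blocking:", has_blocking_findings(all_findings))
```

Because the tools are invoked so that they never fail the build, a gate such as has_blocking_findings is where a team decides which severities are allowed to merge; the per-severity totals it is built on are the same numbers the pipeline tracks over time.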
Central configuration for most tools lives in pyproject.toml:
[tool.bandit]
exclude_dirs = [".venv", "tests"]
skips = ["B101"] # Allow assert in tests
[tool.black]
line-length = 88
[tool.isort]
profile = "black"
.bandit holds additional Bandit-specific configuration for complex scenarios.
.semgrepignore lists the patterns to exclude from Semgrep scanning:
.venv/
tests/
__pycache__/
- Review security comments on PRs before merging
- Fix critical issues identified by security tools
- Update dependencies regularly to get security fixes
- Follow secure coding practices to prevent common vulnerabilities
- Monitor security reports from scheduled scans
- Triage vulnerabilities by severity and exploitability
- Update security tool configurations as needed
- Review and approve security-related changes
If a security tool reports a false positive:
- Verify it's actually a false positive
- Add appropriate exclusions to configuration files
- Document the reasoning in commit messages
If security tools fail:
- Check the workflow logs for specific errors
- Verify tool configurations are valid
- Update tool versions if needed
- Tools are invoked with || true so that a failing tool does not break the build
If security scans are too slow:
- Review file exclusion patterns
- Consider running full scans only on schedule
- Optimize Semgrep rule sets
To run security tools locally:
# Install tools
pip install bandit safety semgrep pylint
# Run individual tools
bandit -r app/
safety check
semgrep --config=auto app/
pylint app/ --load-plugins=pylint.extensions.security
The security pipeline tracks:
- Total vulnerabilities found by severity
- Trend analysis over time
- Mean time to resolution for security issues
- Coverage of security analysis