Labels: chore (linting, formatting, dependency hygiene, or project maintenance chores), cicd (issue with CI/CD process: GitHub Actions, scaffolding), devops (DevOps activities: containers, automation, deployment, makefiles, etc.), triage (issues / features awaiting triage)
Description
Improve Makefile linters with additional security tools.
- Update Makefile
- Update SECURITY.md
- Update docs
- Create custom configs
- Update CI/CD GitHub Actions
Consider a modular Makefile, like Makefile.security.
Additional Python Security Scanners

1. Semgrep - Advanced pattern-based security scanner

# help: semgrep - Run Semgrep security patterns
.PHONY: semgrep semgrep-install
semgrep-install:
	@echo "Installing Semgrep..."
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && python3 -m pip install semgrep"

semgrep:
	@echo "Running Semgrep security scan..."
	# --config=auto pulls rules from the Semgrep registry; --severity may be repeated
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
		semgrep --config=auto --severity=ERROR --severity=WARNING mcpgateway tests"
2. Safety - Check dependencies for known vulnerabilities

# help: safety - Scan dependencies for known CVEs
.PHONY: safety
safety:
	@echo "Running Safety security scan..."
	# Note: Safety 3.x deprecates `safety check` in favour of `safety scan`
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
		python3 -m pip install --quiet safety && \
		safety check --json --continue-on-error"
3. Vulture - Find dead code (security risk)

# help: vulture - Find dead/unreachable code
.PHONY: vulture
vulture:
	@echo "Finding dead code with Vulture..."
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
		python3 -m pip install --quiet vulture && \
		vulture mcpgateway --min-confidence 80"
4. Dodgy - Look for suspicious code patterns

# help: dodgy - Scan for suspicious code patterns
.PHONY: dodgy
dodgy:
	@echo "Scanning for dodgy patterns..."
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
		python3 -m pip install --quiet dodgy && \
		dodgy --ignore-paths venv,build,dist"
5. Dlint - Security-focused linter

# help: dlint - Run Dlint security linter
.PHONY: dlint
dlint:
	@echo "Running Dlint security checks..."
	# Dlint is a flake8 plugin; its rules all carry the DUO prefix
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
		python3 -m pip install --quiet dlint && \
		python3 -m flake8 --select=DUO mcpgateway"
6. GitLeaks - Scan for secrets/credentials

# help: gitleaks - Scan for exposed secrets in git history
.PHONY: gitleaks gitleaks-install
gitleaks-install:
	@echo "Installing GitLeaks..."
	# Downloads the latest unpinned binary; pin a release and verify its checksum for CI use
	@if [ "$$(uname)" = "Darwin" ]; then brew install gitleaks; \
	elif [ "$$(uname)" = "Linux" ]; then \
		wget -q https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_linux_amd64 -O /tmp/gitleaks && \
		chmod +x /tmp/gitleaks && sudo mv /tmp/gitleaks /usr/local/bin/; \
	fi

gitleaks:
	@echo "Scanning for secrets with GitLeaks..."
	# `|| true` keeps the target green even when a secret is found; drop it to fail the build
	@gitleaks detect --source . -v || true
7. PyUpgrade - Ensure modern Python patterns (security)

# help: pyupgrade - Upgrade Python syntax for security/performance
.PHONY: pyupgrade
pyupgrade:
	@echo "Checking for outdated Python patterns..."
	# `**/*.py` only recurses with `shopt -s globstar`; find(1) walks the whole tree
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
		python3 -m pip install --quiet pyupgrade && \
		find mcpgateway tests -name '*.py' -print0 | xargs -0 pyupgrade --py310-plus"
8. Interrogate - Docstring coverage (security documentation)

# help: interrogate - Check docstring coverage
.PHONY: interrogate
interrogate:
	@echo "Checking docstring coverage..."
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
		python3 -m pip install --quiet interrogate && \
		interrogate -v mcpgateway --fail-under 80"
9. Prospector - Meta-linter combining multiple tools

# help: prospector - Run Prospector meta-linter
.PHONY: prospector
prospector:
	@echo "Running Prospector comprehensive analysis..."
	# The extras specifier is quoted so the inner shell does not treat [...] as a glob
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
		python3 -m pip install --quiet 'prospector[with_everything]' && \
		prospector mcpgateway --strictness high"
10. CodeQL - GitHub's semantic code analysis

# help: codeql - Run GitHub CodeQL analysis (requires CodeQL CLI)
.PHONY: codeql codeql-install
codeql-install:
	@echo "Installing CodeQL..."
	@mkdir -p tools && cd tools && \
		wget -q https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip && \
		unzip -q codeql-linux64.zip && rm codeql-linux64.zip

codeql:
	@echo "Running CodeQL security analysis..."
	@tools/codeql/codeql database create codeql-db --language=python --overwrite
	# The CLI-only bundle ships no query packs; --download fetches codeql/python-queries on first use
	@tools/codeql/codeql database analyze codeql-db \
		codeql/python-queries:codeql-suites/python-security-and-quality.qls \
		--download --format=sarif-latest --output=codeql-results.sarif
Enhanced Security Targets

Master Security Scan Target

# help: security-full - Run ALL security scanners
.PHONY: security-full
SECURITY_TOOLS := bandit safety pip-audit semgrep vulture dodgy dlint gitleaks osv-scan
security-full:
	@echo "Running comprehensive security scan..."
	@set -e; for tool in $(SECURITY_TOOLS); do \
		echo "------------------------------------"; \
		echo "Running $$tool..."; \
		$(MAKE) $$tool || true; \
	done
	@echo "Security scan complete"
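The loop above runs every tool with `$(MAKE) $$tool || true`, so the target prints "Security scan complete" and exits 0 even when a scanner reported findings or crashed. The following shell wrapper is an added example, not code from this issue or the mcpgateway project: it keeps the run-everything behaviour but records which tools failed, prints a summary, and returns the failure count so a CI job goes red. The `NAME:COMMAND` argument convention, the `--all` flag and the `scripts/security-scan.sh` path are assumptions; `security_full` assumes the make targets named in `SECURITY_TOOLS` exist.

```shell
#!/usr/bin/env bash
# scripts/security-scan.sh (assumed path) - added example, not project code.
# Runs every scanner, never stops early, and exits non-zero if any failed.

# run_scanners NAME:COMMAND ...
#   Runs each COMMAND with `sh -c`. Sets SCANNER_FAILED to a space-separated
#   list of the tools that exited non-zero and returns the number of failed
#   tools (0 = all clean). Shell return values are capped at 255.
run_scanners() {
    local spec name cmd rc total=0 failed=0
    SCANNER_FAILED=""
    for spec in "$@"; do
        name=${spec%%:*}          # text before the first colon
        cmd=${spec#*:}            # everything after it
        total=$((total + 1))
        printf '%s\n' '------------------------------------'
        printf 'Running %s...\n' "$name"
        if sh -c "$cmd"; then rc=0; else rc=$?; fi
        if [ "$rc" -eq 0 ]; then
            printf '[PASS] %s\n' "$name"
        else
            printf '[FAIL] %s (exit status %d)\n' "$name" "$rc"
            failed=$((failed + 1))
            SCANNER_FAILED="${SCANNER_FAILED:+$SCANNER_FAILED }$name"
        fi
    done
    printf '%s\n' '------------------------------------'
    printf 'Security scan complete: %d/%d scanners passed\n' \
        "$((total - failed))" "$total"
    [ "$failed" -eq 0 ] || printf 'Failed: %s\n' "$SCANNER_FAILED"
    return "$failed"
}

# security_full
#   Mirrors the Makefile's SECURITY_TOOLS list: each entry delegates to the
#   make target of the same name (assumed to exist, as in the issue).
security_full() {
    local make=${MAKE:-make} tool
    set --
    for tool in bandit safety pip-audit semgrep vulture dodgy dlint gitleaks osv-scan; do
        set -- "$@" "$tool:$make $tool"
    done
    run_scanners "$@"
}

# Command-line entry point: `--all` runs the Makefile list, otherwise each
# argument is a NAME:COMMAND pair. No arguments prints usage and exits 0.
case "${1-}" in
    --all) security_full ;;
    "")    printf 'usage: %s --all | NAME:COMMAND ...\n' "$0" ;;
    *)     run_scanners "$@" ;;
esac
```

With this in place the Makefile target reduces to `security-full: ; @scripts/security-scan.sh --all`, and the exit status of `make security-full` reflects the scanners instead of always being zero; `make -k` style continue-on-error is preserved because each tool still runs regardless of the ones before it.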
License Compliance Scanner

# help: license-scan - Check dependency licenses for compliance
.PHONY: license-scan
license-scan:
	@echo "Scanning licenses..."
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
		python3 -m pip install --quiet licensecheck && \
		licensecheck --zero --fails-only"
Complexity Analysis (security perspective)

# help: xenon - Check code complexity thresholds
.PHONY: xenon
xenon:
	@echo "Checking code complexity..."
	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
		python3 -m pip install --quiet xenon && \
		xenon --max-absolute B --max-modules B --max-average A mcpgateway"
Update the LINTERS List

Add these to the LINTERS variable:

LINTERS := isort flake8 pylint mypy bandit pydocstyle pycodestyle pre-commit \
	ruff pyright radon pyroma pyrefly spellcheck importchecker \
	pytype check-manifest markdownlint \
	semgrep safety vulture dodgy dlint interrogate prospector xenon
Key Recommendations

- Priority additions:
  - semgrep - Most comprehensive pattern-based scanner
  - safety - Critical for dependency vulnerabilities
  - gitleaks - Prevent credential exposure
- Consider adding to pre-commit:

# .pre-commit-config.yaml
- repo: https://github.com/returntocorp/semgrep
  rev: v1.45.0
  hooks:
    - id: semgrep
- repo: https://github.com/gitleaks/gitleaks
  rev: v8.18.0
  hooks:
    - id: gitleaks
- CI/CD Integration: These tools are particularly important in CI:
  - safety check
  - semgrep --config=auto
  - gitleaks detect
  - pip-audit
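The four CI-critical commands above, wired into a GitHub Actions workflow as an added example (this is not the project's workflow and is not from the issue). The file name, the Python version, installing the project with `pip install -e .`, and the use of `gitleaks/gitleaks-action` are assumptions; each step is its own job step so a failing scanner fails the job instead of being swallowed by `|| true`.

```yaml
# .github/workflows/security-scan.yml (assumed path) - added example, not project code
name: security-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # full history so gitleaks can scan past commits

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install project and scanners
        run: |
          python -m pip install --upgrade pip
          python -m pip install -e .
          python -m pip install pip-audit safety semgrep

      - name: pip-audit (known CVEs in the installed dependency set)
        run: pip-audit

      - name: safety (advisory database check)
        run: safety check

      - name: semgrep (pattern-based SAST; --error exits 1 on findings)
        run: semgrep scan --config auto --error mcpgateway tests

      - name: gitleaks (secrets in git history)
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Because the scanners run after `pip install -e .`, pip-audit sees the resolved versions the project actually pulls in rather than only the pinned top-level requirements; `fetch-depth: 0` matters because a shallow clone hides older commits from gitleaks.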