🧼CI/CD Security for Coding

Here, we are going to see how I personally manage my CI/CD pipeline for a Python project. The goal is to show you which tools, and which kinds of tools, to use to keep a clean and safe codebase.


Formatter

A code formatter is an automated tool that reformats source code according to predefined style guidelines and conventions. Its primary purpose is to standardize the formatting of code across a project or team, ensuring consistency in aspects like indentation, spacing, line breaks, and alignment. This standardization enhances code readability and maintainability by making the code visually appealing and easier to understand.

The Ruff code formatter from Astral is the one I recommend because it is written in Rust and extremely fast.


Linter

A linter is a static code analysis tool used to identify programming errors, bugs, stylistic errors, quality issues, and suspicious constructs in source code before it is executed or compiled. Modern linters are used across numerous programming languages and go beyond simple syntax checking. They analyze code for potential vulnerabilities, code smells, non-adherence to style guides and unsafe language features. These tools typically parse source code into tokens and build an Abstract Syntax Tree (AST) to perform checks against a predefined set of rules, providing feedback that helps improve code quality, consistency, and maintainability.

Personally, I use the Ruff linter for the same reasons as the formatter.


Security oriented static code analyser

A security-oriented static code analyzer, also known as Static Application Security Testing (SAST), is a specialized tool that examines an application's source code, bytecode, or binary code without executing it to identify potential security vulnerabilities and flaws. This methodology is a form of white-box testing, where the tool analyzes the code's structure and logic to detect risks such as injection flaws, insecure authentication, broken access control, hardcoded secrets and improper error handling. These tools use techniques like taint analysis and data flow analysis to trace potentially dangerous inputs through the code to vulnerable functions, flagging instances where user-controllable data is not properly sanitized. The goal is to proactively secure software by embedding security checks into the development process, reducing the cost and complexity of fixing issues later.

Here's what I use:


Dependencies scanner

A dependency scanner is a tool used to automatically identify, analyze, and secure software dependencies within an application to detect vulnerabilities, outdated libraries and potential security risks. It works by scanning the codebase for all open-source components and their versions, then cross-referencing them against known vulnerabilities in public databases like the National Vulnerability Database (NVD). This process, often referred to as Software Composition Analysis (SCA), helps organizations maintain a secure software supply chain by uncovering risks such as known security flaws, license compliance issues, and operational disruptions caused by unpatched dependencies. Tools like OWASP Dependency-Check, GitLab's dependency scanning and Aikido's SCA scanner exemplify this practice by using analyzers to gather evidence about dependencies, determine their Common Platform Enumeration (CPE) identifiers and generate reports linking to associated Common Vulnerabilities and Exposures (CVE) entries.

Here are some Python dependency scanners:


Secrets Scanner

A secrets scanner is a tool that automatically detects sensitive information such as API keys, credentials, tokens, and private certificates that may have been accidentally committed to a repository. These secrets, if exposed, can lead to severe security incidents including account takeovers, infrastructure compromise and data breaches. Secrets scanners work by analyzing file contents, Git history and configuration files using pattern matching, entropy analysis and customizable rules to detect both high-entropy random strings and known secret formats. Integrating a secrets scanner into CI/CD ensures sensitive data is caught before it ever reaches production or a public repository.

Here's one I strongly recommend:
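As an added example (not the author's own pipeline), here is a .gitlab-ci.yml that chains the five tool categories above for a Python project so that a violation in any of them fails the merge request. The Ruff commands are the tools the post names; the GitLab security templates, pip-audit, the requirements.txt path and the pinned versions are my assumptions.

```yaml
# Added example: CI gate for a Python project (formatter, linter, SAST, SCA, secrets).
# Tool choices other than Ruff are assumptions, not the author's.
stages:
  - format
  - lint
  - test          # GitLab's security templates place their jobs in "test"

include:
  # GitLab-managed templates: SAST, dependency scanning (SCA) and secret detection.
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

default:
  image: python:3.12-slim

variables:
  RUFF_VERSION: "0.8.0"      # example pin: same rules on every run, no silent upgrades

.ruff-base:
  before_script:
    - pip install --no-cache-dir "ruff==${RUFF_VERSION}"

format:
  stage: format
  extends: .ruff-base
  script:
    # --check never rewrites files in CI; any formatting diff fails the job
    - ruff format --check --diff .

lint:
  stage: lint
  extends: .ruff-base
  script:
    # Non-zero exit on any finding fails the job; the GitLab report format
    # feeds the merge-request Code Quality widget.
    - ruff check . --output-format=gitlab > gl-code-quality-report.json
  artifacts:
    when: always               # upload the report even when the job fails
    reports:
      codequality: gl-code-quality-report.json

pip-audit:
  stage: test
  script:
    - pip install --no-cache-dir pip-audit
    # --strict also fails when a dependency could not be audited at all
    - pip-audit -r requirements.txt --strict
```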
