I am a big fan of code scanning tools that help you improve the quality of your code base. I have already written about import-linter, which helps you adhere to your architecture by validating imports. Another great tool is bandit. It scans your Python code for common security problems. When I ran it on MembershipNerd, I got the following warning:
Test results:
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'secret'
Severity: Low Confidence: Medium
Location: ./src/testhelpers/users.py:10
More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
9
10 SUPERUSER = UserCredentials(email="admin@example.com", password="secret")
The scanner flagged this because a hard-coded value for a parameter named “password” could be a security issue. In this case it is not, because the file is only part of the test suite.
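To make the check concrete, here is an added example (not bandit's own code, and not from the original post) that re-implements the B106 heuristic with Python's ast module and runs it over a constructed snippet modelled on the flagged line. The keyword regex and the sample source are assumptions; the `# nosec` handling mirrors bandit's real suppression marker, which is how you accept a finding like the test-suite one deliberately.

```python
import ast
import re

# Parameter names treated as password-like. Bandit matches keyword names against
# a similar regex; this one is an assumption that approximates it.
PASSWORD_NAME = re.compile(r"(pas+wo?r?d|pass(phrase)?|pwd|token|secrete?)", re.IGNORECASE)


def find_hardcoded_password_args(source: str):
    """Return (lineno, keyword, value) for every call that passes a string
    literal to a password-like keyword argument.

    Lines carrying bandit's '# nosec' marker are skipped, so a reviewed
    finding (e.g. a test-only credential) can be accepted explicitly.
    """
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg is None:  # **kwargs expansion carries no name to inspect
                continue
            if not PASSWORD_NAME.search(kw.arg):
                continue
            # Only a string literal is a hard-coded secret; os.environ[...] or a
            # variable reference is exactly what we want to see instead.
            if isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str):
                if "# nosec" in lines[kw.value.lineno - 1]:
                    continue
                findings.append((kw.value.lineno, kw.arg, kw.value.value))
    return findings


# Constructed sample: line 3 mirrors the flagged test helper, line 4 is the same
# finding accepted with bandit's marker, line 5 reads the secret from the environment.
SAMPLE = '''\
from testhelpers import UserCredentials

SUPERUSER = UserCredentials(email="admin@example.com", password="secret")
CI_USER = UserCredentials(email="ci@example.com", password="secret")  # nosec B106
REAL_USER = UserCredentials(email="ops@example.com", password=os.environ["APP_PASSWORD"])
'''

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_password_args(SAMPLE):
        print(f"line {lineno}: possible hardcoded password in argument {name!r}: {value!r}")
```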
The great thing about bandit is that it has built-in support for common Python web frameworks, like Django and Flask, and templating engines, like Jinja2 and Mako. A complete list of the issues it can detect can be found in the bandit documentation.
I can highly recommend running bandit as part of your git pre-commit hook and your CI pipeline.
Thanks for reading (and sharing)! 🥳