I am a big fan of code-scanning tools that help you improve the quality of your codebase. I have already written about import-linter, which helps you enforce your architecture by validating imports. Another great tool is bandit. It scans your Python code for common security problems, such as hard-coded credentials, weak hash functions and unsafe deserialization. When I ran it on MembershipNerd, I got the following warning:
```
Test results:
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'secret'
   Severity: Low   Confidence: Medium
   Location: ./src/testhelpers/users.py:10
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
9
10	SUPERUSER = UserCredentials(email="email@example.com", password="secret")
```
The scanner flagged this line because a string literal is passed to an argument named `password`; a literal in that position usually means a real credential has been committed to source control. (A literal default in a function definition, `def login(password="secret")`, is reported separately as B107.) In this case, it is not an issue, because the credentials belong to a fixture in the test suite and are never used against a real system. The right way to handle such a justified false positive is to suppress that one finding rather than the whole check: bandit ignores a line that carries a `# nosec` comment, and newer versions let you restrict the marker to a specific test with `# nosec B106`, so the check stays active for the rest of the file. Keep in mind what the check does not see: a secret built by string concatenation, read from a variable or loaded from a config file is not a literal and will not be reported.
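To make concrete what B106 looks for, here is a small re-implementation of the idea behind the check, written for this post as an added example. It is not bandit's own code: bandit has its own plugin framework and assigns severity and confidence, which this sketch omits, although the argument-name pattern is modelled on bandit's. It walks the AST, reports string literals passed to password-like keyword arguments, and honours the per-line `# nosec` marker. The module it scans is constructed for the example; its fifth line mirrors the flagged fixture from MembershipNerd, and `UserCredentials` and `testhelpers` are assumed names.

```python
"""Simplified model of bandit's B106 (hardcoded_password_funcarg) check.

Added example for this post, not bandit's own code. The argument-name
pattern is modelled on bandit's, but severity/confidence scoring and the
plugin machinery are left out.
"""
import ast
import re
from dataclasses import dataclass

# Keyword-argument names that look like credentials (modelled on bandit's
# pattern: password, passwd, passphrase, pwd, token, secret, api_token, ...).
PASSWORD_ARG = re.compile(
    r"(^|_)(pas+wo?r?d|pass(phrase)?|pwd|token|secrete?)($|_)", re.IGNORECASE
)

# '# nosec' suppresses every finding on the line; '# nosec B106' only that test.
NOSEC = re.compile(r"#\s*nosec\b(?P<ids>[\sA-Z0-9,]*)")


@dataclass
class Finding:
    line: int
    arg: str
    value: str


def nosec_markers(source: str) -> dict[int, set[str]]:
    """Map line number -> set of suppressed test ids (empty set = all tests)."""
    markers: dict[int, set[str]] = {}
    for lineno, text in enumerate(source.splitlines(), start=1):
        m = NOSEC.search(text)
        if m:
            markers[lineno] = {t for t in re.split(r"[\s,]+", m.group("ids")) if t}
    return markers


def find_hardcoded_password_args(source: str) -> list[Finding]:
    """Report string literals passed to password-like keyword arguments."""
    markers = nosec_markers(source)
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            # kw.arg is None for a **mapping expansion; nothing to match on.
            if kw.arg is None or not PASSWORD_ARG.search(kw.arg):
                continue
            # Only a literal string is reported: a variable, os.environ[...]
            # or a concatenation goes unnoticed, exactly like bandit's check.
            if not (isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str)):
                continue
            # The nosec marker is looked up on the line where the call starts.
            suppressed = markers.get(node.lineno)
            if suppressed is not None and (not suppressed or "B106" in suppressed):
                continue
            findings.append(Finding(node.lineno, kw.arg, kw.value.value))
    return sorted(findings, key=lambda f: f.line)


def report(source: str) -> list[str]:
    """Render findings in the style of bandit's console output."""
    return [
        f">> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded "
        f"password: '{f.value}' (line {f.line}, argument '{f.arg}')"
        for f in find_hardcoded_password_args(source)
    ]


# Constructed sample module (hypothetical names); line 5 mirrors the flagged fixture.
SAMPLE = '''\
import os
from testhelpers import UserCredentials

# the line bandit reported in src/testhelpers/users.py
SUPERUSER = UserCredentials(email="email@example.com", password="secret")

# same fixture, finding suppressed for this one line and this one test
STAFF = UserCredentials(email="staff@example.com", password="secret")  # nosec B106

# not reported: the value is an expression, not a string literal
ADMIN = UserCredentials(email="admin@example.com", password=os.environ["ADMIN_PW"])

# not B106: a literal default in a *definition* is bandit's separate B107 check
def connect(host, password="changeme"):
    return host
'''

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Running the module prints a single finding for line 5 of the sample: the suppressed fixture, the value read from the environment and the default in the `def` are all passed over, which is the behaviour you should expect from bandit itself for those three patterns.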
The great thing about bandit is that it has built-in support for common Python web frameworks, like Django and Flask, and templating engines, like Jinja2 and Mako: it knows, for example, that `debug=True` on a Flask app or a Jinja2 environment with autoescaping disabled is risky. A complete list of issues that it can detect can be found in the
I can highly recommend running bandit as part of your git pre-commit hook and your CI pipeline. In CI, run it recursively over the source tree (`bandit -r src`): it exits with a non-zero status when it finds issues, so the build fails automatically, and if low-severity noise becomes a problem, `-ll` limits the report to findings of medium severity and above.