Scanning Python code for security issues via Snyk: the ‘industrial strength’ option


note: I am not at all affiliated with Snyk - just a fan of its quality features.


Snyk is a code scanning tool capable of detecting OWASP (Open Worldwide Application Security Project) issues, using CWE (Common Weakness Enumeration) identifiers of the form CWE-NN to classify each code security issue it reports.


At time of writing, there is a free plan for individuals and small teams: https://snyk.io/plans/


Snyk supports many languages - here is the section for Python:


To add a Python repository to Snyk for scanning:


  • The project must have a setup.py and setup.cfg file, describing the project and its dependencies.

Note: setup.py and setup.cfg files are normally the modern way to describe how your code is released as a Python package (for example, to publish on pypi.org). However, even if you do not intend to publish your code as a package, I found it necessary to add these files.

Otherwise, I found Snyk does not recognise the project as a Python project.


A minimal setup.cfg file:


[egg_info]
egg_base = .

[tool:pytest]
testpaths = .


note:

  • the [egg_info] section specifies where the ‘egg package’ metadata is written at build time

  • the [tool:pytest] section specifies where to look for unit tests


A minimal setup.py file, including the dependencies of the project:


import io
from setuptools import find_packages
from setuptools import setup

# The README becomes the long description shown on the package index.
with io.open("README.md", "rt", encoding="utf8") as f:
    readme = f.read()

setup(
    name="my-app",
    description="My wonderful Python project.",
    long_description=readme,
    packages=find_packages(),
    include_package_data=True,
    zip_safe=False,
    # Runtime dependencies go here; the scanner reads these pins.
    install_requires=[],
    # Development-only dependencies, installed with `pip install -e .[dev]`.
    extras_require={"dev": ["flake8==6.1.0", "pyvan==1.2.2"]},
)
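The two files above are the ones the post found necessary for Snyk to treat a repository as a Python project. As an added example (not code from the post, and not Snyk's own detection logic), the following preflight script checks a project directory for both files, verifies that setup.cfg carries the [egg_info] and [tool:pytest] sections shown above, and flags dependency specs that are not pinned to an exact version, since an unpinned dependency means the scanned and the deployed versions can differ. The sample file contents and dependency list are constructed for the demonstration, and the function names (`preflight`, `check_setup_cfg`, `unpinned`, `make_sample_project`) are my own.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Constructed sample content (not from the post's project), matching the
# minimal setup.cfg shown above.
SAMPLE_SETUP_CFG = """\
[egg_info]
egg_base = .

[tool:pytest]
testpaths = .
"""

# Constructed dependency list: two exact pins and one deliberately unpinned entry.
SAMPLE_REQUIREMENTS = ["flake8==6.1.0", "pyvan==1.2.2", "requests"]

# Matches an exact pin such as "flake8==6.1.0"; anything else counts as unpinned.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*[^\s;]+\s*$")

# Sections (and the key each must carry) that the minimal setup.cfg above provides.
REQUIRED_SECTIONS = {"egg_info": "egg_base", "tool:pytest": "testpaths"}


def check_setup_cfg(text: str) -> list[str]:
    """Return the problems found in setup.cfg content (an empty list means OK)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    problems = []
    for section, key in REQUIRED_SECTIONS.items():
        if not parser.has_section(section):
            problems.append(f"setup.cfg: missing [{section}] section")
        elif not parser.has_option(section, key):
            problems.append(f"setup.cfg: [{section}] lacks '{key}'")
    return problems


def unpinned(requirements: list[str]) -> list[str]:
    """Return the requirement specs that are not pinned to an exact version."""
    return [r for r in requirements if not PIN_RE.match(r)]


def preflight(project_dir: Path, requirements: list[str]) -> list[str]:
    """Collect everything that would stop a clean, reproducible scan of project_dir."""
    problems = []
    for name in ("setup.py", "setup.cfg"):
        if not (project_dir / name).is_file():
            problems.append(f"missing {name}")
    cfg = project_dir / "setup.cfg"
    if cfg.is_file():
        problems.extend(check_setup_cfg(cfg.read_text(encoding="utf8")))
    problems.extend(f"unpinned dependency: {r}" for r in unpinned(requirements))
    return problems


def make_sample_project(with_cfg: bool = True) -> Path:
    """Create a throwaway project directory populated with the constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="preflight-"))
    (root / "setup.py").write_text(
        "from setuptools import setup\nsetup(name='my-app')\n", encoding="utf8"
    )
    if with_cfg:
        (root / "setup.cfg").write_text(SAMPLE_SETUP_CFG, encoding="utf8")
    return root


if __name__ == "__main__":
    # On the complete sample project only the unpinned "requests" entry is reported.
    for line in preflight(make_sample_project(), SAMPLE_REQUIREMENTS):
        print(line)
```

Run it before pushing a repository to the scanner: an empty result means both files are present and every dependency is pinned, so the versions Snyk reports against are the versions you actually ship. The dependency list is passed in explicitly because reading it out of setup.py would require executing that file.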


Further reading about setup.py and setup.cfg files:


https://packaging.python.org/en/latest/guides/distributing-packages-using-setuptools/


Good luck with your scanning!


