
Source code analysis using Semgrep

Open mmadil opened this issue 4 years ago • 3 comments

Why was this change necessary?

I have been using django-init to kickstart most of my Django projects. In addition, I add a layer of security to my projects using semgrep - an easy-to-use static analysis tool. It is highly configurable and customizable. I think adding it here will enhance the security of downstream django-init users.

Just a way of saying - Thank you! :+1:

How does it address the problem?

The bare-bone django-init template is amazing and follows security best practices. The real pain starts when developers start developing their applications. The added rules (for Python, Django, and secrets detection) ensure that the downstream users also build secure and performant applications. Examples:

  • There is a rule to use the count method (over len) to determine the number of records - improves performance.
  • There is a rule for avoiding insecure deserialization - improves security.
  • There is a rule to avoid usage of template variables in script tags - this is addressed here - https://github.com/Fueled/django-init/commit/c2dbf11596704f0c80c8f2cca2e70f080747f651

The rules for secret detection ensure that sensitive keys do not get leaked through git history.

Are there any side effects?

I have tested it a few times, none so far.

PS: This feature is optional, and users can enable it along with pre-commit hooks.

mmadil, Oct 21 '21 18:10
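Three custom rules of the kind the post describes, written here as an added example; this is not the PR's own configuration, and the rule ids, messages and patterns are my own. The first two are plain Python patterns. The third uses Semgrep's generic mode to look into Django templates, which is an approximation: it only matches a bare `<script>` tag (a tag with attributes needs a second pattern), and generic-mode `...` only spans a limited number of lines, so validate it with `semgrep --validate --config .semgrep.yml` and a `--test` fixture before relying on it.

```yaml
# .semgrep.yml: project-local rules, run alongside the registry rulesets, e.g.
#   semgrep --config p/python --config p/django --config p/secrets --config .semgrep.yml .
# Example rules written for this thread, not django-init's own file.
rules:
  - id: django-init-insecure-deserialization
    languages: [python]
    severity: ERROR
    message: >-
      pickle/marshal execute attacker-controlled bytecode on load. Never
      unpickle data from a request, cache or queue you do not fully trust;
      prefer json.loads() with an explicit schema.
    pattern-either:
      - pattern: pickle.loads(...)
      - pattern: pickle.load(...)
      - pattern: marshal.loads(...)
      - pattern: marshal.load(...)

  - id: django-init-len-on-queryset
    languages: [python]
    severity: WARNING
    message: >-
      len() evaluates the QuerySet and loads every row into memory just to
      count it. Use .count(), which issues SELECT COUNT(*), unless the same
      queryset is iterated right afterwards (then len() saves a query).
    pattern-either:
      - pattern: len($MODEL.objects.all())
      - pattern: len($MODEL.objects.filter(...))
      - pattern: len($MODEL.objects.exclude(...))

  # Django's autoescaping is HTML escaping, not JavaScript escaping: a value
  # rendered inside <script> can close a JS string or the tag itself. The
  # safe route is {{ value|json_script:"my-id" }} outside the script block,
  # then JSON.parse(document.getElementById("my-id").textContent).
  - id: django-init-template-var-in-script
    languages: [generic]
    paths:
      include:
        - "*.html"
    severity: ERROR
    message: >-
      Template variable rendered inside a <script> block; pass it through
      the json_script filter and read it from the DOM instead.
    pattern: "<script> ... {{ ... }} ... </script>"
```

Keeping these in `.semgrep.yml` next to the registry rulesets means one `--config .semgrep.yml` flag picks them up from pre-commit, `make lint` and CI alike; the registry rules cover the generic cases, the local file carries the project-specific ones.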

Looks interesting. We'll try it out! Thanks!

CuriousLearner, Oct 21 '21 18:10

Thanks, @mmadil for the kind words and for writing a detailed explanation. There are a few things I would like enhanced in this PR.

  • Move the semgrep config to a .semgrep.yml file so it can be run from anywhere.
  • Add a CI level check for GitHub actions in .github/workflows/
  • Add .venv to the --exclude option
  • Change cookiecutter variable to say something like add_static_analysis_with_semgrep
  • Add the check command to the make lint command as well.

Really appreciate you taking the time to submit this PR. Cheers! 🎉

theskumar, Oct 22 '21 13:10
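A CI check of the shape requested above, written for this thread as an added example rather than taken from the PR. The registry ruleset ids (p/python, p/django, p/secrets), the `.semgrep.yml` path, the action versions and the branch name are assumptions; adjust them to the project.

```yaml
# .github/workflows/semgrep.yml (example written for this thread; not the PR's file)
name: semgrep

on:
  push:
    branches: [main]
  pull_request:

jobs:
  semgrep:
    name: Static analysis with Semgrep
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"

      # Pin semgrep (here or in the dev requirements) so an engine upgrade
      # cannot silently change what CI accepts.
      - run: python -m pip install semgrep

      # --error turns findings into a non-zero exit, which is what makes this
      # a gate; --exclude keeps the virtualenv and vendored JS out of the scan;
      # the project's own .semgrep.yml rides alongside the registry rulesets.
      - name: semgrep
        run: >-
          semgrep --config p/python --config p/django --config p/secrets
          --config .semgrep.yml
          --exclude .venv --exclude node_modules
          --error --metrics=off .
```

The same flags belong in `make lint` and in the pre-commit hook's `args`, so the three entry points cannot drift apart; the least duplication is to put the command in the Makefile target and have the workflow call `make lint`. One caveat on the secrets rules: they flag keys in the files being scanned at commit time, which stops new leaks, but a key already committed in earlier history is not found by a scan of the working tree and still has to be rotated and purged separately.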

Hey @theskumar, I was looking into the semgrep config part. AFAIK the .semgrep.yml file allows us to write custom rules and then use it. So it is not a configuration file of sorts.

Since we are using the semgrep registry to pull in the latest rules, how should I proceed with this?

Should I add a shell script to run with the desired config or rely on make lint?

make lint will have all the config mentioned:

https://github.com/Fueled/django-init/blob/1a432d7d0c20913fd5c953c2ea3c35e867949318/%7B%7Bcookiecutter.github_repository%7D%7D/.pre-commit-config.yaml#L36-L43

mmadil, Oct 24 '21 10:10