pygraphistry
Setup regular security audits with bandit
Background
Issue #801 recommended adding security scanning to catch potential vulnerabilities in Python code.
Proposed Tool: Bandit
Bandit is a security linter designed to find common security issues in Python code:
- SQL injection vulnerabilities
- Use of insecure functions (eval, exec, pickle)
- Hardcoded passwords/secrets
- Insecure temp file usage
- Weak cryptographic algorithms
Implementation Options
Option 1: Add to CI/CD (Recommended)
Add a bandit step to the GitHub Actions workflow:

```yaml
- name: Security scan with bandit
  run: |
    pip install bandit
    bandit -r graphistry/ -ll  # Only show medium/high severity
```
Option 2: Pre-commit Hook
Add to .pre-commit-config.yaml:

```yaml
- repo: https://github.com/PyCQA/bandit
  rev: 1.7.5
  hooks:
    - id: bandit
      args: ['-ll']  # Only medium/high severity
```
Option 3: Manual Periodic Audits
Run manually before releases:

```shell
bandit -r graphistry/ -f html -o security-report.html
```
Baseline & Configuration
On first run, establish a baseline and configure exceptions in .bandit:

```yaml
exclude_dirs:
  - /tests/
  - /versioneer.py
skips:
  - B101  # assert_used - we use asserts in tests
  - B601  # paramiko_calls - if we use paramiko intentionally
```
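The CI option and the baseline section both come down to one policy: fail only on findings at or above a chosen severity, minus the test IDs the project has deliberately skipped, minus findings already accepted in a baseline. The script below is an added example (not pygraphistry code, and not part of bandit) that applies that policy to bandit's `-f json` output, so the same rules can be enforced in CI that a reviewer applies when reading the HTML report. The sample report, the file names under `graphistry/` and the `gate`/`summarize` helper names are constructed for this example; the result fields (`filename`, `line_number`, `test_id`, `issue_severity`, `issue_text`) are the ones bandit's JSON formatter emits.

```python
"""Gate a CI job on bandit's JSON report (hypothetical helper, not bandit's own).

Typical use:
    bandit -r graphistry/ -f json -o bandit.json
    python bandit_gate.py bandit.json            # exit 1 on new MEDIUM/HIGH findings
"""
import json
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Ordering used by bandit's -l/-ll/-lll switches.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample of bandit's `-f json` output. The shape matches the
# real formatter; the findings and file names are made up for this example.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "graphistry/example_a.py", "line_number": 12,
         "test_id": "B101", "test_name": "assert_used",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected."},
        {"filename": "graphistry/example_b.py", "line_number": 40,
         "test_id": "B105", "test_name": "hardcoded_password_string",
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "issue_text": "Possible hardcoded password: 'changeme'"},
        {"filename": "graphistry/example_c.py", "line_number": 77,
         "test_id": "B301", "test_name": "pickle",
         "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
         "issue_text": "Pickle can be unsafe when used to deserialize untrusted data."},
        {"filename": "graphistry/example_d.py", "line_number": 9,
         "test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified."},
    ]
})


def load_findings(report_json: str) -> List[dict]:
    """Parse a bandit JSON report and return its `results` list."""
    return json.loads(report_json).get("results", [])


def finding_key(finding: dict) -> Tuple[str, str, int]:
    """Identity used to match a finding against the baseline.

    Keyed on file, test ID and line, so a finding that moves to another line
    resurfaces as new. Bandit's own `-b` baseline matches on a hash of the
    offending code instead, which survives line shifts; this is the simpler
    variant for illustration.
    """
    return (finding["filename"], finding["test_id"], finding["line_number"])


def gate(report_json: str, min_severity: str = "MEDIUM",
         skips: Iterable[str] = (), baseline_json: Optional[str] = None) -> List[dict]:
    """Return the findings that should fail the build.

    min_severity mirrors -ll (MEDIUM and above), skips mirrors the `skips`
    list of the config file, and baseline_json is an earlier report whose
    findings have already been accepted.
    """
    min_rank = SEVERITY_RANK[min_severity]
    skipped = set(skips)
    accepted = {finding_key(f) for f in load_findings(baseline_json)} if baseline_json else set()
    failing = []
    for finding in load_findings(report_json):
        if finding["test_id"] in skipped:
            continue
        if SEVERITY_RANK[finding["issue_severity"]] < min_rank:
            continue
        if finding_key(finding) in accepted:
            continue
        failing.append(finding)
    return failing


def summarize(findings: Iterable[dict]) -> Dict[str, int]:
    """Count findings per severity, always reporting all three levels."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for finding in findings:
        counts[finding["issue_severity"]] += 1
    return counts


def main(argv: List[str]) -> int:
    report_path = argv[1] if len(argv) > 1 else None
    report = open(report_path).read() if report_path else SAMPLE_REPORT
    baseline = open(argv[2]).read() if len(argv) > 2 else None
    failing = gate(report, min_severity="MEDIUM", skips=["B101", "B601"], baseline_json=baseline)
    for f in failing:
        print(f"{f['filename']}:{f['line_number']} {f['test_id']} [{f['issue_severity']}] {f['issue_text']}")
    print("summary:", summarize(failing))
    return 1 if failing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments it gates the embedded sample (two findings, B301 and B602, survive the MEDIUM cut-off and the B101/B601 skips); pass the real report path, and optionally a baseline report, to gate a CI job. One caveat on the config file above: the `exclude_dirs`/`skips` keys are the YAML configuration that bandit reads when given `-c bandit.yaml`, whereas the auto-discovered `.bandit` file is INI-style (`[bandit]` section with `exclude` and `skips`), so pick the file name to match the syntax you use.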
Priority
Long-term improvement (not urgent)
Related Issues
- #801 - Original issue recommending this improvement
🤖 Generated with Claude Code