
Add phylum-ci

Status: Open. maxrake opened this issue 3 years ago · 0 comments

The phylum-ci hook uses phylum to provide analysis of project dependencies from a lockfile during a commit containing that lockfile. The hook will fail and provide a report if any of the newly added/modified dependencies from the commit fail to meet the project risk thresholds for any of the five Phylum risk domains:

  • Malicious Code
  • Software Vulnerabilities
  • Authorship Risk & Reputation
  • License Misuse
  • Engineering Risk

See Phylum Risk Domains documentation for more detail.

The hook will be skipped if no dependencies were added or modified for a given commit. If one or more dependencies are still processing (no results available), then the hook will only fail if dependencies that have completed analysis results do not meet the specified project risk thresholds.

Relevant links for phylum-ci:

Links for Phylum:

NOTE: Adding this hook here was purposefully delayed until the Phylum Community Edition was released. This is a free version that allows for up to five (5) projects. Using this hook will allow developers to shift their security further left, ensuring bad open source software dependencies are not committed to their repository.

maxrake · Aug 23 '22 17:08
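As an added illustration of the gating rules the issue above describes (skip when the commit adds or modifies no dependencies, ignore still-processing dependencies, fail only when a dependency with completed results misses a project threshold in one of the five risk domains), here is a small Python model of that logic. This is example code written for this page, not phylum-ci's or Phylum's own implementation: the `name==version` lockfile shape, the snake_case domain keys, the 0.0 to 1.0 score scale, the threshold values and the package names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five Phylum risk domains listed in the issue. The key names, the
# 0.0-1.0 "higher is safer" scale and the thresholds below are assumptions
# made for this illustration, not Phylum's real API or scoring model.
RISK_DOMAINS = (
    "malicious_code",
    "vulnerabilities",
    "author_reputation",
    "license_misuse",
    "engineering_risk",
)


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str


@dataclass(frozen=True)
class Analysis:
    """Analysis for one dependency; scores is None while analysis is still processing."""
    dep: Dependency
    scores: Optional[Dict[str, float]]  # domain -> score in [0.0, 1.0] (assumed scale)

    @property
    def complete(self) -> bool:
        return self.scores is not None


def parse_lockfile(text: str) -> Dict[str, Dependency]:
    """Parse a constructed 'name==version' lockfile (one entry per line) into name -> Dependency."""
    deps: Dict[str, Dependency] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        deps[name.strip()] = Dependency(name.strip(), version.strip())
    return deps


def changed_dependencies(old_lockfile: str, new_lockfile: str) -> List[Dependency]:
    """Dependencies the commit adds or modifies. Removals alone do not trigger the hook."""
    before = parse_lockfile(old_lockfile)
    after = parse_lockfile(new_lockfile)
    return [
        dep for name, dep in after.items()
        if name not in before or before[name].version != dep.version
    ]


def failing_domains(analysis: Analysis, thresholds: Dict[str, float]) -> List[str]:
    """Domains whose score falls below the project threshold (empty list means the dependency passes)."""
    assert analysis.scores is not None
    return [d for d in RISK_DOMAINS if analysis.scores[d] < thresholds[d]]


def gate_commit(
    old_lockfile: str,
    new_lockfile: str,
    analyses: Dict[Dependency, Analysis],
    thresholds: Dict[str, float],
) -> Tuple[int, List[str]]:
    """Decide the hook outcome: (exit_code, report). Exit 0 means pass or skip, 1 means fail.

    - No added/modified dependencies: skipped, exit 0.
    - A dependency with no completed result is reported as processing and never fails the hook.
    - Exit 1 only when a dependency with completed results misses a threshold.
    """
    changed = changed_dependencies(old_lockfile, new_lockfile)
    if not changed:
        return 0, ["skipped: no dependencies added or modified"]
    report: List[str] = []
    failed = False
    for dep in changed:
        analysis = analyses.get(dep)
        if analysis is None or not analysis.complete:
            report.append(f"{dep.name}=={dep.version}: analysis still processing, no result yet")
            continue
        bad = failing_domains(analysis, thresholds)
        if bad:
            failed = True
            report.append(f"{dep.name}=={dep.version}: FAIL ({', '.join(bad)})")
        else:
            report.append(f"{dep.name}=={dep.version}: ok")
    return (1 if failed else 0), report


# Constructed sample input: fictional packages, one modified, one newly added.
OLD_LOCK = "alpha-lib==2.0.0\nbeta-tool==1.1.0\n"
NEW_LOCK = "alpha-lib==2.0.0\nbeta-tool==1.2.0\ngamma-util==0.0.1\n"
THRESHOLDS = {d: 0.6 for d in RISK_DOMAINS}
SAMPLE_ANALYSES = {
    # beta-tool 1.2.0 is still being analysed: no scores yet.
    Dependency("beta-tool", "1.2.0"): Analysis(Dependency("beta-tool", "1.2.0"), None),
    # gamma-util has completed analysis and fails the malicious-code threshold.
    Dependency("gamma-util", "0.0.1"): Analysis(
        Dependency("gamma-util", "0.0.1"),
        {"malicious_code": 0.1, "vulnerabilities": 0.9, "author_reputation": 0.8,
         "license_misuse": 0.95, "engineering_risk": 0.7},
    ),
}


if __name__ == "__main__":
    code, lines = gate_commit(OLD_LOCK, NEW_LOCK, SAMPLE_ANALYSES, THRESHOLDS)
    print("\n".join(lines))
    raise SystemExit(code)
```

The one subtle rule is the last branch: a missing or incomplete analysis is treated the same way (reported, not failed), which is what the issue means by the hook failing only on dependencies that have completed results. A real hook would also need to map the lockfile's ecosystem and the commit's parent revision, which this model leaves out.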