Revision as of 19:27, 8 April 2015

Overview

Bandit provides a framework for performing security analysis of Python source code, utilizing the ast module from the Python standard library.

The ast module is used to convert source code into a parsed tree of Python syntax nodes. Bandit allows users to define custom tests that are performed against those nodes. At the completion of testing, a report is generated that lists security issues identified within the target source code.
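To make the node-based approach above concrete, here is a small stand-alone checker written for this page in the style of a Bandit test; it is an added example, not Bandit's own code or its plugin interface. It parses Python source with the standard-library ast module, runs each "test" function over every node, and collects the findings into a report. The Issue class, the test ids X001/X002, the TESTS registry and the SAMPLE target source are all constructed for the illustration.

```python
import ast
from dataclasses import dataclass

@dataclass
class Issue:  # one finding in the report (hypothetical shape, not Bandit's)
    test_id: str
    severity: str
    lineno: int
    message: str

def check_shell_true(node):
    """Flag subprocess.<f>(..., shell=True): the classic command-injection sink."""
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "subprocess"):
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                return Issue("X001", "HIGH", node.lineno,
                             "subprocess call with shell=True")
    return None

def check_eval(node):
    """Flag the builtin eval(): it executes whatever string it is handed."""
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "eval"):
        return Issue("X002", "MEDIUM", node.lineno, "use of eval()")
    return None

TESTS = [check_shell_true, check_eval]  # hypothetical test registry
def scan_source(source):
    """Parse, run every test on every node, return findings sorted by line."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        for test in TESTS:
            found = test(node)
            if found is not None:
                issues.append(found)
    return sorted(issues, key=lambda i: i.lineno)

# Constructed target: lines 3 and 5 should be reported, line 7 is clean.
SAMPLE = '''\
import subprocess
def run(cmd):
    return subprocess.check_output(cmd, shell=True)
def calc(expr):
    return eval(expr)
def safe(cmd):
    return subprocess.check_output(["ls", cmd])
'''
```

Calling scan_source(SAMPLE) returns the two findings for lines 3 and 5 and nothing for the list-argument call on line 7, which is the report a gate job would fail on.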

Bandit is currently a stand-alone tool which can be downloaded by end-users and run against arbitrary source code. As it matures and is proven to be useful, we see it being a possible addition to OpenStack CI gate tests with non-voting and eventually voting capabilities.

Bandit can be obtained by cloning the repository at https://git.openstack.org/stackforge/bandit.git. The README.md file contains documentation regarding installation, usage, and configuration.

Contributing

Bandit makes use of the OpenStack CI infrastructure provided through StackForge:

An easy way to contribute is to write a plugin/test that will allow Bandit to identify more security issues. Extensions and improvements to the underlying framework are also welcomed, although we'll be attempting to maintain stability in the interface that is presented to plugins.

See Development Workflow (http://docs.openstack.org/infra/manual/developers.html#development-workflow) for information on the general contribution/review workflow.

Gate Testing with Bandit

Bandit can help maintain the security of OpenStack projects when it's used as a gate test. Projects such as Keystone have created a gate test which runs Bandit to ensure that common security code mistakes are not introduced when code is modified.

To set up a Bandit gate test for an OpenStack project, follow these steps:

  1. Add a Bandit config for your project. For example, Keystone currently uses this one in their gate: bandit.yaml (https://review.openstack.org/#/c/157930/6/bandit.yaml)
  2. Add a test-requirements-bandit.txt file. This file is only needed temporarily because Bandit is not yet listed in global-requirements. Here's an example in Keystone: test-requirements-bandit.txt (https://review.openstack.org/#/c/171772/2/test-requirements-bandit.txt)
  3. Add a tox environment to run Bandit. Keystone's is the [testenv:bandit] section of its tox.ini (https://review.openstack.org/#/c/171772/2/tox.ini)
  4. Modify the "check" section of your project in OpenStack infra to run Bandit as a check. For an example see this change: Keystone Bandit infra change (https://review.openstack.org/#/c/170569/2/zuul/layout.yaml)

Steps 1-3 should be done in one commit for your project, and step 4 will be a separate commit for infra. If you have any questions or comments please contact tmcpeak in #openstack-security on Freenode IRC.

TODO

TODO is now tracked using blueprints in Launchpad: https://blueprints.launchpad.net/bandit

Team

Bandit is a project from the OpenStack Security Group.

Core project team:

  • Jamie Finnigan (chair6)
  • Travis McPeak (tmcpeak)
  • Nathan Kinder (nkinder)
  • Tim Kelsey (tkelsey)
  • Lucas Fisher (ljfisher)