Skip to content

Commit 69c264b

Browse files
veitveit
committed
📝 Update security
* Add anchor for GitHub Actions
1 parent 034d37e commit 69c264b

2 files changed

Lines changed: 20 additions & 37 deletions

File tree

docs/productive/envs/uv/cicd.rst

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,8 @@ Line 23
4646
* `Using uv in GitLab CI/CD
4747
<https://docs.astral.sh/uv/guides/integration/gitlab/>`_
4848

49+
.. _github-actions:
50+
4951
GitHub Actions
5052
--------------
5153

docs/productive/security.rst

Lines changed: 18 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -71,10 +71,10 @@ Are the dependencies still maintained?
7171
Risk: High
7272

7373
This indicates possible unpatched security vulnerabilities. Therefore, it should
74-
be checked regularly whether a project has been archived. Conversely, the OSSF
75-
scorecard assumes that with at least one commit a week for 90 days, the project
76-
is very actively maintained. However, a lack of active maintenance is not
77-
necessarily always a problem: smaller utilities in particular usually do not
74+
be checked regularly whether a project has been archived. Conversely, the
75+
OpenSSF scorecard assumes that with at least one commit a week for 90 days, the
76+
project is very actively maintained. However, a lack of active maintenance is
77+
not necessarily always a problem: smaller utilities in particular usually do not
7878
need to be maintained, or only very rarely. So a lack of active maintenance only
7979
tells you that you should investigate the situation more closely.
8080

@@ -126,24 +126,13 @@ with their :ref:`SPDX <standard_format_licensing>` licence identifier followed
126126
by an appropriate file extension as described in the :ref:`REUSE <reuse>`
127127
specification.
128128

129-
Are the best practices of the :abbr:`OpenSSF (Open Source Security Foundation)` being followed?
130-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
129+
OpenSSF Best Practices Badge
130+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
131131

132132
Risk: Low
133133

134-
The `Open Source Security Foundation (OpenSSF) Best Practices Program
135-
<https://github.com/ossf/wg-best-practices-os-developers/>`_ includes a set of
136-
security-oriented best practices for open source software development:
137-
138-
* the vulnerability reporting procedure is published on the project page
139-
* a working build system automatically rebuilds the software from source code
140-
* a general policy that tests are added to an automated test suite when
141-
important new features are added
142-
* various cryptography criteria are met, if applicable
143-
* at least one static code analysis tool applied to each planned major
144-
production release
145-
146-
You can also get a corresponding badge with the `OpenSSF Best Practices Badge Program <https://www.bestpractices.dev/en>`_.
134+
You can also get a corresponding badge with the `OpenSSF Best Practices Badge
135+
Program <https://www.bestpractices.dev/en>`_.
147136

148137
Continuous testing
149138
------------------
@@ -156,6 +145,9 @@ Risk: Low
156145
Before code is merged into pull or merge requests, tests should be performed to
157146
help detect errors early and reduce the number of vulnerabilities in a project.
158147

148+
.. seealso::
149+
* :ref:`coverage-github-actions`
150+
159151
Does the project use fuzzing tools?
160152
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
161153

@@ -172,31 +164,20 @@ find the same vulnerabilities.
172164
* Is `ClusterFuzzLite <https://google.github.io/clusterfuzzlite/>`_ used in the
173165
repository?
174166
* Are custom language-specific fuzzing features present in the repository, for
175-
example with `atheris <https://pypi.org/project/atheris/>`_ or `OneFuzz
176-
<https://github.com/microsoft/onefuzz>`_?
167+
example with `atheris <https://pypi.org/project/atheris/>`_?
177168

178169
Does your project use static code analysis tools?
179170
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
180171

181172
Risk: Medium
182173

183-
`Static code analysis <https://en.wikipedia.org/wiki/Static_program_analysis>`_
184-
tests the source code before the application is executed. This can prevent known
185-
bug classes from being accidentally introduced into the code base.
186-
187-
.. _bandit:
188-
189-
To check for vulnerabilities, you can use `bandit
190-
<https://github.com/PyCQA/bandit>`__, which you can also integrate into your
191-
:file:`.pre-commit-hooks.yaml`:
192-
193-
.. code-block:: yaml
174+
:term:`Static test procedures` test the source code before the application is
175+
run. This can prevent known types of errors from being inadvertently introduced
176+
into the codebase.
194177

195-
repos:
196-
- repo: https://github.com/PyCQA/bandit
197-
rev: '1.7.5'
198-
hooks:
199-
- id: bandit
178+
To check for vulnerabilities, you can use `Bandit
179+
<https://github.com/PyCQA/bandit>`__ with :doc:`qa/ruff`, which you can also
180+
integrate into Jupyter Notebooks, IDEs and the pre-commit framework.
200181

201182
You can also use :doc:`/productive/qa/pysa` for `taint
202183
<https://en.wikipedia.org/wiki/Taint_checking>`_ analyses.

0 commit comments

Comments
 (0)