evrone/evrone-django-template

Replace safety to alternative vulnerability scanner

Closed this issue · 4 comments

Reasoning:

  • The command `safety check` is deprecated. The alternative command `safety scan` requires authorization to the Safety platform
  • Supports only Python, while alternatives support many languages, allowing one config to be created for most company projects
  • safety does not officially support the latest Python versions (setup.cfg)
  • Has heavy dependencies like pydantic, Click, jinja2, which are usually installed as production dependencies in Python-based projects
  • Among the alternative scanners on GitHub, trivy is the most starred

Below is tool comparison with attached output (tested on worklogs-toggl):

  • safety - current option; the command `safety check` with config `.safety-policy.yml` has been run.
  • trivy - command `docker run -v /var/run/docker.sock:/var/run/docker.sock -v .:/app aquasec/trivy:0.57.0 repo /app --db-repository public.shturval.tech/trivy-db`. Has issues pulling from ghcr.io, which is why an alternative registry is necessary.
  • dep-scan - command `docker run --rm -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports`. The most detailed and "deep" scan. Shows issues with both Python dependencies and Docker images. Also scans dependencies of dependencies. Has a GitHub Action behind a paywall, but the action could easily be copied and used for free.
  • pip-audit - command `pip-audit`. Output is mostly the same as for safety.

A pre-commit hook could be implemented similarly:

```yaml
- id: trivyconfig-docker
  name: trivyconfig-docker
  entry: aquasec/trivy:0.56.2 config --cache-dir /src/.pre-commit-trivy-cache --exit-code 1
  language: docker_image
  pass_filenames: false
```

I suggest using vulnerability checks only on CI and optionally at the pre-commit level. Polluting the local virtual environment is harmful, and these checks should not be executed as often as linters, for example.

  • trivy.log
  • dep-scan.log
  • pip-audit.log
  • safety.log
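As an added example (not part of the issue or of the template), here is a GitHub Actions workflow that follows the suggestion above: the scanners run only on CI, in an isolated environment, and fail the job on findings. The requirements.txt path, the Python version and the severity threshold are assumptions; the trivy command and mirror are the ones quoted in the issue.

```yaml
name: dependency-audit

on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly re-scan: new advisories appear without code changes

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumption: match the project's interpreter
      # Install the scanner into its own venv so it never lands in the
      # project's environment (assumption: a requirements.txt is present;
      # point -r at your exported lock file otherwise).
      - name: Run pip-audit against the locked requirements
        run: |
          python -m venv .audit-venv
          .audit-venv/bin/pip install --quiet pip-audit
          .audit-venv/bin/pip-audit --strict --desc -r requirements.txt

  trivy-repo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Same scan as in the issue; --exit-code 1 fails the job on findings
      # and --severity (assumed threshold) keeps low-severity noise out of CI.
      - name: Scan repository with trivy
        run: |
          docker run --rm -v "$PWD:/app" aquasec/trivy:0.57.0 repo /app \
            --exit-code 1 --severity HIGH,CRITICAL \
            --db-repository public.shturval.tech/trivy-db
```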

@nifadyev, hi!

Thank you for the research. It seems to me we may choose pip-audit instead of safety, because safety has bad package dependencies on its side that often break the main dependencies of our projects.

Just found another option - grype. It is used as a GitHub Action in most of our internal projects.

Hey @soltanoff, what is the final decision? Stick with pip-audit only and not add dep-scan, is that correct?