Security: increase security scans and improve related documentation

.github/workflows/security.yml

@@ -0,0 +1,78 @@
+name: "🛃 Security checks"
+
+# Triggers
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/security.yml"
+      - "qgis_deployment_toolbelt"
+      - "requirements/base.txt"
+      - "requirements/security.txt"
+
+  pull_request:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/security.yml"
+      - "qgis_deployment_toolbelt"
+      - "requirements/base.txt"
+      - "requirements/security.txt"
+
+# Globals
+env:
+  PROJECT_FOLDER: "qgis_deployment_toolbelt"
+  PYTHON_VERSION: "3.11"
+
+  # Jobs definition
+jobs:
+  check-bandit:
+    name: "🦹‍♂️ Bandit"
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Get source code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: "pip"
+          cache-dependency-path: "requirements/security.txt"
+
+      - name: Install project requirements
+        run: |
+          python -m pip install -U pip setuptools wheel
+
+      - name: Install security dependencies
+        run: python -m pip install -U -r requirements/security.txt
+
+      - name: Run Bandit check
+        run: bandit --configfile bandit.yaml --format screen -r qgis_deployment_toolbelt
+
+  check-safety:
+    name: "🛡 Safety PyUp"
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Get source code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: "pip"
+          cache-dependency-path: "requirements/security.txt"
+
+      - name: Install project requirements
+        run: |
+          python -m pip install -U pip setuptools wheel
+
+      - name: Install security dependencies
+        run: python -m pip install -U -r requirements/security.txt
+
+      - name: Run Safety check
+        run: safety check --output text --short-report -r requirements/base.txt

.gitignore

@@ -139,3 +139,5 @@ docs/misc/dependencies.md
 QGISDeploymentToolbelt_*Ubuntu*
 tests/fixtures/tmp/*
 build_environment_report.txt
+safety_report.txt
+bandit_report.csv

.pre-commit-config.yaml

@@ -51,6 +51,12 @@ repos:
         types: [python]
         args: ["--config=setup.cfg", "--select=E9,F63,F7,F82"]
 
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.5
+    hooks:
+      - id: bandit
+        args: ["--configfile", "bandit.yaml"]
+
 ci:
   autoupdate_schedule: quarterly
   skip: []

CONTRIBUTING.md

@@ -24,6 +24,16 @@ Make sure your code *roughly* follows [PEP-8](https://www.python.org/dev/peps/pe
 - sorted imports: [isort](https://pycqa.github.io/isort/) is used to sort imports
 - static analisis: [flake8](https://flake8.pycqa.org/en/latest/) is used to catch some dizziness and keep the source code healthy.
 
+## Security
+
+As the aim of this project is to be carried out on large-scale IT infrastructures, security is one of the development challenges. It's enforced through automated checks, which are mainly executed in CI. But there are a few best practices to bear in mind:
+
+- give preference to the standard Python library, even it's longer to develop
+- or consider adding an additional third-party dependency (interest, consequences, linked dependencies, etc.)
+- take security alerts into account
+
+Read the [security](SECURITY.md) section in documentation.
+
 ## IDE
 
 Feel free to use the IDE you love. Here come configurations for some popular IDEs to fit those guidelines.

README.md

@@ -5,6 +5,7 @@
 [![Imports: isort](https://img.shields.io/badge/%20imports-isort-%231674b1?style=flat&labelColor=ef8336)](https://pycqa.github.io/isort/)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 [![pre-commit.ci status](https://results.pre-commit.ci/badge/github/Guts/qgis-deployment-cli/main.svg)](https://results.pre-commit.ci/latest/github/Guts/qgis-deployment-cli/main)
+[![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)
 
 [![🎳 Tester](https://github.com/Guts/qgis-deployment-cli/actions/workflows/tests.yml/badge.svg)](https://github.com/Guts/qgis-deployment-cli/actions/workflows/tests.yml)
 [![codecov](https://codecov.io/gh/Guts/qgis-deployment-cli/branch/main/graph/badge.svg?token=ZHGRNMA7TV)](https://codecov.io/gh/Guts/qgis-deployment-cli)

SECURITY.md

@@ -0,0 +1,71 @@
+# Security Policy
+
+Because QDT is meant to be carried out on large-scale IT infrastructures, security is one of the development challenges. It's enforced through automated checks, which are mainly executed in CI. You can also run the most of them manually.
+
+## Automated security checks
+
+- [GitGuardian](https://www.gitguardian.com/): detects secrets in the source code to help developers and security teams secure the modern development process.
+- [Github Code QL](https://codeql.github.com/): GitHub integrated tool to discover vulnerabilities across a codebase
+- [Dependabot Alerts](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-supply-chain-security#what-is-dependabot): GitHub integrated tool that keeps dependencies up to date by informing of any security vulnerabilities in project's dependencies, and automatically opens pull requests to upgrade dependencies to the next available secure version when a Dependabot alert is triggered, or to the latest version when a release is published.
+- [GitHub secret scanning](https://docs.github.com/code-security/secret-scanning/secret-scanning-patterns#supported-secrets): integrated Github secrets scanning to receive alerts for detected secrets, keys, or other tokens.
+- [Bandit](https://bandit.readthedocs.io): Bandit is a tool designed to find common security issues in Python code. Aslo executed for every commit as git hook.
+- [Safety](https://pypi.org/project/safety/): Safety is a tool (part of PyUp security suite) designed to scan dependencies.
+
+----
+
+## Supported Versions
+
+We release patches for security vulnerabilities. Which versions are eligible for
+receiving such patches depends on the CVSS v3.0 Rating.
+
+For now, no vulnerability has been found.
+
+----
+
+## Reporting a Vulnerability
+
+Please report (suspected) security vulnerabilities to **[qgis+security@oslandia.com](mailto:qgis+security@oslandia.com)**. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
+
+----
+
+## Run security checks manually
+
+Some checks can be executed on the developer side.
+
+### Install dependencies related to security
+
+```sh
+python -m pip install -U -r requirements/security.txt
+```
+
+### Run bandit chekcs
+
+In a terminal:
+
+```sh
+bandit --configfile bandit.yaml --format screen -r qgis_deployment_toolbelt
+```
+
+It's also possible to get results as a CSV:
+
+```sh
+bandit --configfile bandit.yaml --format csv --output bandit_report.csv -r qgis_deployment_toolbelt
+```
+
+Then open the `bandit_report.csv` file.
+
+## Run Safety
+
+In a terminal:
+
+```sh
+safety check --full-report --output screen -r requirements/base.txt
+```
+
+It's also possible to get results in a text format:
+
+```sh
+safety check --full-report --output text -r requirements/base.txt > safety_report.txt
+```
+
+Then open the `safety_report.txt` file.

bandit.yaml

@@ -0,0 +1,10 @@
+exclude_dirs:
+  - tests
+targets:
+  - "qgis_deployment_toolbelt"
+tests:
+  - B201
+  - B301
+skips:
+  - B101
+  - B601

docs/index.md

@@ -83,6 +83,7 @@ guides/howto_windows_sign_executable
 caption: Miscellaneous
 maxdepth: 1
 ---
+misc/security
 misc/compatibility
 misc/credits
 misc/funding

docs/misc/security.md

@@ -0,0 +1,2 @@
+```{include} ../../SECURITY.md
+```

requirements/security.txt

@@ -0,0 +1,2 @@
+bandit>=1.7.5,<1.8
+safety>=2.3.5,<2.4