@@ -970,15 +970,6 @@ hadolint:
970970 fi
971971
972972
973- # help: pip-audit - Audit Python dependencies for published CVEs
974- .PHONY : pip-audit
975- pip-audit :
976- @echo " 🔒 pip-audit vulnerability scan..."
977- @test -d " $( VENV_DIR) " || $(MAKE ) venv
978- @/bin/bash -c " source $( VENV_DIR) \
979- python3 -m pip install --quiet --upgrade pip-audit && \
980- pip-audit --progress-spinner ascii --strict || true"
981-
982973# =============================================================================
983974# 📦 DEPENDENCY MANAGEMENT
984975# =============================================================================
@@ -2509,3 +2500,161 @@ test-all: test test-ui-headless
25092500# Add UI tests to your existing test suite if needed
25102501test-full : coverage test-ui-report
25112502 @echo " 📊 Full test suite completed with coverage and UI tests!"
2503+
2504+
2505+ # =============================================================================
2506+ # 🔒 SECURITY TOOLS
2507+ # =============================================================================
2508+ # help: 🔒 SECURITY TOOLS
2509+ # help: security-all - Run all security tools (semgrep, dodgy, gitleaks, etc.)
2510+ # help: security-report - Generate comprehensive security report in docs/security/
2511+ # help: security-fix - Auto-fix security issues where possible (pyupgrade, etc.)
2512+ # help: semgrep - Static analysis for security patterns
2513+ # help: dodgy - Check for suspicious code patterns (passwords, keys)
2514+ # help: dlint - Best practices linter for Python
2515+ # help: pyupgrade - Upgrade Python syntax to newer versions
2516+ # help: interrogate - Check docstring coverage
2517+ # help: prospector - Comprehensive Python code analysis
2518+ # help: pip-audit - Audit Python dependencies for published CVEs
2519+ # help: gitleaks-install - Install gitleaks secret scanner
2520+ # help: gitleaks - Scan git history for secrets
2521+
2522+ # List of security tools to run with security-all
2523+ SECURITY_TOOLS := semgrep dodgy dlint interrogate prospector pip-audit
2524+
2525+ .PHONY : security-all security-report security-fix $(SECURITY_TOOLS ) gitleaks-install gitleaks pyupgrade
2526+
2527+ # # --------------------------------------------------------------------------- ##
2528+ # # Master security target
2529+ # # --------------------------------------------------------------------------- ##
2530+ security-all :
2531+ @echo " 🔒 Running full security tool suite..."
2532+ @set -e; for t in $( SECURITY_TOOLS) ; do \
2533+ echo " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" ; \
2534+ echo " - $$ t" ; \
2535+ $(MAKE ) $$ t || true ; \
2536+ done
2537+ @echo " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
2538+ @echo " 🔍 Running gitleaks (if installed)..."
2539+ @command -v gitleaks > /dev/null 2>&1 && $(MAKE ) gitleaks || echo " ⚠️ gitleaks not installed - run 'make gitleaks-install'"
2540+ @echo " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
2541+ @echo " ✅ Security scan complete!"
2542+
2543+ # # --------------------------------------------------------------------------- ##
2544+ # # Individual security tools
2545+ # # --------------------------------------------------------------------------- ##
2546+ semgrep : # # 🔍 Security patterns & anti-patterns
2547+ @echo " 🔍 semgrep - scanning for security patterns..."
2548+ @test -d " $( VENV_DIR) " || $(MAKE ) venv
2549+ @/bin/bash -c " source $( VENV_DIR) \
2550+ python3 -m pip install -q semgrep && \
2551+ $(VENV_DIR ) /bin/semgrep --config=auto mcpgateway tests || true"
2552+
2553+ dodgy : # # 🔐 Suspicious code patterns
2554+ @echo " 🔐 dodgy - scanning for hardcoded secrets..."
2555+ @test -d " $( VENV_DIR) " || $(MAKE ) venv
2556+ @/bin/bash -c " source $( VENV_DIR) \
2557+ python3 -m pip install -q dodgy && \
2558+ $(VENV_DIR ) /bin/dodgy mcpgateway tests || true"
2559+
2560+ dlint : # # 📏 Python best practices
2561+ @echo " 📏 dlint - checking Python best practices..."
2562+ @test -d " $( VENV_DIR) " || $(MAKE ) venv
2563+ @/bin/bash -c " source $( VENV_DIR) \
2564+ python3 -m pip install -q dlint && \
2565+ $(VENV_DIR ) /bin/python -m flake8 --select=DUO mcpgateway"
2566+
2567+ pyupgrade : # # ⬆️ Upgrade Python syntax
2568+ @echo " ⬆️ pyupgrade - checking for syntax upgrade opportunities..."
2569+ @test -d " $( VENV_DIR) " || $(MAKE ) venv
2570+ @/bin/bash -c " source $( VENV_DIR) \
2571+ python3 -m pip install -q pyupgrade && \
2572+ find mcpgateway tests -name ' *.py' $(VENV_DIR ) /bin/pyupgrade --py312-plus --diff {} + || true"
2573+ @echo " 💡 To apply changes, run: find mcpgateway tests -name '*.py' -exec $( VENV_DIR) "
2574+
2575+ interrogate : # # 📝 Docstring coverage
2576+ @echo " 📝 interrogate - checking docstring coverage..."
2577+ @test -d " $( VENV_DIR) " || $(MAKE ) venv
2578+ @/bin/bash -c " source $( VENV_DIR) \
2579+ python3 -m pip install -q interrogate && \
2580+ $(VENV_DIR ) /bin/interrogate -vv mcpgateway || true"
2581+
2582+ prospector : # # 🔬 Comprehensive code analysis
2583+ @echo " 🔬 prospector - running comprehensive analysis..."
2584+ @test -d " $( VENV_DIR) " || $(MAKE ) venv
2585+ @/bin/bash -c " source $( VENV_DIR) \
2586+ python3 -m pip install -q prospector[with_everything] && \
2587+ $(VENV_DIR ) /bin/prospector mcpgateway || true"
2588+
2589+ pip-audit : # # 🔒 Audit Python dependencies for CVEs
2590+ @echo " 🔒 pip-audit vulnerability scan..."
2591+ @test -d " $( VENV_DIR) " || $(MAKE ) venv
2592+ @/bin/bash -c " source $( VENV_DIR) \
2593+ python3 -m pip install --quiet --upgrade pip-audit && \
2594+ pip-audit --strict || true"
2595+
2596+ # # --------------------------------------------------------------------------- ##
2597+ # # Gitleaks (Go binary - separate installation)
2598+ # # --------------------------------------------------------------------------- ##
2599+ gitleaks-install : # # 📥 Install gitleaks secret scanner
2600+ @echo " 📥 Installing gitleaks..."
2601+ @if [ " $$ (uname)" = " Darwin" ; then \
2602+ brew install gitleaks; \
2603+ elif [ " $$ (uname)" = " Linux" ; then \
2604+ VERSION=$$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep '"tag_name"' | cut -d '"' -f 4 ) ; \
2605+ curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/$$ VERSION/gitleaks_$$ {VERSION#v}_linux_x64.tar.gz | tar -xz -C /tmp; \
2606+ sudo mv /tmp/gitleaks /usr/local/bin/; \
2607+ sudo chmod +x /usr/local/bin/gitleaks; \
2608+ else \
2609+ echo " ❌ Unsupported OS. Download from https://github.com/gitleaks/gitleaks/releases" ; \
2610+ exit 1; \
2611+ fi
2612+ @echo " ✅ gitleaks installed successfully!"
2613+
2614+ gitleaks : # # 🔍 Scan for secrets in git history
2615+ @command -v gitleaks > /dev/null 2>&1 || { \
2616+ echo " ❌ gitleaks not installed." ; \
2617+ echo " 💡 Install with:" ; \
2618+ echo " • macOS: brew install gitleaks" ; \
2619+ echo " • Linux: Run 'make gitleaks-install'" ; \
2620+ echo " • Or download from https://github.com/gitleaks/gitleaks/releases" ; \
2621+ exit 1; \
2622+ }
2623+ @echo " 🔍 Scanning for secrets with gitleaks..."
2624+ @gitleaks detect --source . -v || true
2625+ @echo " 💡 To scan git history: gitleaks detect --source . --log-opts='--all'"
2626+
2627+ # # --------------------------------------------------------------------------- ##
2628+ # # Security reporting and advanced targets
2629+ # # --------------------------------------------------------------------------- ##
2630+ security-report : # # 📊 Generate comprehensive security report
2631+ @echo " 📊 Generating security report..."
2632+ @mkdir -p $(DOCS_DIR ) /docs/security
2633+ @echo " # Security Scan Report - $$ (date)" > $(DOCS_DIR ) /docs/security/report.md
2634+ @echo " " >> $(DOCS_DIR ) /docs/security/report.md
2635+ @echo " ## Code Security Patterns (semgrep)" >> $(DOCS_DIR ) /docs/security/report.md
2636+ @/bin/bash -c " source $( VENV_DIR) \
2637+ python3 -m pip install -q semgrep && \
2638+ $(VENV_DIR ) /bin/semgrep --config=auto mcpgateway tests --quiet || true" >> $( DOCS_DIR)
2639+ @echo " " >> $(DOCS_DIR ) /docs/security/report.md
2640+ @echo " ## Suspicious Code Patterns (dodgy)" >> $(DOCS_DIR ) /docs/security/report.md
2641+ @/bin/bash -c " source $( VENV_DIR) \
2642+ python3 -m pip install -q dodgy && \
2643+ $(VENV_DIR ) /bin/dodgy mcpgateway tests || true" >> $( DOCS_DIR)
2644+ @echo " ✅ Security report saved to $( DOCS_DIR) "
2645+
2646+ security-fix : # # 🔧 Auto-fix security issues where possible
2647+ @echo " 🔧 Attempting to auto-fix security issues..."
2648+ @echo " ➤ Upgrading Python syntax with pyupgrade..."
2649+ @/bin/bash -c " source $( VENV_DIR) \
2650+ python3 -m pip install -q pyupgrade && \
2651+ find mcpgateway tests -name ' *.py' $(VENV_DIR ) /bin/pyupgrade --py312-plus {} +"
2652+ @echo " ➤ Updating dependencies to latest secure versions..."
2653+ @/bin/bash -c " source $( VENV_DIR) \
2654+ python3 -m pip install --upgrade pip setuptools && \
2655+ python3 -m pip list --outdated"
2656+ @echo " ✅ Auto-fixes applied where possible"
2657+ @echo " ⚠️ Manual review still required for:"
2658+ @echo " - Dependency updates (run 'make update')"
2659+ @echo " - Secrets in code (review dodgy/gitleaks output)"
2660+ @echo " - Security patterns (review semgrep output)"
0 commit comments