
@tduhamel42
Collaborator

Summary

Implements Issue #5 - Python SAST workflow that combines three static analysis tools:

  • Dependency scanning (pip-audit) for CVE detection
  • Security linting (Bandit) for vulnerability patterns
  • Type checking (Mypy) for type safety issues

Changes

New Modules

  • DependencyScanner: Scans Python dependencies for known CVEs using pip-audit
  • BanditAnalyzer: Analyzes Python code for security issues using Bandit
  • MypyAnalyzer: Checks Python code for type safety issues using Mypy

New Workflow

  • python_sast: Temporal workflow that orchestrates all three SAST tools
    • Runs tools in parallel for fast feedback (3-5 min vs hours for fuzzing)
    • Generates unified SARIF report with findings from all tools
    • Supports configurable severity/confidence thresholds

Updates

  • Added SAST dependencies to Python worker (bandit, pip-audit, mypy)
  • Updated module __init__.py files to export new analyzers
  • Added type_errors.py test file to vulnerable_app for Mypy validation

Testing

Workflow tested successfully on vulnerable_app:

  • ✅ Bandit: Detected 9 security issues (command injection, unsafe functions)
  • ✅ Mypy: Detected 5 type errors
  • ✅ DependencyScanner: Ran successfully (no CVEs in test dependencies)
  • ✅ SARIF export: Generated valid SARIF with 14 total findings

Test Plan

  • Python worker builds successfully with new dependencies
  • Workflow appears in ff workflows list
  • All three SAST modules execute correctly
  • SARIF report generated with findings from all tools
  • Findings viewable via CLI (ff findings get)

Closes #5
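The "unified SARIF report" and "configurable severity/confidence thresholds" bullets above describe the merge step but do not show it. As an added example that is not the project's own code and is not part of this PR, the script below normalises constructed sample outputs from the three tools into one SARIF 2.1.0 document with one run per tool, and applies Bandit-style LOW/MEDIUM/HIGH severity and confidence thresholds before emitting results. The Bandit, Mypy and pip-audit outputs, the file names, the package names and the advisory ID are all constructed for the example (the advisory ID is a placeholder, not a real vulnerability); the Temporal orchestration that runs the tools in parallel is assumed to exist upstream and is not shown.

```python
"""Merge Bandit, Mypy and pip-audit output into one SARIF 2.1.0 report.

Added illustration, not the project's own code. All tool outputs below are
constructed samples whose shape follows each tool's real output format
(Bandit -f json, mypy default text, pip-audit 2.x -f json: an assumption).
"""
import json
import re

_LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}            # Bandit's own ordering
_SARIF_LEVEL = {"LOW": "note", "MEDIUM": "warning", "HIGH": "error"}

# ---- constructed sample outputs -------------------------------------------
BANDIT_JSON = json.dumps({"results": [
    {"filename": "vulnerable_app/app.py", "line_number": 12, "test_id": "B602",
     "test_name": "subprocess_popen_with_shell_equals_true",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue."},
    {"filename": "vulnerable_app/app.py", "line_number": 30, "test_id": "B307",
     "test_name": "blacklist", "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
     "issue_text": "Use of possibly insecure function - consider ast.literal_eval."},
    {"filename": "vulnerable_app/util.py", "line_number": 5, "test_id": "B101",
     "test_name": "assert_used", "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Use of assert detected."},
]})

MYPY_TEXT = """\
vulnerable_app/type_errors.py:8: error: Incompatible return value type (got "str", expected "int")  [return-value]
vulnerable_app/type_errors.py:15: error: Argument 1 to "len" has incompatible type "int"; expected "Sized"  [arg-type]
vulnerable_app/type_errors.py:20: note: See https://mypy.readthedocs.io for details
Found 2 errors in 1 file (checked 3 source files)
"""

# The advisory ID is a placeholder for this example, not a real vulnerability.
PIP_AUDIT_JSON = json.dumps({"dependencies": [
    {"name": "examplepkg", "version": "1.0.0", "vulns": [
        {"id": "PYSEC-0000-EXAMPLE", "fix_versions": ["1.0.1"],
         "description": "Constructed advisory used only for this example."}]},
    {"name": "cleanpkg", "version": "2.3.4", "vulns": []},
]})


def _result(rule_id, level, message, uri, line=None):
    """Build one SARIF result with a physical location."""
    phys = {"artifactLocation": {"uri": uri}}
    if line is not None:
        phys["region"] = {"startLine": line}
    return {"ruleId": rule_id, "level": level, "message": {"text": message},
            "locations": [{"physicalLocation": phys}]}


def bandit_results(raw, min_severity="LOW", min_confidence="LOW"):
    """Convert Bandit JSON; drop findings below either threshold."""
    out = []
    for r in json.loads(raw)["results"]:
        if (_LEVELS[r["issue_severity"]] < _LEVELS[min_severity]
                or _LEVELS[r["issue_confidence"]] < _LEVELS[min_confidence]):
            continue
        out.append(_result(r["test_id"], _SARIF_LEVEL[r["issue_severity"]],
                           f'{r["test_name"]}: {r["issue_text"]}',
                           r["filename"], r["line_number"]))
    return out


_MYPY_LINE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+): error: (?P<msg>.*?)\s*\[(?P<code>[\w-]+)\]$")


def mypy_results(text):
    """Parse mypy's default text output; notes and the summary line are skipped."""
    out = []
    for line in text.splitlines():
        m = _MYPY_LINE.match(line)
        if m:
            out.append(_result(f"mypy/{m['code']}", "error", m["msg"],
                               m["file"], int(m["line"])))
    return out


def pip_audit_results(raw, requirements="requirements.txt"):
    """Map each known-vulnerable dependency to an error against the requirements file."""
    out = []
    for dep in json.loads(raw)["dependencies"]:
        for v in dep["vulns"]:
            fix = ", ".join(v["fix_versions"]) or "no fix released"
            out.append(_result(v["id"], "error",
                               f'{dep["name"]} {dep["version"]}: {v["description"]} (fix: {fix})',
                               requirements))
    return out


def build_sarif(tool_results):
    """One SARIF run per tool, so each driver keeps its own rule namespace."""
    runs = []
    for name, results in tool_results.items():
        rule_ids = sorted({r["ruleId"] for r in results})
        runs.append({"tool": {"driver": {"name": name, "rules": [{"id": i} for i in rule_ids]}},
                     "results": results})
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": runs}


def count_findings(sarif):
    return sum(len(run["results"]) for run in sarif["runs"])


def unified_report(min_severity="LOW", min_confidence="LOW"):
    return build_sarif({
        "Bandit": bandit_results(BANDIT_JSON, min_severity, min_confidence),
        "Mypy": mypy_results(MYPY_TEXT),
        "pip-audit": pip_audit_results(PIP_AUDIT_JSON),
    })


if __name__ == "__main__":
    report = unified_report(min_severity="MEDIUM")
    print(json.dumps(report, indent=2))
    print("findings:", count_findings(report))
```

Thresholds are applied only to Bandit because it is the only one of the three tools that reports severity and confidence; Mypy errors and known-vulnerable dependencies are always emitted at level `error`. Keeping one run per tool (rather than one run with three drivers) is what lets a SARIF consumer attribute each `ruleId` to the tool that produced it.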

@tduhamel42 tduhamel42 merged commit 1c3c7a8 into dev Oct 22, 2025
14 checks passed
@tduhamel42 tduhamel42 deleted the feature/python-sast-workflow branch October 22, 2025 13:55
tduhamel42 added a commit that referenced this pull request Nov 4, 2025