-
Notifications
You must be signed in to change notification settings - Fork 0
/
Makefile
53 lines (41 loc) · 2.4 KB
/
Makefile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
SHELL := /bin/bash
.PHONY: help
help: ## This help.
@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
.DEFAULT_GOAL := help
SEMGREP_ARGS=--use-git-ignore --metrics=off --force-color --disable-version-check --experimental --dataflow-traces --sarif --timeout=0
SEMGREP_RULES=-c p/default -c p/python -c p/php -c p/c -c p/rust -c p/apex -c p/nginx -c p/terraform -c p/csharp -c p/nextjs -c p/golang -c p/nodejs -c p/kotlin -c p/django -c p/docker -c p/kubernetes -c p/lockfiles -c p/supply-chain -c p/headless-browser -c p/expressjs -c p/cpp-audit -c p/mobsfscan -c p/ruby -c p/java -c p/javascript -c p/typescript -c p/bandit -c p/flask -c p/gosec -c p/flawfinder -c p/gitleaks -c p/eslint -c p/phpcs-security-audit -c p/react -c p/brakeman -c p/findsecbugs -c p/secrets -c p/sql-injection -c p/jwt -c p/insecure-transport -c p/command-injection -c p/security-code-scan -c p/xss
clean: ## Cleanup tmp files
@find . -type f -name '*.pyc' -delete 2>/dev/null
@find . -type d -name '__pycache__' -delete 2>/dev/null
@find . -type f -name '*.DS_Store' -delete 2>/dev/null
setup: ## FOR DOCO ONLY - Run these one at a time, do not call this target directly
uv venv --python $(which python3.12)
source .venv/bin/activate
uv pip install -U pip
install: ## poetry install and create poetry.lock
poetry install --no-root
poetry self add poetry-plugin-up
update: ## poetry update poetry.lock
git submodule update
poetry self update
poetry up
test: clean ## pytest with coverage
coverage run -m pytest --nf
coverage report -m --fail-under=100
coverage-badge -f -o coverage.svg
publish: clean update ## upload to pypi.org
poetry publish --build
git commit -a -s -m 'feat: v$(shell poetry version -s)'
git tag --force v$(shell poetry version -s)
git push
git push --tags --force
sarif: clean update ## generate SARIF from Semgrep for this project
osv-scanner --format sarif --call-analysis=all -r . | jq >osv.sarif.json
semgrep $(SEMGREP_ARGS) $(SEMGREP_RULES) | jq >semgrep.sarif.json
lockfile: ## generate pip lockfile for this project
uv pip compile --generate-hashes -o requirements.txt --all-extras --upgrade pyproject.toml
sbom: lockfile ## generate CycloneDX for this project
pip-audit -r requirements.txt -f cyclonedx-json --require-hashes | jq > sbom.cdx.json
rm requirements.txt
cyclonedx convert --input-file sbom.cdx.json --output-file sbom.spdx.json