From 4dcac8f02757d7b3c08833f213fab727328fc2ca Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 27 Jan 2026 18:31:58 +0000
Subject: [PATCH 1/2] Initial plan

From a9a5dbaf692f95486c160bbd79f7e51125927c0a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 27 Jan 2026 18:34:17 +0000
Subject: [PATCH 2/2] Move security target to security/security.mk

Co-authored-by: tschm <2046079+tschm@users.noreply.github.com>
---
 .rhiza/rhiza.mk | 1 +
 security/security.mk | 17 +++++++++++++++++
 tests/tests.mk | 11 +----------
 3 files changed, 19 insertions(+), 10 deletions(-)
 create mode 100644 security/security.mk

diff --git a/.rhiza/rhiza.mk b/.rhiza/rhiza.mk
index a03538b3..2f7bc4f3 100644
--- a/.rhiza/rhiza.mk
+++ b/.rhiza/rhiza.mk
@@ -65,6 +65,7 @@ export UV_VENV_CLEAR := 1
 
 # Include split Makefiles
 -include tests/tests.mk
+-include security/security.mk
 -include book/book.mk
 -include book/marimo/marimo.mk
 -include presentation/presentation.mk
diff --git a/security/security.mk b/security/security.mk
new file mode 100644
index 00000000..82273777
--- /dev/null
+++ b/security/security.mk
@@ -0,0 +1,17 @@
+## security.mk - Security scanning targets
+# This file is included by the main Makefile.
+# It provides targets for security vulnerability scans.
+
+# Declare phony targets (they don't produce files)
+.PHONY: security
+
+##@ Security
+
+# The 'security' target performs security vulnerability scans.
+# 1. Runs pip-audit to check for known vulnerabilities in dependencies.
+# 2. Runs bandit to find common security issues in the source code.
+security: install ## run security scans (pip-audit and bandit)
+ @printf "${BLUE}[INFO] Running pip-audit for dependency vulnerabilities...${RESET}\n"
+ @${UVX_BIN} pip-audit
+ @printf "${BLUE}[INFO] Running bandit security scan...${RESET}\n"
+ @${UVX_BIN} bandit -r ${SOURCE_FOLDER} -ll -q 
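Review bot: `@${UVX_BIN} pip-audit` with no requirements input audits the Python environment pip-audit itself runs in, and if `UVX_BIN` is `uvx` that is an isolated, throwaway tool environment containing only pip-audit — so the scan most likely reports no vulnerabilities regardless of what the project's lockfile pins, and the target gives a false sense of coverage. Feed it the project's resolved dependency set instead, e.g. `@uv export --format requirements-txt --no-hashes --no-emit-project | ${UVX_BIN} pip-audit -r /dev/stdin` (substitute the file's uv variable if one is defined alongside `UVX_BIN`). Both scanners are also fetched unpinned at run time, so a new scanner release can change or break the result between two otherwise identical runs; pinning them (`${UVX_BIN} pip-audit==<version>` and `${UVX_BIN} --from bandit==<version> bandit`) keeps the security target reproducible. Lastly, `-ll` on the bandit line silently drops low-severity findings; a comment stating the chosen threshold, `# -ll: report only MEDIUM and HIGH severity findings`, would make that trade-off explicit to the next maintainer.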
diff --git a/tests/tests.mk b/tests/tests.mk
index f3d19086..fae9c243 100644
--- a/tests/tests.mk
+++ b/tests/tests.mk
@@ -4,7 +4,7 @@
 # executing performance benchmarks.
 
 # Declare phony targets (they don't produce files)
-.PHONY: test benchmark typecheck security mutate docs-coverage
+.PHONY: test benchmark typecheck mutate docs-coverage
 
 # Default directory for tests
 TESTS_FOLDER := tests
@@ -55,15 +55,6 @@ typecheck: install ## run mypy type checking
 printf "${YELLOW}[WARN] Source folder ${SOURCE_FOLDER} not found, skipping typecheck${RESET}\n"; \
 fi
 
-# The 'security' target performs security vulnerability scans.
-# 1. Runs pip-audit to check for known vulnerabilities in dependencies.
-# 2. Runs bandit to find common security issues in the source code.
-security: install ## run security scans (pip-audit and bandit)
- @printf "${BLUE}[INFO] Running pip-audit for dependency vulnerabilities...${RESET}\n"
- @${UVX_BIN} pip-audit
- @printf "${BLUE}[INFO] Running bandit security scan...${RESET}\n"
- @${UVX_BIN} bandit -r ${SOURCE_FOLDER} -ll -q
-
 # The 'mutate' target performs mutation testing using mutmut.
 # 1. Runs mutmut to apply mutations to the source code and check if tests fail.
 # 2. Displays the results of the mutation testing.