Keeping Python projects secure on GitLab

16 Mar 2017
Pinning projects to the very latest

A recent study of over 133k websites found that over 49k of them included an outdated JavaScript library with a known vulnerability. While every site is different and not all of them would have been exploitable, that is a frighteningly high percentage, leaving the web insecure.

With Python, we can't know for sure how bad the problem is, since most apps run on remote servers with no public source. However, it is safe to say that keeping dependencies up to date is a big issue for any application.

Enter pyup, an automated tool that sends you pull requests to update your requirements.txt file. It serves two purposes: to keep your dependencies pinned to the latest and most secure versions, and to remind you to redeploy the updated version to your servers.

We're excited to contribute a patch adding GitLab support to pyup. Now using pyup with GitLab is as simple as:

$ pyup --provider gitlab --repo learntemail/backend --user-token 97abc123jhk124gjg134

GitLab/Pyup How To

First, clone our branch with GitLab support and install it:

$ git clone -b gitlab https://github.com/LearntEmail/pyup
$ cd pyup
$ python3 setup.py install

It is best to do this on a server, where it is easy to chuck pyup into a cron job for peace of mind.

1/2: Get a token

Then you need to generate an access token for GitLab. Go to Your Avatar > Settings > Access Tokens:

[Image: GitLab access tokens tab]

Then create a new token with the API access box checked:

[Image: GitLab create access token form]

Now copy your token and you're done:

[Image: GitLab copy access token]

2/2: Run pyup

Now for the hard part: copy and paste your token into this command:

$ pyup --provider gitlab --repo ORG/PROJECT --user-token YOUR_TOKEN

If you use a GitLab instance other than gitlab.com, append its URL to the token:

$ pyup --provider gitlab --repo ORG/PROJECT --user-token YOUR_TOKEN@https://YOUR_GITLAB.intranet

Then you're done. If this is your first time using pyup, you'll get a barrage of changes:

[Image: GitLab merge requests list]

Merge them and you're ready to rock some improved security! Make sure to add this command to your cron jobs or systemd timers so that you get automatic notifications in the future.
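A cron-friendly wrapper for the GitLab workflow above, added here as an example (it is not part of pyup or of this post). It assumes the pyup branch from the post is installed, that the access token was saved to a file with mode 600 rather than pasted into an interactive shell, and uses placeholder values for the repo path, token file location and token.

```shell
#!/bin/sh
# pyup-gitlab.sh: cron wrapper for the GitLab branch of pyup described above.
# Added example, not part of pyup. Assumes `pyup` from that branch is on PATH
# and that the GitLab access token was saved to a file only this user can read.
set -eu

# Return 0 if the token file exists and is not readable by group/others.
# Uses GNU stat (Linux) with a BSD/macOS fallback.
check_token_file() {
    file=$1
    [ -f "$file" ] || { echo "no token file: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$file has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# Print the value for --user-token: TOKEN for gitlab.com, or TOKEN@URL for a
# self-hosted instance, which is the form the GitLab provider accepts.
token_arg() {
    if [ -n "${2:-}" ]; then
        printf '%s@%s\n' "$1" "$2"
    else
        printf '%s\n' "$1"
    fi
}

# run_pyup ORG/PROJECT TOKEN_FILE [GITLAB_URL]
run_pyup() {
    repo=$1 token_file=$2 url=${3:-}
    check_token_file "$token_file"
    token=$(cat "$token_file")
    # Reading the token from a file keeps it out of shell history;
    # the cron log shows only the repo name.
    echo "pyup: checking $repo"
    exec pyup --provider gitlab --repo "$repo" --user-token "$(token_arg "$token" "$url")"
}

# Daily run, e.g. in crontab (placeholder paths):
#   0 6 * * * /usr/local/bin/pyup-gitlab.sh learntemail/backend /etc/pyup/token
if [ $# -ge 2 ]; then
    run_pyup "$@"
fi
```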

Conclusion

We've ported pyup to GitLab to help keep our app secure. What are you doing to keep your app secure? Post your thoughts or email them to me ([email protected]). Make sure to subscribe below to follow our journey through securing a pretty normal CRUD app with background jobs.