Keeping Python projects secure on GitLab

Pinning projects to the very latest

By Sam Parkinson, 16 March 2017

A recent study of over 133k websites found that over 49k of them included an outdated JavaScript library with a known vulnerability. While every site is different and not all of them would have been exploitable, that is a frighteningly high percentage, and it leaves the web insecure.

With Python, we can't know for sure how bad the problem is, since most apps run on remote servers with no public source. However, it is safe to say that keeping dependencies up to date is a big issue for any application.

Enter pyup, an automated tool that sends you pull requests to update your requirements.txt file. It serves two purposes: to keep your dependencies pinned to the latest and most secure versions, and to remind you to redeploy the updated version to your servers.

We're excited to contribute a patch to add GitLab support for pyup. Now using pyup and GitLab is as simple as:

$ pyup --provider gitlab --repo learntemail/backend --user-token 97abc123jhk124gjg134

GitLab/Pyup How To

First, clone our branch with GitLab support and install it:

git clone -b gitlab https://github.com/LearntEmail/pyup
cd pyup
python3 setup.py install

It is best to do this on a server, since it is then easy to chuck pyup in a cron job for peace of mind.

1/2: Get a token

Then you need to generate an access token for GitLab. Go to Your Avatar > Settings > Access Tokens:

Gitlab access tokens tab picture

Then create a new token with the API access box checked:

Gitlab create access token picture

Now copy your token and you're done:

Gitlab copy access token picture

2/2: Run pyup

Now for the hard part: copy and paste your token into this command:

$ pyup --provider gitlab --repo ORG/PROJECT --user-token YOUR_TOKEN

If you use a GitLab instance other than gitlab.com, append its URL to the token:

$ pyup --provider gitlab --repo ORG/PROJECT --user-token YOUR_TOKEN@https://YOUR_GITLAB.intranet

Then you're done. If this is your first time using pyup, you'll get a barrage of changes:

Gitlab merge requests list

Merge them and you're ready to rock some improved security! Make sure to add this command to your cron jobs or systemd timers so that you get automatic notifications in the future.
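
A cron wrapper for the command above, added here as an example; it is not part of this post or of pyup. It assumes the token is stored in a file readable only by its owner (path in PYUP_TOKEN_FILE), that PYUP_GITLAB_URL is set only for a self-hosted instance, and uses hypothetical function names; it refuses to run if the token file is readable by anyone else.

```shell
#!/bin/sh
# Cron wrapper for the pyup command above. Added example, not part of the
# original post or of pyup. Assumes the token lives in a file readable only
# by its owner (path in PYUP_TOKEN_FILE) and that PYUP_GITLAB_URL is set only
# for a self-hosted GitLab. Function names are hypothetical.
set -eu

# Succeed only if FILE exists and is unreadable by group and others, so a
# world-readable token file fails closed instead of being used.
check_token_file() {
    file=$1
    [ -f "$file" ] || { echo "token file not found: $file" >&2; return 1; }
    perms=$(ls -ld "$file" | cut -c1-10)
    case $perms in
        -???------) return 0 ;;
        *) echo "refusing $file: mode $perms is too open, want 0600" >&2; return 1 ;;
    esac
}

# Build the --user-token value: a bare token for gitlab.com, TOKEN@URL for a
# self-hosted instance, as the post describes.
token_arg() {
    token=$1
    url=${2:-}
    if [ -n "$url" ]; then
        printf '%s@%s' "$token" "$url"
    else
        printf '%s' "$token"
    fi
}

# Run pyup for one ORG/PROJECT. pyup only accepts the token as a flag, so it
# is still visible in that process's argv; the file keeps it out of the
# crontab, the shell history and the job's log line.
run_pyup() {
    repo=$1
    check_token_file "$PYUP_TOKEN_FILE"
    token=$(cat "$PYUP_TOKEN_FILE")
    pyup --provider gitlab --repo "$repo" \
        --user-token "$(token_arg "$token" "${PYUP_GITLAB_URL:-}")"
}

# Crontab entry (weekly, Monday 06:00), with this script saved as pyup-cron.sh:
#   0 6 * * 1  PYUP_TOKEN_FILE=/etc/pyup/token /usr/local/bin/pyup-cron.sh ORG/PROJECT
if [ "$#" -ge 1 ]; then
    run_pyup "$1"
fi
```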

Conclusion

We've ported pyup to GitLab to help keep our app secure. What are you doing to keep your app secure? Post your thoughts or email them to me (sam@sam.today). Make sure to subscribe below to follow our journey through securing a pretty normal CRUD app with background jobs.
