With Python we can't know for sure how widespread the problem of outdated dependencies is, since most apps run on remote servers with no public source. It is safe to say, though, that keeping dependencies up to date is a big issue for any application.
Enter pyup, an automated tool that sends you pull requests to update your requirements.txt file. It serves two purposes: keeping your dependencies pinned to the latest (and therefore patched) versions, and reminding you to redeploy the updated version to your servers.
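To make concrete what "keeping dependencies pinned" means, here is an added example that is not pyup's own code: it parses a constructed requirements.txt, compares each line against a constructed table of newest versions that stands in for a PyPI lookup, and produces the pinned, bumped file a tool like pyup would propose. Version ordering is deliberately simplified to dotted integers (a real tool would use PEP 440 ordering from the packaging library), and extras such as name[extra] are not handled.

```python
"""Added example, not pyup's own code: compute the pin updates a tool
like pyup would propose for a requirements.txt.

Assumptions: SAMPLE_REQUIREMENTS and LATEST are constructed for the
example (LATEST stands in for a PyPI lookup), and version_key() is a
simplified ordering, not full PEP 440.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample file: a pinned-but-stale line, a range, an
# unpinned name, a line already at the newest version with an
# environment marker, plus a comment and a pip option.
SAMPLE_REQUIREMENTS = """\
# web stack
Django==2.0.2
requests>=2.18
celery
# tooling
gunicorn==19.7.1 ; python_version >= "3.5"
-r dev-requirements.txt
"""

# Constructed "index" of the newest release known per package (lower-cased).
LATEST: Dict[str, str] = {
    "django": "2.0.3",
    "requests": "2.18.4",
    "celery": "4.1.0",
    "gunicorn": "19.7.1",
}

# Package name, optional comparison operator and version, then anything
# else on the line (markers, trailing comments) that must be preserved.
# Extras such as name[extra] are not handled by this simplified pattern.
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<version>[^\s;#]+))?"
    r"(?P<rest>.*)$"
)


def version_key(version: str) -> Tuple[int, ...]:
    """Order dotted versions numerically; non-numeric parts (rc1, dev)
    sort below any number, which is good enough for this example."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def parse_requirement(line: str) -> Optional[dict]:
    """Split one requirement line into its parts, or return None for
    blank lines, comments and pip options such as -r / -e."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    match = REQ_RE.match(stripped)
    return match.groupdict() if match else None


def proposed_pin(req: dict, latest: Dict[str, str]) -> Optional[str]:
    """Return the version to pin `req` to, or None if no change is needed.

    Anything not pinned with == gets pinned: an unpinned `celery` means
    whatever PyPI serves on deploy day, which is neither reproducible
    nor reviewable. An == pin is bumped only if it lags the index."""
    newest = latest.get(req["name"].lower())
    if newest is None:
        return None
    if req["op"] == "==" and version_key(req["version"]) >= version_key(newest):
        return None
    return newest


def plan_updates(text: str, latest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (name, old_spec, new_spec) for every line that would change."""
    changes = []
    for line in text.splitlines():
        req = parse_requirement(line)
        if req is None:
            continue
        newest = proposed_pin(req, latest)
        if newest is not None:
            old_spec = (req["op"] or "") + (req["version"] or "")
            changes.append((req["name"], old_spec, "==" + newest))
    return changes


def rewrite_requirements(text: str, latest: Dict[str, str]) -> str:
    """Return the updated file, keeping comments, options and markers intact."""
    out = []
    for line in text.splitlines():
        req = parse_requirement(line)
        newest = proposed_pin(req, latest) if req else None
        if newest is None:
            out.append(line)
        else:
            out.append(f"{req['name']}=={newest}{req['rest']}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, old, new in plan_updates(SAMPLE_REQUIREMENTS, LATEST):
        print(f"{name}: {old or '(unpinned)'} -> {new}")
    print(rewrite_requirements(SAMPLE_REQUIREMENTS, LATEST))
```

Run as a script it prints three proposed changes (Django bumped, requests and celery pinned) and the rewritten file; gunicorn, already at the newest known version, and the -r line are left untouched.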
We're excited to contribute a patch to add GitLab support for pyup. Now using pyup and GitLab is as simple as:
$ pyup --provider gitlab --repo learntemail/backend --user-token 97abc123jhk124gjg134
First, clone our branch with GitLab support and install it:
$ git clone -b gitlab https://github.com/LearntEmail/pyup
$ cd pyup
$ python3 setup.py install
It is best to do this on a server, because then it is easy to chuck pyup in a cron job for peace of mind.
Then you need to generate an access token for GitLab. Go to Your Avatar > Settings > Access Tokens, create a new token with the API access box checked, and copy it. That scope lets the token do anything your account can do through the API (pyup needs it to push branches and open merge requests), so treat it like your password, and consider issuing it from a dedicated bot account that only has access to the repositories pyup should touch.
Now is the hard part: paste your token into this command. Bear in mind that a token typed on the command line lands in your shell history, so on a shared server read it from a root-only file rather than typing it:
$ pyup --provider gitlab --repo ORG/PROJECT --user-token YOUR_TOKEN
If you run a self-hosted GitLab instance rather than gitlab.com, append its base URL to the token after an @:
$ pyup --provider gitlab --repo ORG/PROJECT --user-token YOUR_TOKEN@https://YOUR_GITLAB.intranet
Then you're done. If this is your first time using pyup, you'll get a barrage of merge requests. Let CI run on each one (a new release can break things just as easily as it fixes them), merge them, and you're ready to rock some improved security! Make sure to add this command to your cron jobs or systemd timers so that you get automatic notifications in the future.
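To close the loop on scheduling, here is an added example (not pyup's code) of a small wrapper that cron or a systemd timer can call: it reads the token from a file that only the running user can read, refuses to proceed if the file is group- or world-accessible, builds the exact command shown in this post, and redacts the token from anything it logs, since cron mails the output. The PYUP_* environment variables, the /etc/pyup/gitlab-token path and the ORG/PROJECT slug are hypothetical.

```python
"""Added example, not pyup's own code: a wrapper for running the post's
pyup command from cron without putting the GitLab token in the crontab
or in anyone's shell history.

Assumptions: the PYUP_* variable names, the /etc/pyup/gitlab-token path
and the ORG/PROJECT slug are hypothetical. The flags passed to pyup are
exactly the ones the post shows.

Hypothetical crontab entry (daily at 06:00):
  0 6 * * * PYUP_REPO=ORG/PROJECT /usr/bin/python3 /opt/pyup/run_pyup.py
"""
import os
import stat
import subprocess
import sys
from typing import List, Optional


def read_token_file(path: str) -> str:
    """Return the token stored in `path`, refusing files the current user
    does not own or that group/others can reach: the token carries full
    API rights, so a world-readable file is as bad as pasting it in chat."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not by us")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {oct(mode)} is group/world accessible; chmod 600 it"
        )
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    if not token:
        raise ValueError(f"{path}: token file is empty")
    return token


def build_pyup_argv(repo: str, token: str, gitlab_url: Optional[str] = None) -> List[str]:
    """Build the command from the post; for a self-hosted instance the
    base URL is appended to the token after an @, as the post shows."""
    user_token = f"{token}@{gitlab_url}" if gitlab_url else token
    return ["pyup", "--provider", "gitlab", "--repo", repo, "--user-token", user_token]


def redacted(argv: List[str], token: str) -> List[str]:
    """Copy of argv that is safe to log: cron mails stdout/stderr, so the
    token must never appear there."""
    return [a.replace(token, "***") if token in a else a for a in argv]


def main() -> int:
    repo = os.environ.get("PYUP_REPO", "ORG/PROJECT")
    token_file = os.environ.get("PYUP_TOKEN_FILE", "/etc/pyup/gitlab-token")
    gitlab_url = os.environ.get("PYUP_GITLAB_URL") or None  # unset = gitlab.com
    token = read_token_file(token_file)
    argv = build_pyup_argv(repo, token, gitlab_url)
    print("running:", " ".join(redacted(argv, token)))
    # The token is still visible in pyup's argv for the duration of the
    # run, since the command line is how the post passes it; what this
    # wrapper removes is its presence in cron configuration, shell
    # history and mailed output.
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    sys.exit(main())
```

Create the token file with `umask 077` (or `chmod 600` after writing) as the same user the cron job runs as; the wrapper exits with a traceback rather than running if that is not the case, which is the behaviour you want from a job that holds an API-scoped token.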
We've ported pyup to GitLab to help keep our app secure. What are you doing to keep your app secure? Post your thoughts or email them to me (firstname.lastname@example.org). Make sure to subscribe below to follow our journey through securing a pretty normal CRUD app with background jobs.
Comments, thoughts? Mail them to email@example.com. I would love to hear them!