add security tooling and development workflow

- ruff for linting and formatting - bandit for security scanning - mypy for type checking - pip-audit for dependency vulnerabilities - Makefile with lint/format/security/test targets
2025-12-20 17:20:21 +01:00
parent 4e38517faf
commit adbb5be5c0
4 changed files with 484 additions and 0 deletions
--- a/85
+++ b/85
@@ -0,0 +1,85 @@
+# FlaskPaste Development Makefile
+# Usage: make <target>
+
+.PHONY: help install dev lint format security test check clean
+
+PYTHON := python3
+VENV := ./venv
+PIP := $(VENV)/bin/pip
+PYTEST := $(VENV)/bin/pytest
+RUFF := $(VENV)/bin/ruff
+MYPY := $(VENV)/bin/mypy
+BANDIT := $(VENV)/bin/bandit
+PIP_AUDIT := $(VENV)/bin/pip-audit
+
+# Default target
+help:
+	@echo "FlaskPaste Development Commands"
+	@echo "────────────────────────────────"
+	@echo "  make install   Install production dependencies"
+	@echo "  make dev       Install dev dependencies"
+	@echo "  make lint      Run ruff linter"
+	@echo "  make format    Format code with ruff"
+	@echo "  make types     Run mypy type checker"
+	@echo "  make security  Run bandit + pip-audit"
+	@echo "  make test      Run pytest"
+	@echo "  make check     Run all checks (lint + security + test)"
+	@echo "  make clean     Remove cache files"
+
+# Setup
+install:
+	$(PIP) install -r requirements.txt
+
+dev:
+	$(PIP) install -r requirements.txt -r requirements-dev.txt
+
+# Code quality
+lint:
+	$(RUFF) check app/ tests/ fpaste
+
+format:
+	$(RUFF) format app/ tests/ fpaste
+	$(RUFF) check --fix app/ tests/ fpaste
+
+types:
+	$(MYPY) app/ --ignore-missing-imports
+
+# Security
+security: security-code security-deps
+
+security-code:
+	@echo "── Bandit (code security) ──"
+	$(BANDIT) -r app/ -ll -q
+
+security-deps:
+	@echo "── pip-audit (dependency vulnerabilities) ──"
+	$(PIP_AUDIT) --strict --progress-spinner=off || true
+
+# Testing
+test:
+	$(PYTEST) tests/ -v --tb=short
+
+test-cov:
+	$(PYTEST) tests/ -v --tb=short --cov=app --cov-report=term-missing
+
+# Combined checks
+check: lint types security test
+	@echo ""
+	@echo "✓ All checks passed"
+
+# CI target (non-interactive, strict)
+ci:
+	$(RUFF) check app/ tests/ fpaste
+	$(MYPY) app/ --ignore-missing-imports
+	$(BANDIT) -r app/ -ll -q
+	$(PIP_AUDIT) --strict --progress-spinner=off
+	$(PYTEST) tests/ -v --tb=short
+
+# Cleanup
+clean:
+	find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null || true
+	find . -type d -name .pytest_cache -exec rm -rf {} + 2>/dev/null || true
+	find . -type d -name .mypy_cache -exec rm -rf {} + 2>/dev/null || true
+	find . -type d -name .ruff_cache -exec rm -rf {} + 2>/dev/null || true
+	find . -type f -name "*.pyc" -delete 2>/dev/null || true
+	rm -rf .coverage htmlcov/ 2>/dev/null || true