Python Beta
This article shows you how to analyze your Python applications using the Beta version of our Code Property Graph-based analyzer.
Prerequisites
You must have:
- Set up and authenticated with Qwiet
- Installed Python 3.8 (regardless of which version of Python your app uses)
- Installed the
python3.8-venv
package (Linux only)
preZero only supports applications written using Python 3.8 or earlier.
CI/CD-Based Scans
If you're integrating preZero into a CI/CD system, you must use a Linux build agent.
The build agent should have Python 3.8 installed and support the creation of Python virtual environments.
Considerations
Qwiet's Python analyzer attempts to gather as much information about your project as possible to achieve a high level of accuracy. As such, it expects an environment setup close to the one you have for running your project. This means that the Python interpreter must find all of the project's dependencies installed in one of the directories of its module search path. The most straightforward way to do this is to create a virtual environment and install the project's dependencies in it.
Qwiet supports setups that do not use virtual environments as long as the
Python interpreter can find the dependencies in its
search path.
You can specify additional directories to look for dependencies using the --extra-sys-paths
flag.
Additionally, the Python analyzer goes through your project's files and modules
in a way that's similar to the Python interpreter. This process is crucial for
gathering important information and can be fragile for certain setups. If the
analyzer cannot follow one of the imports in your project, the analysis will proceed,
but the files related to the import may not be included in the resulting analysis.
As such, preZero may not detect security vulnerabilities related to these files. To
receive a complete analysis possible, include the --strict-deps
flag.
Analyzing Your Python Application
Qwiet offers a sample application that you can use to run and test preZero. It also includes a functioning configuration file to demonstrate how you can leverage GitHub Actions to automate code analysis whenever you open a new Pull Request (PR).
We also offer samples for GitLab integration, as well as configurations for Docker, Linux, macOS, and Windows.
Before running code analysis, please run pip install
and make sure this is successful.
To analyze your Python application:
sl analyze --app <name> --beta --python [<path>]
To provide an additional module search path for the analysis:
sl analyze --app <name> --beta --python [<path>] -- --extra-sys-paths [<path>]
To specify that the analysis should only continue if all the project's modules can be followed:
sl analyze --app <name> --beta --python [<path>] -- --strict-deps
To ignore specific paths from the analysis:
sl analyze --app <name> --beta --python [<path>] -- --ignore-paths [<ignore_path_1>] [<ignore_path_2>]
Parameter | Description |
---|---|
--app <name> | The name of the application to be analyzed |
--python | The flag identifying the application as written in Python |
<path> | The path to the Python app to be analyzed |
--beta | Specifies that the new beta analyzer should be used |
--extra-sys-paths [<path>] | Include additional module search paths in the analysis |
--strict-deps | Requires that all of the project's modules can be followed for analysis to proceed |
--ignore-paths | Ignores the specified paths from the analysis |
See the CLI reference for additional sl analyze
options.