# Security Tools

## Overview
The pipeline includes automated security tools to aid in code reviews. These tools scan for common vulnerabilities and security issues, providing feedback before code is merged.
## Bandit
Bandit is an open source security linter for Python. It scans Python code for common security issues such as hardcoded passwords, SQL injection, and insecure function calls.
### Pipeline Configuration

The bandit-security-scan job runs on merge requests with the following settings:

- Scans all Python files recursively
- Excludes `.env` and `.cache` directories
- Skips B101 (assert statements) to reduce noise
- Produces a `bandit-report.json` artifact
- Allowed to fail (does not block merge)
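As an added example (not the pipeline's own job definition or script), the Python below builds the Bandit command line that matches the settings listed above and summarises a `bandit-report.json` artifact by severity so a reviewer can see HIGH findings first. The flags are Bandit's own (`-r` recursive, `-x` comma-separated excludes, `-s` comma-separated test ids to skip, `-f json` / `-o` for the report). `SAMPLE_REPORT` is a constructed report in Bandit's JSON layout, not real scan output, and `load_report` is an assumed helper for reading the artifact inside the job.

```python
"""Added example (not the pipeline's own code): build the Bandit invocation
described in the job settings and summarise the bandit-report.json artifact."""
import json
from collections import Counter

# Settings taken from the job description above.
EXCLUDED_DIRS = [".env", ".cache"]
SKIPPED_TESTS = ["B101"]          # assert statements, skipped to reduce noise
REPORT_PATH = "bandit-report.json"


def build_bandit_command(target: str = ".") -> list:
    """Return the argv for a recursive Bandit scan with the job's settings.

    -r recurse, -x comma-separated excluded paths, -s comma-separated test ids
    to skip, -f/-o report format and output path (all Bandit's own flags).
    """
    return [
        "bandit",
        "-r", target,
        "-x", ",".join(EXCLUDED_DIRS),
        "-s", ",".join(SKIPPED_TESTS),
        "-f", "json",
        "-o", REPORT_PATH,
    ]


def summarize_report(report: dict) -> dict:
    """Count findings by severity and list the HIGH ones for reviewers.

    `report` is the parsed bandit-report.json: Bandit lists findings under
    "results", each with issue_severity, issue_confidence, test_id, filename,
    line_number and issue_text.
    """
    results = report.get("results", [])
    by_severity = Counter(r["issue_severity"] for r in results)
    high = [
        f'{r["filename"]}:{r["line_number"]} {r["test_id"]} {r["issue_text"]}'
        for r in results
        if r["issue_severity"] == "HIGH"
    ]
    return {"total": len(results), "by_severity": dict(by_severity), "high_findings": high}


def load_report(path: str = REPORT_PATH) -> dict:
    """Assumed helper: read the artifact the job produces (used in-pipeline)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample in Bandit's JSON layout; not output from a real scan.
SAMPLE_REPORT = {
    "errors": [],
    "results": [
        {"filename": "app/db.py", "line_number": 12, "test_id": "B608",
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "issue_text": "Possible SQL injection vector through string-based query construction."},
        {"filename": "app/run.py", "line_number": 40, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"filename": "app/config.py", "line_number": 3, "test_id": "B105",
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "issue_text": "Possible hardcoded password: 'changeme'"},
    ],
}

if __name__ == "__main__":
    print(" ".join(build_bandit_command()))
    print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
```

Because the job is allowed to fail, the summary is for the reviewer's benefit rather than a merge gate; if a team later decides to block on HIGH findings, `summarize_report(...)["high_findings"]` is the value to check.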
## Review Buddy
Review Buddy is a tool built by the SDK team to identify common security issues and Q2-specific bad practices. It also tracks cache usage, extension types, and user input throughout the code to provide additional context during code reviews.
### Pipeline Configuration

Two Review Buddy jobs run on merge requests:

- review buddy diff: scans only the changes in the merge request by comparing against the target branch.
- review buddy full: scans the entire repository for a comprehensive review.

Both jobs are allowed to fail and do not block merges.
### High Severity Rules

| Rule | Description | Mitigation |
|---|---|---|
| Blocked package versions | Detects known vulnerable package versions in | Upgrade to a patched version |
| | Detects dynamic code execution which can lead to code injection | Use safer alternatives; avoid executing dynamic strings |
| | Same as above for Python code | Refactor to avoid dynamic code execution |
| Filesystem interaction | Detects | Use SDK-provided file handling methods |
| | Detects Python global variable usage which can cause state issues | Use proper scoping; pass variables as parameters |
| Minimum SDK version | Ensures SDK version meets the minimum required (currently 2.257.0) | Upgrade q2-sdk in |
### Medium Severity Rules

| Rule | Description | Mitigation |
|---|---|---|
| | XSS attack vectors when inserting untrusted content | Use |
| Legacy platform interaction | Detects deprecated APIs ( | Use current platform APIs |
| | Environment variables may expose secrets and bypass SDK configuration patterns | Use SDK-provided configuration; avoid logging environment values |
| Parent window access | Accessing | Use proper cross-frame messaging APIs |
| Script integrity | Checks for script tag integrity attributes | Add integrity attributes to external scripts |
| | Blocks the event loop in async SDK handlers, causing timeouts | Use |
| SQL files modified | Flags SQL file changes for additional review scrutiny | Ensure SQL changes are reviewed by appropriate team members |
| | Disabling SSL verification exposes connections to MITM attacks | Use proper SSL verification; only disable for specific testing with justification |
### Low Severity Rules

| Rule | Description | Mitigation |
|---|---|---|
| | Debug statements that may expose sensitive data in production | Remove before merging to production |
| | Causes layout issues on mobile browsers due to dynamic browser chrome | Use |
| Nested iframes | Flags nested iframe usage for review | Ensure nested iframes are necessary and properly secured |
| Q2 UI components | Tracks usage of q2-modal, q2-toast, q2-popover, q2-action-sheet, q2-option-list for reviewer awareness | No mitigation required; informational only |
| | Can cause memory leaks if not properly cleaned up | Ensure timers are cleared when components unmount |
| Stencil hydration | Tracks Stencil web component hydration patterns | Ensure proper hydration handling |
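To make the difference between the diff job and the full job concrete, here is an added example (my own code, not Review Buddy's): a minimal scanner that applies severity-tagged rules either to only the lines added in a merge-request diff, or to a whole file. The rule names, severities and regular expressions are illustrative approximations of a few descriptions in the tables above (dynamic code execution, global variables, disabled SSL verification, debug statements), not Review Buddy's actual rules; `SAMPLE_DIFF` and `SAMPLE_FILE` are constructed inputs.

```python
"""Added example, not Review Buddy's own code: severity-tagged rules applied
either to the added lines of a merge-request diff (diff mode) or to a whole
file (full mode)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative rules approximating a few descriptions in the tables above.
# Names, severities and regexes are assumptions for this example only.
RULES = [
    ("dynamic code execution", "high", re.compile(r"\b(?:eval|exec)\s*\(")),
    ("global variable usage", "high", re.compile(r"^\s*global\s+\w")),
    ("SSL verification disabled", "medium", re.compile(r"verify\s*=\s*False\b")),
    ("debug statement", "low", re.compile(r"^\s*print\s*\(")),
]
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    filename: str
    line: int
    severity: str
    rule: str
    text: str


def check_line(filename: str, lineno: int, text: str) -> List[Finding]:
    """Apply every rule to one source line."""
    return [Finding(filename, lineno, sev, name, text.strip())
            for name, sev, pattern in RULES if pattern.search(text)]


def scan_source(filename: str, source: str) -> List[Finding]:
    """Full mode: every line of the file is checked."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        findings.extend(check_line(filename, lineno, text))
    return findings


def scan_diff(diff_text: str) -> List[Finding]:
    """Diff mode: only lines added relative to the target branch are checked.

    Line numbers come from the '+' side of each @@ hunk header, so a finding
    points at the line in the merge request's version of the file.
    """
    findings = []
    filename, lineno = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            filename = raw[4:].removeprefix("b/")   # new-file name from the header
        elif raw.startswith(("diff ", "index ", "--- ")):
            continue
        elif (m := HUNK_RE.match(raw)):
            lineno = int(m.group(1))
        elif raw.startswith("+"):
            findings.extend(check_line(filename, lineno, raw[1:]))
            lineno += 1
        elif not raw.startswith("-"):
            lineno += 1   # context line; removed ('-') lines do not advance
    return findings


def worst_severity(findings: List[Finding]) -> Optional[str]:
    """Highest severity present, for a quick verdict on the scan."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default=None)


# Constructed merge-request diff and the resulting file (not from a real repo).
SAMPLE_DIFF = """\
diff --git a/app/handler.py b/app/handler.py
--- a/app/handler.py
+++ b/app/handler.py
@@ -5,3 +5,5 @@ def handle(request):
     data = request.json()
-    result = compute(data)
+    result = eval(data["expr"])
+    print("debug:", result)
+    resp = session.get(url, verify=False)
     return result
"""
SAMPLE_FILE = """\
from app.http import session, url
print("handler module loaded")  # pre-existing debug line, outside the MR hunk

def handle(request):
    data = request.json()
    result = eval(data["expr"])
    print("debug:", result)
    resp = session.get(url, verify=False)
    return result
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.filename}:{f.line} [{f.severity}] {f.rule}: {f.text}")
```

On the constructed inputs, diff mode reports the three added lines (6, 7 and 8) and nothing else, while full mode also reports the pre-existing debug statement on line 2 that the merge request never touched. That gap is why the pipeline runs both jobs: the diff job keeps review feedback focused on what changed, and the full job catches what is already in the repository.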
### Context Tracking

Review Buddy tracks the following throughout the codebase to provide context during reviews:

- Cache usage - Where cache is read or written
- Class and extension usage - Custom classes and SDK extensions
- Form field usage - User input handling
- Third-party cache - External cache integrations