appsec-tool-kit 0.1.0__tar.gz → 0.2.0__tar.gz

{appsec_tool_kit-0.1.0 → appsec_tool_kit-0.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: appsec-tool-kit
-Version: 0.1.0
+Version: 0.2.0
 Summary: Interactive CLI to configure security tools for CI/CD pipelines
 Requires-Python: >=3.12
 Requires-Dist: questionary>=2.0

{appsec_tool_kit-0.1.0 → appsec_tool_kit-0.2.0}/appsec_kit/cli.py

@@ -33,11 +33,11 @@ def _print_next_steps(lang: str, layers: list[str]) -> None:
     lines: list[str] = []
 
     if "precommit" in layers:
-        lines += [
-            "pip install pre-commit detect-secrets",
-            "detect-secrets scan > .secrets.baseline",
-            "pre-commit install",
-        ]
+        pip_pkgs = "pre-commit detect-secrets" if "secrets" in layers else "pre-commit"
+        lines.append(f"pip install {pip_pkgs}")
+        if "secrets" in layers:
+            lines.append("detect-secrets scan > .secrets.baseline")
+        lines.append("pre-commit install")
 
     if lang == "node" and "sast" in layers:
         lines += [

appsec_tool_kit-0.2.0/appsec_kit/updater.py

@@ -0,0 +1,74 @@
+import json
+import re
+from pathlib import Path
+from urllib.error import URLError
+from urllib.request import Request, urlopen
+
+from rich.console import Console
+
+console = Console()
+
+_VERSIONS_PATH = Path(__file__).parent / "versions.py"
+
+# (github_repo, keep_v_prefix)
+_TOOLS: dict[str, tuple[str, bool]] = {
+    "BANDIT": ("PyCQA/bandit", False),
+    "DETECT_SECRETS": ("Yelp/detect-secrets", True),
+    "PIP_AUDIT": ("pypa/pip-audit", True),
+    "GITLEAKS": ("gitleaks/gitleaks", True),
+}
+
+
+def _fetch_latest_tag(repo: str) -> str | None:
+    url = f"https://api.github.com/repos/{repo}/releases/latest"
+    req = Request(url, headers={
+        "Accept": "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28",
+    })
+    try:
+        with urlopen(req, timeout=10) as resp:
+            return json.loads(resp.read()).get("tag_name")
+    except (URLError, json.JSONDecodeError, KeyError):
+        return None
+
+
+def bump_versions() -> None:
+    console.print()
+    console.print("[bold]Checking latest versions...[/bold]\n")
+
+    content = _VERSIONS_PATH.read_text()
+    updated = content
+    any_change = False
+
+    for var, (repo, keep_v) in _TOOLS.items():
+        tag = _fetch_latest_tag(repo)
+        if tag is None:
+            console.print(f"  [yellow]⚠[/yellow]  {var}: could not fetch from {repo}")
+            continue
+
+        version = tag if keep_v else tag.lstrip("v")
+
+        match = re.search(rf'^{var} = "([^"]+)"', content, re.MULTILINE)
+        if not match:
+            console.print(f"  [yellow]⚠[/yellow]  {var}: not found in versions.py")
+            continue
+
+        current = match.group(1)
+        if current == version:
+            console.print(f"  [dim]–[/dim]  {var}: [dim]{current} (up to date)[/dim]")
+        else:
+            updated = updated.replace(f'{var} = "{current}"', f'{var} = "{version}"')
+            console.print(f"  [green]↑[/green]  {var}: [dim]{current}[/dim] → [bold green]{version}[/bold green]")
+            any_change = True
+
+    console.print()
+
+    if any_change:
+        _VERSIONS_PATH.write_text(updated)
+        console.print("[green]versions.py updated.[/green] Commit when pronto:")
+        console.print('  [dim]git add appsec_kit/versions.py[/dim]')
+        console.print('  [dim]git commit -m "chore: bump pinned tool versions"[/dim]')
+    else:
+        console.print("[dim]All versions up to date.[/dim]")
+
+    console.print()

{appsec_tool_kit-0.1.0 → appsec_tool_kit-0.2.0}/appsec_kit/versions.py

@@ -1,6 +1,6 @@
-BANDIT = "1.8.3"
+BANDIT = "1.9.4"
 DETECT_SECRETS = "v1.5.0"
-PIP_AUDIT = "v2.7.3"
-GITLEAKS = "v8.22.1"
+PIP_AUDIT = "v2.10.1"
+GITLEAKS = "v8.30.1"
 
 CI_LAYERS = frozenset(("sast", "deps", "secrets"))

{appsec_tool_kit-0.1.0 → appsec_tool_kit-0.2.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "appsec-tool-kit"
-version = "0.1.0"
+version = "0.2.0"
 description = "Interactive CLI to configure security tools for CI/CD pipelines"
 readme = "README.md"
 requires-python = ">=3.12"
@@ -15,6 +15,7 @@ dependencies = [
 
 [project.scripts]
 appsec-kit = "appsec_kit.cli:run"
+appsec-kit-bump = "appsec_kit.updater:bump_versions"
 
 [tool.hatch.build.targets.wheel]
 packages = ["appsec_kit"]

appsec_tool_kit-0.2.0/renovate.json

@@ -0,0 +1,35 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:base"],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "fileMatch": ["^appsec_kit/versions\\.py$"],
+      "matchStrings": ["BANDIT = \"(?<currentValue>[^\"]+)\""],
+      "depNameTemplate": "PyCQA/bandit",
+      "datasourceTemplate": "github-releases",
+      "extractVersionTemplate": "^v?(?<version>.+)$"
+    },
+    {
+      "customType": "regex",
+      "fileMatch": ["^appsec_kit/versions\\.py$"],
+      "matchStrings": ["DETECT_SECRETS = \"(?<currentValue>[^\"]+)\""],
+      "depNameTemplate": "Yelp/detect-secrets",
+      "datasourceTemplate": "github-releases"
+    },
+    {
+      "customType": "regex",
+      "fileMatch": ["^appsec_kit/versions\\.py$"],
+      "matchStrings": ["PIP_AUDIT = \"(?<currentValue>[^\"]+)\""],
+      "depNameTemplate": "pypa/pip-audit",
+      "datasourceTemplate": "github-releases"
+    },
+    {
+      "customType": "regex",
+      "fileMatch": ["^appsec_kit/versions\\.py$"],
+      "matchStrings": ["GITLEAKS = \"(?<currentValue>[^\"]+)\""],
+      "depNameTemplate": "gitleaks/gitleaks",
+      "datasourceTemplate": "github-releases"
+    }
+  ]
+}

appsec_tool_kit-0.2.0/tests/test_cli.py

@@ -0,0 +1,61 @@
+from unittest.mock import patch
+
+from rich.panel import Panel
+
+from appsec_kit.cli import _print_next_steps
+
+
+def _capture(lang: str, layers: list[str]) -> str:
+    captured: list[str] = []
+
+    def _collect(*args, **_):
+        for arg in args:
+            if isinstance(arg, Panel):
+                captured.append(str(arg.renderable))
+            else:
+                captured.append(str(arg))
+
+    with patch("appsec_kit.cli.console") as mock_console:
+        mock_console.print.side_effect = _collect
+        _print_next_steps(lang, layers)
+    return "\n".join(captured)
+
+
+class TestNextSteps:
+    def test_precommit_with_secrets_shows_baseline_and_detect_secrets(self):
+        out = _capture("python", ["precommit", "secrets"])
+        assert "detect-secrets scan" in out
+        assert "detect-secrets" in out
+        assert "pre-commit install" in out
+
+    def test_precommit_without_secrets_omits_baseline_and_detect_secrets_pkg(self):
+        out = _capture("python", ["precommit", "sast"])
+        assert "detect-secrets scan" not in out
+        assert "detect-secrets" not in out
+        assert "pre-commit install" in out
+
+    def test_precommit_only_omits_baseline(self):
+        out = _capture("python", ["precommit"])
+        assert "detect-secrets scan" not in out
+        assert "pre-commit install" in out
+
+    def test_no_precommit_shows_nothing(self):
+        out = _capture("python", ["sast", "deps", "secrets"])
+        assert "pre-commit install" not in out
+        assert "detect-secrets scan" not in out
+
+    def test_node_sast_shows_semgrep_token_instructions(self):
+        out = _capture("node", ["sast", "precommit"])
+        assert "SEMGREP_APP_TOKEN" in out
+
+    def test_python_sast_omits_semgrep_token_instructions(self):
+        out = _capture("python", ["sast", "precommit"])
+        assert "SEMGREP_APP_TOKEN" not in out
+
+    def test_ci_layers_show_git_push_instructions(self):
+        out = _capture("python", ["sast"])
+        assert "git push" in out
+
+    def test_no_layers_shows_nothing(self):
+        out = _capture("python", [])
+        assert out == ""