Security and Static Analysis
Purpose
Provide a repeatable local and CI workflow for backend security scanning and static analysis with low-noise output.
Toolchain
- Static analysis: Ruff (make lint)
- Security scanning: Bandit (make security)
Scope
In scope:
- Backend code scanning and summarized findings.
- Local and CI-ready command entry points.
Out of scope:
- Dependency vulnerability scanning and container image scanning.
- Auto-fixing findings.
Commands
make lint
make security
Findings triage
Prioritize remediation in this order:
1. Hardcoded credentials or secret-like values.
2. Risky execution patterns (exec, unsafe subprocess/shell patterns).
3. Broad exception handling that hides failure modes.
4. Any suppression (# nosec, Ruff noqa/ignore) without a documented reason.
When a finding is a confirmed false positive, use the narrowest possible suppression (a single line and a single rule) and document the reason next to it.
Tunables
- Lint summary: LINT_MAX_RULES, LINT_MAX_ISSUES
- Security summary: SECURITY_MAX_TESTS, SECURITY_MAX_ISSUES
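As an added example (not the project's own backend/tools/security.py), the script below reads Bandit's `-f json` output, groups results by test id, orders the groups by the triage priority above and caps what is printed the way SECURITY_MAX_TESTS and SECURITY_MAX_ISSUES suggest. The bucket-to-test-id mapping and the sample report are constructed assumptions for illustration.

```python
"""Low-noise summary of a Bandit JSON report, ordered by triage priority."""
import json
import os
import sys
from collections import defaultdict

# Triage buckets in remediation order. The Bandit test ids are real, but
# which ids belong to which bucket is an assumption made for this example.
PRIORITY = {
    "secrets": {"B105", "B106", "B107"},           # hardcoded password/secret
    "risky-exec": {"B102", "B602", "B605"},        # exec(), shell=True, os.system
    "broad-except": {"B110", "B112"},              # try/except pass or continue
}
RANK = list(PRIORITY) + ["other"]

# Constructed sample in the shape of `bandit -r backend -f json` (only the keys used here).
SAMPLE_REPORT = {"results": [
    {"filename": "backend/app/util.py", "line_number": 40, "test_id": "B110", "issue_severity": "LOW"},
    {"filename": "backend/app/run.py", "line_number": 12, "test_id": "B602", "issue_severity": "HIGH"},
    {"filename": "backend/app/config.py", "line_number": 7, "test_id": "B105", "issue_severity": "LOW"},
    {"filename": "backend/app/util.py", "line_number": 88, "test_id": "B110", "issue_severity": "LOW"},
    {"filename": "backend/app/util.py", "line_number": 95, "test_id": "B110", "issue_severity": "LOW"},
    {"filename": "backend/app/check.py", "line_number": 3, "test_id": "B101", "issue_severity": "LOW"},
]}


def bucket_for(test_id):
    """Map a Bandit test id to its triage bucket ('other' if unmapped)."""
    return next((name for name, ids in PRIORITY.items() if test_id in ids), "other")


def summarize(report, max_tests=3, max_issues=2):
    """Group findings by test id, sort by bucket rank then count, cap tests and locations."""
    by_test = defaultdict(list)
    for result in report.get("results", []):
        by_test[result["test_id"]].append(result)
    ordered = sorted(by_test.items(),
                     key=lambda kv: (RANK.index(bucket_for(kv[0])), -len(kv[1]), kv[0]))
    summary = []
    for test_id, issues in ordered[:max_tests]:
        shown = [f"{i['filename']}:{i['line_number']}" for i in issues[:max_issues]]
        summary.append({"test_id": test_id, "bucket": bucket_for(test_id),
                        "count": len(issues), "shown": shown})
    return summary


if __name__ == "__main__":  # usage: python summarize.py [bandit.json]; defaults to the sample
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for row in summarize(report, int(os.environ.get("SECURITY_MAX_TESTS", 3)),
                         int(os.environ.get("SECURITY_MAX_ISSUES", 2))):
        print(f"[{row['bucket']}] {row['test_id']} x{row['count']}: {', '.join(row['shown'])}")
```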
Code locations
- Lint summary tooling: backend/tools/lint.py
- Security summary tooling: backend/tools/security.py
- Shared config: pyproject.toml
- Make command entry points: Makefile
How to verify
make build
make lint
make security