ci: Add back static analysis and checking Python deps for CVEs

Accidentally removed during: #3909
freedomofpress · Jan 15, 2019 · 079dc18 · 079dc18
1 parent 2f9267f
commit 079dc18
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -112,6 +112,19 @@ jobs:
             cd journalist_gui
             xvfb-run -a pipenv run python3 test_gui.py
 
+  static-analysis-and-no-known-cves:
+    docker:
+      - image: circleci/python:3.5
+    steps:
+      - checkout
+      - run:
+          name: Check Python dependencies for CVEs
+          command: make safety
+
+      - run:
+          name: Run static security testing on source code
+          command: make bandit
+
   staging-test-with-rebase:
     machine:
       enabled: true
@@ -124,6 +137,10 @@ jobs:
           name: Rebase on-top of github target
           command: ./devops/scripts/rebase-ci.sh
 
+      - run:
+          name: Installation pre-reqs
+          command: pip install -U -r securedrop/requirements/develop-requirements.txt
+
       - run:
           name: Run Staging tests on GCE
           command: make ci-go
@@ -149,6 +166,7 @@ workflows:
       - tests
       - admin-tests
       - updater-gui-tests
+      - static-analysis-and-no-known-cves
       - staging-test-with-rebase:
           requires:
             - lint