@hectorcanto
Created November 11, 2020 11:56
A curated Makefile for a Python repository, with commands for several code quality and security tools such as Pylint, Flake8, Bandit and Trivy. It assumes everything is installed; a full demo repo is pending (it is a promise).
# https://misc.flogisoft.com/bash/tip_colors_and_formatting
RED="\\e[91m"
GREEN="\\e[32m"
BLUE="\\e[94m"
YELLOW="\\e[33m"
REGULAR="\\e[39m"
REPORTS=".coverage-reports"
SRC="app"
VERSION=$(shell cat ${SRC}/__init__.py | head -n 1 | cut -d" " -f 3 | tr -d "'")
# Change the version command to adapt it to your needs
help: ## Prompts help for every command
	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | \
	awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

warn:
	@echo "${BLUE}This is a warning to use in other commands.${REGULAR}"

clean-py: ## Remove Python artifacts like .pyc and pycache
	find . -name '*.pyc' -exec rm -f {} +
	find . -name '*.pyo' -exec rm -f {} +
	find . -name '*~' -exec rm -f {} +
	find . -name '__pycache__' -exec rm -fr {} +

# Note: --build-arg values are visible to anyone with the image through `docker history`,
# so a credential passed this way should be treated as exposed to every user of the image.
build: ## Build docker image with credentials from .env
	@docker build --build-arg $(shell cat .env | grep PYPI) -t test-image:active ./

show-version: ## Shows the explicit version of the component
	@echo ${VERSION}

bump-version:
	bumpversion patch --allow-dirty

d diff: ## Show diff of the first unstaged file
	git diff --name-only | head -n 1 | xargs git diff

a add: ## Add the first unstaged file, run it after make diff
	@git diff --name-only | head -n 1 | xargs git add -v

black: ## Launch black against all added files
	@git diff --cached --name-only -- '***.py' | xargs -L 1 black -l 100

# Note: the pipe to tee makes the recipe return tee's exit status, so Pylint findings
# are written to the report but do not fail this target.
linting: ## Check linting with Pylint -- generates report
	pylint --rcfile=setup.cfg ${SRC}/ | tee ${REPORTS}/pylint.txt

flake: ## Check style and linting with Flake8 - generates report
	@flake8 --tee --output-file=${REPORTS}/flake8.txt \
	&& echo "${GREEN}Passed Flake8 style review.${REGULAR}" \
	|| (echo "${RED}Flake8 style review failed.${REGULAR}" ; exit 1)

check-upgradable: ## Prompt a list of upgradable Python packages
	@echo "${YELLOW}This task may take up to a minute.${REGULAR}"
	pip-check -H -l | tee ${REPORTS}/upgradable.txt

graph: ## Show the dependency inverted graph with ARG highlighted, usage: make graph ARG="requests"
	pipenv graph --reverse | grep --color=always -e^ -e ${ARG}

swagger: ## Launch a Swagger server with API definition in local port 8081
	docker run --rm -d --name swagger_local -p 8081:8080 -e SWAGGER_JSON=/mnt/api_definition.yaml -v $(shell pwd):/mnt swaggerapi/swagger-ui
	xdg-open http://localhost:8081

deploy-swarm:
	docker stack deploy -c docker-compose.yml platform

dkc: ## Quickly deploy Docker containers
	docker-compose up -d

test: ## Run pytest with PYTEST conf
	pytest -p no:warnings

up: ## Raise all auxiliary container
	docker-compose pull
	docker-compose up -d database broker

launch: ## Launch application with Gunicorn in port 8000
	gunicorn -w 4 application:application --bind 0.0.0.0:8000 --timeout 1000

sonar: ## Sonar Scanner CLI -- reports xunit, coverage, pylint and bandit
	@sed -i -e 's|<source>.*</source>|<source>app</source>|g' ${REPORTS}/coverage.xml
	docker run -v "${PWD}:/usr/src" --user="$(shell id -u):$(shell id -g)" --env-file=.env sonarsource/sonar-scanner-cli

bandit: ## Check security issues with Bandit
	@bandit --format json --output ${REPORTS}/bandit.json --recursive ${SRC}

# Note: the pipe to tee makes the recipe return tee's exit status, so vulnerable packages
# are written to the report but do not fail this target.
safety: ## Check Python packages vulnerabilities against PyUp DB
	@safety check --full-report | tee ${REPORTS}/safety.txt

# Note: mounting /var/run/docker.sock gives the Trivy container full control of the host's
# Docker daemon. TRIVY_EXIT_CODE=1 makes HIGH or CRITICAL findings fail the target.
trivy: ## Check docker image vulnerabilities with Trivy
	@docker run -t -e TRIVY_EXIT_CODE=1 -e TRIVY_SEVERITY=HIGH,CRITICAL \
	-v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy p2_sut_1

dead-code: ## Look for dead code with Vulture
	@vulture ${SRC}/ | tee ${REPORTS}/vulture.txt

.PHONY: help clean-py build linting black flake check-upgradable graph dkc test up launch sonar bandit safety \
	trivy dead-code