Merge pull request #1834 from UlrichB22/bandit_wf

Add bandit scan to github workflow
moinwiki · Feb 2, 2025 · 9cddd74 · 9cddd74
2 parents 1f01d31 + 01e65b0
commit 9cddd74
Showing 1 changed file with 45 additions and 0 deletions.
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
@@ -0,0 +1,45 @@
+# Bandit is a tool designed to find common security issues in Python code
+# this is a customized copy from https://github.com/PyCQA/bandit-action
+# original author: '@PyCQA'
+#
+# Target for code check is src/moin, test modules are exclude in config file
+# All alerts are logged in the GitHub UI on the Security tab, Code Scanning (choose your branch)
+
+name: Bandit
+
+on:
+  push:
+    branches:
+      - master
+      - test-github-action
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  bandit_check:
+
+    runs-on: ubuntu-latest
+    timeout-minutes: 3
+
+    steps:
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: Install Bandit
+        shell: bash
+        run: pip install bandit[sarif]
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Bandit
+        shell: bash
+        run: bandit -c pyproject.toml -r src/moin -f sarif -o results.sarif || true
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif