Implementation of GitHub Bandit action #6
Conversation
A lot to say on this, so likely better to discuss in comments. Initially this Action will run on itself, to allow easier preview /review. Once review is satisified, we can remove the workflow file or point it to run against `post_comment.py` only Signed-off-by: Luke Hinds <[email protected]>
.github/workflows/bandit-scan.yml
Outdated
| bandit-action: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v2 |
There was a problem hiding this comment.
The latest version for checkout is v4
| - uses: actions/checkout@v2 | |
| - uses: actions/checkout@v4 |
.github/workflows/bandit-scan.yml
Outdated
| with: | ||
| path: "." | ||
| recursive: "true" | ||
|
|
Dockerfile
Outdated
| # Assuming the Dockerfile is located at the root of the repository | ||
| COPY post_comment.py /post_comment.py | ||
|
|
||
| ENTRYPOINT ["/entrypoint.sh"] |
README.md
Outdated
| This is the official GitHub Action for running [Bandit](https://bandit.readthedocs.io/en/latest/), | ||
| developed by the maintainers of Bandit. It is designed to be configurable and | ||
| easy to use. |
There was a problem hiding this comment.
The line breaks here are a little off. Maybe limit to 80 chars.
README.md
Outdated
| bandit-action: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v2 |
There was a problem hiding this comment.
| - uses: actions/checkout@v2 | |
| - uses: actions/checkout@v4 |
README.md
Outdated
| bandit-action: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v2 |
There was a problem hiding this comment.
| - uses: actions/checkout@v2 | |
| - uses: actions/checkout@v4 |
action.yml
Outdated
| targets: | ||
| description: | | ||
| Source file(s) or directory(s) to be tested | ||
| name: 'Bandit Code Scan' |
There was a problem hiding this comment.
I don't think the YAML file here would require single quotes for strings.
| description: 'Run Bandit code scans on your Python codebase' | ||
| inputs: | ||
| GITHUB_TOKEN: | ||
| description: 'GitHub token' |
There was a problem hiding this comment.
I believe GitHub now refers these to "personal access tokens". And the latest version have fine-grained permissions that can be assigned. Therefore guidance on what minimal set of permissions needed here would be useful.
There was a problem hiding this comment.
Ah right, this is an inbuilt Token that is created for each workflow run and then destroyed at the end. No need for the user to do anything:
Dockerfile
Outdated
| RUN pip install bandit | ||
| # Install additional dependencies if necessary | ||
| RUN apk add --no-cache git bash python3 py3-pip && \ | ||
| pip install pygithub |
There was a problem hiding this comment.
| pip install pygithub | |
| pip install PyGithub |
entrypoint.sh
Outdated
| echo "Constructed command: $cmd" | ||
|
|
||
|
|
||
| # Force the output format as JSON and output file, we json and to report.json |
There was a problem hiding this comment.
| # Force the output format as JSON and output file, we json and to report.json | |
| # Force the output format as JSON and output file, we default to json and to report.json |
Signed-off-by: Luke Hinds <[email protected]>
Signed-off-by: Luke Hinds <[email protected]>
Yes, I think we can change this action to be a composite-type action and output to SARIF so it automatically post results to the Code Scanning tab of a repository. |
|
I wonder if we should have a bandit to SARIF converter too so people can get the output in a comment and as SARIF so people who pr against a repo can see the results too in CI |
A lot to say on this, so likely better to discuss in comments.
Initially this Action will run on itself, to allow easier preview /review. Once review is satisified, we can remove the workflow file or point it to run against
post_comment.pyonly