-
-
Notifications
You must be signed in to change notification settings - Fork 6
/
action.yml
144 lines (137 loc) · 4.18 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: Bandit by PyCQA
description: The official Bandit Action developed by PyCQA
author: '@PyCQA'
branding:
icon: 'shield'
color: 'black'
inputs:
configfile:
description: |
Optional config file to use for selecting plugins and overriding defaults
required: false
default: 'DEFAULT'
profile:
description: |
Profile to use (defaults to executing all tests)
required: false
default: 'DEFAULT'
tests:
description: |
Comma-separated list of test IDs to run
required: false
default: 'DEFAULT'
skips:
description: |
Comma-separated list of test IDs to skip
required: false
default: 'DEFAULT'
severity:
description: |
Report only issues of a given severity level or higher. "all" and "low"
are likely to produce the same results, but it is possible for rules to
be undefined which will not be listed in "low". Options include:
{all, high, medium, low}
required: false
default: 'DEFAULT'
confidence:
description: |
Report only issues of a given confidence level or higher. "all" and "low"
are likely to produce the same results, but it is possible for rules to
be undefined which will not be listed in "low". Options include:
{all, high, medium, low}
required: false
default: 'DEFAULT'
exclude:
description: |
Comma-separated list of paths (glob patterns supported) to exclude from
scan (note that these are in addition to the excluded paths provided in
the config file)
required: false
default: '.svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg'
baseline:
description: |
Path of a baseline report to compare against (only JSON-formatted files
are accepted)
required: false
default: 'DEFAULT'
ini:
description: |
Path to a .bandit file that supplies command line arguments
required: false
default: 'DEFAULT'
targets:
description: |
Source file(s) or directory(s) to be tested
required: true
default: '.'
runs:
using: composite
steps:
- name: Set up Python 3.9
uses: actions/setup-python@v5
with:
python-version: 3.9
- name: Install Bandit
shell: bash
run: pip install bandit[sarif]
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Bandit
shell: bash
run: |
if [ "$INPUT_CONFIGFILE" == "DEFAULT" ]; then
CONFIGFILE=""
else
CONFIGFILE="-c $INPUT_CONFIGFILE"
fi
if [ "$INPUT_PROFILE" == "DEFAULT" ]; then
PROFILE=""
else
PROFILE="-p $INPUT_PROFILE"
fi
if [ "$INPUT_TESTS" == "DEFAULT" ]; then
TESTS=""
else
TESTS="-t $INPUT_TESTS"
fi
if [ "$INPUT_SKIPS" == "DEFAULT" ]; then
SKIPS=""
else
SKIPS="-s $INPUT_SKIPS"
fi
if [ "$INPUT_SEVERITY" == "DEFAULT" ]; then
SEVERITY=""
else
SEVERITY="--severity-level $INPUT_SEVERITY"
fi
if [ "$INPUT_CONFIDENCE" == "DEFAULT" ]; then
CONFIDENCE=""
else
CONFIDENCE="--confidence-level $INPUT_CONFIDENCE"
fi
if [ "$INPUT_BASELINE" == "DEFAULT" ]; then
BASELINE=""
else
BASELINE="-b $INPUT_BASELINE"
fi
if [ "$INPUT_INI" == "DEFAULT" ]; then
INI=""
else
INI="--ini $INPUT_INI"
fi
bandit $CONFIGFILE $PROFILE $TESTS $SKIPS $SEVERITY $CONFIDENCE -x $INPUT_EXCLUDE $BASELINE $INI -r $INPUT_TARGETS -f sarif -o results.sarif || true
env:
INPUT_CONFIGFILE: ${{ inputs.configfile }}
INPUT_PROFILE: ${{ inputs.profile }}
INPUT_TESTS: ${{ inputs.tests }}
INPUT_SKIPS: ${{ inputs.skips }}
INPUT_SEVERITY: ${{ inputs.severity }}
INPUT_CONFIDENCE: ${{ inputs.confidence }}
INPUT_EXCLUDE: ${{ inputs.exclude }}
INPUT_BASELINE: ${{ inputs.baseline }}
INPUT_INI: ${{ inputs.ini }}
INPUT_TARGETS: ${{ inputs.targets }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif