fix: report all bandit findings in SARIF, fail only on HIGH severity

scottschreckengaust · scottschreckengaust · commit bd9b5eaee220 · 2026-04-08T03:49:49.000Z
- Remove -ll severity filter so LOW/MEDIUM/HIGH all appear in SARIF
- Check SARIF for HIGH severity (level=error) to decide pass/fail
- Move scan targets into .bandit config so new Python directories
  can be added without editing the workflow
diff --git a/.bandit b/.bandit
@@ -1,6 +1,11 @@
 # Bandit configuration
 # https://bandit.readthedocs.io/en/latest/config.html
 
+# Python directories to scan (add new entries here instead of
+# editing the workflow file)
+targets:
+  - scripts/aidlc-evaluator
+
 # Exclude test directories (test code often has intentional patterns
 # that trigger false positives like assert, subprocess in fixtures)
 exclude_dirs:
diff --git a/.github/workflows/security-scanners.yml b/.github/workflows/security-scanners.yml
@@ -223,10 +223,16 @@ jobs:
           pip install -r requirements.txt
           rm requirements.txt
           set +e
-          bandit -c .bandit -r scripts/aidlc-evaluator -ll -f sarif -o bandit-report_sarif.json
+          bandit -c .bandit -f sarif -o bandit-report_sarif.json
           BANDIT_EXIT=$?
           set -e
-          echo "exit_code=$BANDIT_EXIT" >> "$GITHUB_OUTPUT"
+          # Fail only if HIGH severity findings exist (level=error in SARIF)
+          HIGH_COUNT=$(jq '[.runs[0].results[] | select(.level == "error")] | length' bandit-report_sarif.json 2>/dev/null || echo 0)
+          if [ "$HIGH_COUNT" -gt 0 ]; then
+            echo "exit_code=1" >> "$GITHUB_OUTPUT"
+          else
+            echo "exit_code=0" >> "$GITHUB_OUTPUT"
+          fi
           exit 0
       - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: always()
