Feature/proxy uri #51
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Security Scan | |
| # yamllint disable=truthy | |
| on: | |
| push: | |
| branches: [main, feature/**, hotfix/**, release/**, bugfix/**, chore/**, refactor/**] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: '17 2 * * 1' | |
| workflow_dispatch: {} | |
| # yamllint enable=truthy | |
| permissions: | |
| contents: read | |
| security-events: write # For uploading SARIF results | |
| jobs: | |
| security: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| cache: 'pip' | |
| cache-dependency-path: requirements-dev.txt | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y python3-distutils python3-venv build-essential || true | |
| python -m pip install --upgrade pip | |
| pip install -r requirements-dev.txt | |
| pip install pip-audit | |
| - name: Bandit (JSON output) | |
| run: | | |
| python -m bandit -r src \ | |
| --severity-level medium \ | |
| --confidence-level medium \ | |
| -f json -o bandit-results.json || true | |
| - name: Convert Bandit JSON to SARIF | |
| run: | | |
| python - <<'PY' | |
| import json, sys, os | |
| j = 'bandit-results.json' | |
| s = 'bandit-results.sarif' | |
| if not os.path.exists(j) or os.path.getsize(j) == 0: | |
| print('No Bandit JSON results to convert; writing empty SARIF') | |
| open(s, 'w').write(json.dumps({"version": "2.1.0", "runs": []})) | |
| sys.exit(0) | |
| doc = json.load(open(j)) | |
| tool = { | |
| 'driver': { | |
| 'name': 'bandit', | |
| 'informationUri': 'https://bandit.readthedocs.io', | |
| 'rules': [], | |
| } | |
| } | |
| rules_index = {} | |
| results = [] | |
| for issue in doc.get('results', []): | |
| rule_id = issue.get('test_id', 'B000') | |
| if rule_id not in rules_index: | |
| rules_index[rule_id] = len(tool['driver']['rules']) | |
| tool['driver']['rules'].append({ | |
| 'id': rule_id, | |
| 'shortDescription': {'text': issue.get('test_name', '')}, | |
| 'fullDescription': {'text': issue.get('issue_text', '')}, | |
| 'properties': { | |
| 'severity': issue.get('issue_severity'), | |
| 'confidence': issue.get('issue_confidence'), | |
| }, | |
| }) | |
| if issue.get('issue_severity') == 'HIGH': | |
| level = 'error' | |
| elif issue.get('issue_severity') == 'MEDIUM': | |
| level = 'warning' | |
| else: | |
| level = 'note' | |
| res = { | |
| 'ruleId': rule_id, | |
| 'level': level, | |
| 'message': {'text': issue.get('issue_text')}, | |
| 'locations': [{ | |
| 'physicalLocation': { | |
| 'artifactLocation': {'uri': issue.get('filename')}, | |
| 'region': {'startLine': issue.get('line_number')} | |
| } | |
| }] | |
| } | |
| results.append(res) | |
| sarif = { | |
| 'version': '2.1.0', | |
| '$schema': 'https://json.schemastore.org/sarif-2.1.0.json', | |
| 'runs': [{'tool': tool, 'results': results}], | |
| } | |
| open(s, 'w').write(json.dumps(sarif, indent=2)) | |
| print('Wrote SARIF:', s) | |
| PY | |
| - name: Bandit (console) | |
| run: | | |
| python -m bandit -r src \ | |
| --severity-level medium \ | |
| --confidence-level medium || true | |
| - name: Upload Bandit SARIF results | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: bandit-results.sarif | |
| category: bandit | |
| - name: Pip Audit | |
| run: pip-audit -r requirements.txt -r requirements-dev.txt |