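name: 'Python Bandit Scan'
description: 'Bandit Scan'
branding:
  icon: arrow-left
  color: purple

# Every optional input except `path`, `level` and `confidence` uses the
# sentinel string 'DEFAULT' to mean "not supplied"; the run step only adds
# the matching bandit flag when the value is something else.
inputs:
  path:
    description: 'File or directory to run bandit on'
    required: false
    default: '.'
  level:
    description: 'Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)'
    required: false
    default: 'UNDEFINED'
  confidence:
    description: 'Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)'
    required: false
    default: 'UNDEFINED'
  excluded_paths:
    description: 'comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)'
    required: false
    default: 'DEFAULT'
  exit_zero:
    description: 'exit with 0, even with results found'
    required: false
    default: 'DEFAULT'
  skips:
    description: 'comma-separated list of test IDs to skip'
    required: false
    default: 'DEFAULT'
  ini_path:
    description: 'path to a .bandit file that supplies command line arguments'
    required: false
    default: 'DEFAULT'
  config_path:
    description: 'path to a YAML or TOML file that supplies command line arguments'
    required: false
    default: 'DEFAULT'
  GITHUB_TOKEN:
    # NOTE(review): declared required but not referenced by any step in this file.
    description: 'Github token of the repository (automatically created by Github)'
    required: true

runs:
  using: composite
  steps:
    - name: Install dependencies
      shell: bash
      # NOTE(review): versions are unpinned, so each run resolves the latest
      # release; pin them (e.g. bandit==<version>, bandit-sarif-formatter==<version>)
      # for reproducible scans.
      run: |
        pip install bandit bandit-sarif-formatter

    - name: Run Bandit scan
      shell: bash
      run: |
        # Bandit arguments are collected in an array so that every
        # user-supplied value reaches bandit as one unsplit word: paths with
        # spaces survive, and glob patterns such as '*.egg' in excluded_paths
        # are not expanded by the shell before bandit sees them.
        ARGS=(-f sarif -o results.sarif -r "$INPUT_PATH")

        # Severity threshold (-l / -ll / -lll), matched case-insensitively;
        # 'MID' is accepted as an alias of MEDIUM. Anything else, including
        # the default UNDEFINED, applies no severity filter.
        case "$(printf '%s' "$INPUT_LEVEL" | tr a-z A-Z)" in
          LOW) ARGS+=(-l) ;;
          MEDIUM|MID) ARGS+=(-ll) ;;
          HIGH) ARGS+=(-lll) ;;
          *) ;;
        esac

        # Confidence threshold (-i / -ii / -iii), same matching rules.
        case "$(printf '%s' "$INPUT_CONFIDENCE" | tr a-z A-Z)" in
          LOW) ARGS+=(-i) ;;
          MEDIUM|MID) ARGS+=(-ii) ;;
          HIGH) ARGS+=(-iii) ;;
          *) ;;
        esac

        # An empty value is treated like the 'DEFAULT' sentinel; otherwise a
        # bare '-x' would be emitted and would swallow the following argument.
        if [ -n "$INPUT_EXCLUDED_PATHS" ] && [ "$INPUT_EXCLUDED_PATHS" != "DEFAULT" ]; then
          ARGS+=(-x "$INPUT_EXCLUDED_PATHS")
        fi

        # exit_zero: the sentinel, an empty value or a false-like value keeps
        # bandit's normal exit status; any other value (e.g. 'true') requests
        # --exit-zero. Previously 'false' also enabled the flag.
        case "$(printf '%s' "$INPUT_EXIT_ZERO" | tr a-z A-Z)" in
          DEFAULT|""|FALSE|NO|OFF|0) ;;
          *) ARGS+=(--exit-zero) ;;
        esac

        if [ -n "$INPUT_SKIPS" ] && [ "$INPUT_SKIPS" != "DEFAULT" ]; then
          ARGS+=(-s "$INPUT_SKIPS")
        fi
        if [ -n "$INPUT_INI_PATH" ] && [ "$INPUT_INI_PATH" != "DEFAULT" ]; then
          ARGS+=(--ini "$INPUT_INI_PATH")
        fi
        if [ -n "$INPUT_CONFIG_PATH" ] && [ "$INPUT_CONFIG_PATH" != "DEFAULT" ]; then
          ARGS+=(-c "$INPUT_CONFIG_PATH")
        fi

        # With `shell: bash` GitHub runs this script with -e, so a non-zero
        # exit from bandit (findings present and exit_zero not set) fails the
        # step and the two upload steps below do not run.
        bandit "${ARGS[@]}"
      env:
        INPUT_PATH: ${{ inputs.path }}
        INPUT_LEVEL: ${{ inputs.level }}
        INPUT_CONFIDENCE: ${{ inputs.confidence }}
        INPUT_EXCLUDED_PATHS: ${{ inputs.excluded_paths }}
        INPUT_EXIT_ZERO: ${{ inputs.exit_zero }}
        INPUT_SKIPS: ${{ inputs.skips }}
        INPUT_INI_PATH: ${{ inputs.ini_path }}
        INPUT_CONFIG_PATH: ${{ inputs.config_path }}

    # NOTE(review): `@v4` / `@v3` are mutable tag references; pinning each
    # action to a full-length commit SHA hardens the supply chain.
    - name: Upload artifact
      uses: actions/upload-artifact@v4
      with:
        name: results.sarif
        path: results.sarif
        overwrite: true

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: results.sarif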