| 1 | +# =============================================================== |
| 2 | +# 🐍 Bandit - Python Static-Analysis Workflow |
| 3 | +# =============================================================== |
| 4 | +# |
| 5 | +# This workflow: |
| 6 | +# • Runs **Bandit** (PyCQA) against ONLY the `mcpgateway/` package |
| 7 | +# • Reports findings with **severity ≥ MEDIUM** and **confidence = HIGH** |
| 8 | +# • Uploads results as SARIF so they appear in the Security → Code scanning tab |
| 9 | +# • Executes on every push / PR to `main` + a weekly scheduled run |
| 10 | +# |
| 11 | +# References: |
| 12 | +# • Action: https://github.com/marketplace/actions/bandit-scan (ISC lic.) |
| 13 | +# • CLI: https://pypi.org/project/bandit/ (Apache-2.0) |
| 14 | +# --------------------------------------------------------------- |
| 15 | + |
| 16 | +name: Bandit |
| 17 | + |
| 18 | +on: |
| 19 | + push: |
| 20 | + branches: [ "main" ] |
| 21 | + pull_request: |
| 22 | + branches: [ "main" ] # must be a subset of the push branches |
| 23 | + schedule: |
| 24 | + - cron: '26 11 * * 6' # Saturday @ 11:26 UTC – catch new CVEs |
| 25 | + |
| 26 | +jobs: |
| 27 | + bandit: |
| 28 | + permissions: |
| 29 | + contents: read # required by actions/checkout |
| 30 | + security-events: write # upload SARIF to “Code scanning” |
| 31 | + actions: read # needed only for private repos |
| 32 | + |
| 33 | + runs-on: ubuntu-latest |
| 34 | + |
| 35 | + steps: |
| 36 | + # ----------------------------------------------------------- |
| 37 | + # 0️⃣ Check out the repository |
| 38 | + # ----------------------------------------------------------- |
| 39 | + - name: ⬇️ Checkout code |
| 40 | + uses: actions/checkout@v4 |
| 41 | + |
| 42 | + # ----------------------------------------------------------- |
| 43 | + # 1️⃣ Run Bandit with custom filters |
| 44 | + # ----------------------------------------------------------- |
| 45 | + - name: 🔍 Bandit scan (medium / high-conf) |
| 46 | + uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd |
| 47 | + with: |
| 48 | + # Fail **softly** so devs can triage before gating the build |
| 49 | + exit_zero: true |
| 50 | + |
| 51 | + # Built-in GitHub token (no extra secrets needed) |
| 52 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 53 | + |
| 54 | + # ──────────────── Customised CLI flags ──────────────── |
| 55 | + path: mcpgateway # recurse into package |
| 56 | + level: MEDIUM # MEDIUM and HIGH severities |
| 57 | + confidence: HIGH # HIGH-confidence findings only |
| 58 | + # excluded_paths: DEFAULT # inherit Bandit defaults |
| 59 | + # skips: DEFAULT # inherit Bandit defaults |
| 60 | + # ini_path: "" # not using a .bandit config |
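Review bot: The checkout step at file line 40 is pinned to the mutable tag `actions/checkout@v4`, while the Bandit action on line 46 is pinned to a full commit SHA; for a security workflow both should be pinned the same way, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` (SHA to be looked up, not invented). The cron comment on line 24, `catch new CVEs`, is misleading because Bandit is a static pattern analyzer and does not check dependencies against vulnerability databases; `# Saturday @ 11:26 UTC – pick up new Bandit rules` would be accurate. Since the `pull_request` trigger on line 21 is not restricted to same-repo branches, runs for pull requests from forks presumably get a read-only token and the SARIF upload that needs `security-events: write` may fail there; worth confirming and documenting next to the permissions block. With `exit_zero: true` on line 49 the job never fails on findings, so the uploaded SARIF is the only visible signal, which the existing comment should say explicitly.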