LCORE-595: Fix bandit GH actions - use GH actions from PyQCA#38

Merged
tisnik merged 1 commit into lightspeed-core:main from matysek:lcore-595
Aug 29, 2025
Conversation

@matysek matysek commented Aug 26, 2025

Description

LCORE-595: Fix bandit GH actions - use GH actions from PyQCA

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Related Tickets & Documents

  • Related Issue #
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Updated security scanning workflow to use the official Bandit action.
    • Adjusted configuration to scan specified targets and report findings more strictly.
    • Removed lenient exit behavior so the pipeline fails on detected issues.
    • Granted necessary permissions to publish security findings and read workflow context.

coderabbitai bot commented Aug 26, 2025

Walkthrough

Updates the Bandit GitHub Actions workflow: switches action to PyCQA/bandit-action@v1, changes input key from path to targets, removes exit_zero, and adds permissions for security-events: write and actions: read.

Changes

Cohort / File(s): Security scanning workflow, .github/workflows/bandit.yaml

Summary:
- Change action: mdegis/bandit-action@v1.1 → PyCQA/bandit-action@v1
- Update inputs: path: "src" → targets: "src"
- Remove exit_zero: true
- Add permissions: security-events: write, actions: read

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as GitHub Actions Runner
  participant Bandit as PyCQA/bandit-action@v1
  participant GHAct as GitHub Actions API (read)
  participant Sec as GitHub Code Scanning (security-events:write)

  Dev->>Bandit: Run bandit with targets="src"
  Bandit->>GHAct: Read workflow/context (actions:read)
  Bandit->>Bandit: Analyze source and produce SARIF
  Bandit->>Sec: Upload SARIF (security-events:write)
  Note over Sec,Dev: Results available in Code Scanning alerts

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • tisnik

Poem

A hop, a skip, to scan we go,
New Bandit burrows, targets show.
No exit-zero, truth revealed—
SARIF seeds in safety field.
With perms in paw, I flick my ear—
“Security-events: write”—all clear! 🐇✨

@github-advanced-security
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/bandit.yaml (1)

15-19: Bandit likely runs against an empty workspace — missing actions/checkout and no SARIF upload.

Without checking out the repo, the action won’t see your source. Also, you granted security-events: write but don’t upload SARIF to Code Scanning. Add checkout and an upload-sarif step, and configure Bandit to emit SARIF.

Apply this diff:

     steps:
-      - uses: PyCQA/bandit-action@v1
-        with:
-          targets: "src"
+      - uses: actions/checkout@v4
+      - name: Run Bandit and generate SARIF
+        uses: PyCQA/bandit-action@v1
+        with:
+          targets: "src"
+          options: "-f sarif -o bandit.sarif -q"
+      - name: Upload Bandit SARIF to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: bandit.sarif
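Review bot: the upload step in this hunk never runs on the case it exists for. With exit_zero gone, a Bandit finding makes the "Run Bandit and generate SARIF" step exit non-zero, the job stops there, and "Upload Bandit SARIF to GitHub Code Scanning" is skipped, so the findings that failed the job never reach Code Scanning. Give the upload step `if: always()` (or `if: success() || failure()`). Before adding the step at all, check the pinned action's action.yml for two things the hunk assumes: that `options` is an accepted input (the Notes below already hedge on this), and whether the action performs its own SARIF upload, since the permissions this PR grants (security-events: write, actions: read) are exactly what an upload needs and a second upload-sarif step would then be redundant.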

Notes:

  • options passes through to Bandit CLI. If you prefer action-native inputs (format/output) and they’re supported by your pinned version, switch to those instead.
  • Remove -q if you want console logs in CI.
🧹 Nitpick comments (3)
.github/workflows/bandit.yaml (3)

11-12: Permissions look good only if you upload SARIF; otherwise drop security-events: write.

Principle of least privilege: keep security-events: write only when an upload step is present.

If you decide not to upload SARIF, trim the permission:

     permissions:
-      security-events: write
-      actions: read
+      actions: read
       contents: read
       pull-requests: read
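Review bot: this hunk and the checkout/upload-sarif suggestion above are mutually exclusive, and applying both leaves upload-sarif without the `security-events: write` it needs, so the upload is rejected. Pick one outcome: keep the permission if any step in the job, the action itself or an explicit upload step, sends SARIF to Code Scanning; drop it only when no upload happens anywhere. `actions: read` should follow the same decision, since the walkthrough's sequence diagram ties it to the same upload path and nothing else in the job reads workflow context.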

16-16: Pin the action to a commit SHA for supply-chain safety.

Tags like @v1 can be retagged. Pin to a specific commit and update on a schedule.

Apply this diff (replace with the latest for v1):

-      - uses: PyCQA/bandit-action@v1
+      - uses: PyCQA/bandit-action@<commit-sha>
+        # TODO: periodically refresh the pinned SHA
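Review bot: `<commit-sha>` is a placeholder, so the hunk cannot be applied as written; resolve the v1 tag to the full 40-character commit SHA and keep the tag as a trailing comment on the same line (`uses: PyCQA/bandit-action@<commit-sha>  # v1`) so Dependabot or Renovate can still recognise and bump the pin, which makes the `# TODO: periodically refresh the pinned SHA` comment unnecessary. Pin actions/checkout@v4 and github/codeql-action/upload-sarif@v3 the same way if the earlier suggestion is taken; pinning only Bandit leaves the other two tags just as retaggable.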

To find the current commit for v1, check the action’s releases/tags and resolve to a commit.


16-18: Pipeline will now fail on Bandit findings — confirm this is intentional and set severity threshold if needed.

You removed exit_zero behavior. If you want to fail only on high-severity issues, pass a stricter level to Bandit.

Minimal tweak:

-          options: "-f sarif -o bandit.sarif -q"
+          options: "-lll -f sarif -o bandit.sarif -q"
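Review bot: the `-` line of this hunk (`options: "-f sarif -o bandit.sarif -q"`) is not in the PR's diff; it exists only after the first suggestion has been applied, so this change cannot be applied on its own. Two points on the flag itself: in Bandit's CLI `-l`/`-ll`/`-lll` raise only the minimum severity, and confidence is a separate flag (`-i`/`-ii`/`-iii`), so HIGH severity with HIGH confidence needs `-lll -iii`; and the level flags filter the report, not just the exit code, so lower-severity findings disappear from the SARIF entirely rather than becoming non-blocking. State that trade-off in the workflow comment if the threshold is adopted.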

-lll reports only High severity with High confidence; adjust per your policy.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 2cf406f and 2bacca8.

📒 Files selected for processing (1)
  • .github/workflows/bandit.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build-and-push-dev
  • GitHub Check: Pylinter
🔇 Additional comments (1)
.github/workflows/bandit.yaml (1)

18-18: Bandit scan target path verified

  • The src directory exists at the repository root.
  • It contains 8 Python files, so targets: "src" is correctly configured.

No further changes are needed.
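The workflow as it would look with the review's points folded together (a checkout before the scan, SARIF generation and upload, an upload step that still runs when the scan fails, pinned actions, least-privilege permissions), as an added example that is not the PR's bandit.yaml. It runs Bandit from its own CLI rather than through PyCQA/bandit-action so that every flag is documented Bandit behaviour; the `<commit-sha>` placeholders and the Python version are assumptions to be replaced with values resolved from each action's tag.

```yaml
# Added example, not the PR's .github/workflows/bandit.yaml.
# <commit-sha> placeholders and the Python version are assumptions.
name: Bandit

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: contents to check out the code, security-events to upload
# SARIF, actions so upload-sarif can read the workflow run context.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      # Without a checkout the scanner sees an empty workspace.
      # Pinned SHA; the trailing tag comment lets Dependabot/Renovate bump it.
      - uses: actions/checkout@<commit-sha>  # v4

      - uses: actions/setup-python@<commit-sha>  # v5
        with:
          python-version: "3.12"  # assumed; match the project's interpreter

      # Bandit CLI flags: -r recurses into src, -f/-o write SARIF,
      # -lll keeps only HIGH severity, -iii keeps only HIGH confidence.
      # No exit_zero: any finding above the threshold fails this step.
      - name: Run Bandit and generate SARIF
        run: |
          python -m pip install "bandit[sarif]"
          bandit -r src -lll -iii -f sarif -o bandit.sarif

      # Upload even when the scan step failed; otherwise the findings that
      # caused the failure never reach the Code Scanning alerts.
      - name: Upload Bandit SARIF to GitHub Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@<commit-sha>  # v3
        with:
          sarif_file: bandit.sarif
```

Drop `-lll -iii` to fail on every finding as the merged PR does; the level and confidence flags filter what Bandit writes to the SARIF, so a threshold also removes lower-rated findings from the Code Scanning view, not only from the pass/fail gate.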


@eranco74 eranco74 left a comment


/lgtm


@tisnik tisnik left a comment


LGTM

@tisnik tisnik merged commit 275a28c into lightspeed-core:main Aug 29, 2025
14 checks passed