added bandit config

Signed-off-by: Barabanov <[email protected]>

Author: AlexanderBarabanov

.github/workflows/security-scan.yml

@@ -0,0 +1,83 @@
+name: Security Scans
+
+on:
+  schedule:
+    # Run security checks every day at 2 AM UTC
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+      - release**
+
+permissions: {}
+
+jobs:
+  zizmor-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write # Needed to upload the results to code-scanning dashboard
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Run Zizmor scan
+        uses: open-edge-platform/anomalib/.github/actions/security/zizmor@f60dd31a53407496508aa2db3165c8e8cd121a14
+        with:
+          scan-scope: "all"
+          severity-level: "LOW"
+          confidence-level: "LOW"
+          fail-on-findings: false # reports only
+
+  bandit-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write # Needed to upload the results to code-scanning dashboard
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Run Bandit scan
+        uses: open-edge-platform/anomalib/.github/actions/security/bandit@f60dd31a53407496508aa2db3165c8e8cd121a14
+        with:
+          scan-scope: "all"
+          severity-level: "LOW"
+          confidence-level: "LOW"
+          config_file: "src/python/pyproject.toml"
+          fail-on-findings: false # reports only
+
+  trivy-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write # Needed to upload the results to code-scanning dashboard
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.10"
+      - name: Install pip-tools
+        run: python -m pip install pip-tools
+
+      - name: Freeze dependencies
+        run: pip-compile --extra=full -o requirements.txt src/python/pyproject.toml
+
+      - name: Run Trivy scan
+        id: trivy
+        uses: open-edge-platform/anomalib/.github/actions/security/trivy@f60dd31a53407496508aa2db3165c8e8cd121a14
+        with:
+          scan_type: "fs"
+          scan-scope: all
+          severity: LOW
+          scanners: "vuln,secret,config"
+          format: "sarif"
+          timeout: "15m"
+          ignore_unfixed: "false"

.pre-commit-config.yaml

@@ -52,4 +52,4 @@ repos:
     rev: v1.9.0
     hooks:
       - id: zizmor
-        args: ["--min-severity", "low", "--min-confidence", "low"]
+        args: ["--min-severity", "medium", "--min-confidence", "high"]

src/python/pyproject.toml

@@ -248,3 +248,7 @@ notice-rgx = """
 # Copyright \\(C\\) (\\d{4}(-\\d{4})?) Intel Corporation
 # SPDX-License-Identifier: Apache-2\\.0
 """
+[tool.bandit]
+exclude_dirs = ["tests"]
+tests = ["B301","B302","B303","B304","B305","B306","B308","B310","B311","B312","B313","B314","B315","B316","B317","B318","B319","B321","B323","B324","B401","B402","B403","B404","B405","B406","B407","B408","B409","B411","B412","B413"]
+skips = ["B101","B102","B103","B104","B105","B106","B107","B108","B110","B112","B201","B501","B502","B503","B504","B505","B506","B507","B601","B602","B603","B604","B605","B606","B607","B608","B609","B610","B611","B701","B702","B703"]