
Commit c083ddd

Initial commit
1 parent 92d7c34 commit c083ddd


4 files changed

+204
-20
lines changed


.gitignore

Whitespace-only changes.

LICENSE

Lines changed: 12 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -1,21 +1,15 @@
1-
MIT License
1+
ISC License
22

3-
Copyright (c) 2022 shundor
3+
Copyright (c) 2022, Abir Majumdar <[email protected]> (https://github.com/abirismyname)
44

5-
Permission is hereby granted, free of charge, to any person obtaining a copy
6-
of this software and associated documentation files (the "Software"), to deal
7-
in the Software without restriction, including without limitation the rights
8-
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9-
copies of the Software, and to permit persons to whom the Software is
10-
furnished to do so, subject to the following conditions:
5+
Permission to use, copy, modify, and/or distribute this software for any
6+
purpose with or without fee is hereby granted, provided that the above
7+
copyright notice and this permission notice appear in all copies.
118

12-
The above copyright notice and this permission notice shall be included in all
13-
copies or substantial portions of the Software.
14-
15-
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16-
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17-
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18-
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19-
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20-
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21-
SOFTWARE.
9+
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10+
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11+
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12+
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13+
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14+
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15+
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
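Review bot: the commit message "Initial commit" says nothing about this hunk replacing the MIT license (copyright shundor) with an ISC license under a different copyright holder, and the README added in the same commit credits mdegis/bandit-action as the basis of this action. The removed MIT text requires that "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software", so either confirm in the commit message that the upstream terms permit the relicensing or keep the original notice alongside the new one.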

README.md

Lines changed: 69 additions & 2 deletions
@@ -1,2 +1,69 @@
1-
# python-bandit-sarif
2-
GitHub Action for Bandit SAST
1+
# Bandit Scan
2+
3+
Run Python [Bandit](https://github.com/PyCQA/bandit) scan on your codebase.
4+
5+
## About
6+
7+
Bandit is a tool designed to find common security issues in Python code. This action will run Bandit on your codebase. The results of the scan will be found under the Security tab of your repository.
8+
9+
## Usage
10+
11+
To run a bandit scan include a step like this:
12+
13+
```yaml
14+
uses: shundor/bandit-action@v1
15+
with:
16+
path: "."
17+
level: high
18+
confidence: high
19+
exit_zero: true
20+
```
21+
22+
## Inputs
23+
24+
### `path`
25+
26+
**Optional** The path to run bandit on
27+
28+
**Default** `"."`
29+
30+
### `level`
31+
32+
**Optional** Report only issues of a given severity level or higher.
33+
Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything).
34+
35+
**Default** `"UNDEFINED"`
36+
37+
### `confidence`
38+
39+
**Optional** Report only issues of a given confidence level or higher.
40+
Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything).
41+
42+
**Default** `"UNDEFINED"`
43+
44+
### `excluded_paths`
45+
46+
**Optional** Comma-separated list of paths (glob patterns supported) to exclude from scan
47+
(note that these are in addition to the excluded paths provided in the config file) (default is from the Bandit itself)
48+
49+
**Default** `".svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg"`
50+
51+
### `exit_zero`
52+
53+
**Optional** Exit with 0, even with results found (set `"true"` to use it)
54+
55+
### `skips`
56+
57+
**Optional** Comma-separated list of test IDs to skip
58+
59+
### `ini_path`
60+
61+
**Optional** Path to a .bandit file that supplies command line arguments
62+
63+
## Outputs
64+
65+
The action will create an artifact containing the sarif output.
66+
67+
## Credits
68+
69+
- :bow: This action is based on [bandit-action](https://github.com/mdegis/bandit-action) by [Melih Değiş](https://github.com/mdegis/).
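Review bot: the usage example and the Inputs section leave out what the action needs for the "Security tab" result the About section promises: the SARIF upload via github/codeql-action/upload-sarif in action.yml requires `security-events: write` in the job's `permissions`, and action.yml in this same commit declares a `GITHUB_TOKEN` input with `required: true` that the example never passes and the Inputs list never documents. Add a `permissions:` block to the example, and either document `GITHUB_TOKEN` or drop it from action.yml, since no step reads it. The `exit_zero` entry tells users to set `"true"`, which is stricter than what action.yml actually checks (any value other than `DEFAULT`); the two should be aligned so that `exit_zero: false` does what the README implies.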

action.yml

Lines changed: 123 additions & 0 deletions
@@ -0,0 +1,123 @@
1+
name: 'Bandit Scan'
2+
description: 'Bandit Scan'
3+
inputs:
4+
path:
5+
description: 'File or directory to run bandit on'
6+
required: false
7+
default: '.'
8+
level:
9+
description: 'Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)'
10+
required: false
11+
default: 'UNDEFINED'
12+
confidence:
13+
description: 'Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)'
14+
required: false
15+
default: 'UNDEFINED'
16+
excluded_paths:
17+
description: 'comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)'
18+
required: false
19+
default: 'DEFAULT'
20+
exit_zero:
21+
description: 'exit with 0, even with results found'
22+
required: false
23+
default: 'DEFAULT'
24+
skips:
25+
description: 'comma-separated list of test IDs to skip'
26+
required: false
27+
default: 'DEFAULT'
28+
ini_path:
29+
description: 'path to a .bandit file that supplies command line arguments'
30+
required: false
31+
default: 'DEFAULT'
32+
GITHUB_TOKEN:
33+
description: 'Github token of the repository (automatically created by Github)'
34+
required: true
35+
36+
runs:
37+
using: composite
38+
steps:
39+
- name: Install dependencies
40+
shell: bash
41+
run: |
42+
pip install bandit bandit-sarif-formatter
43+
44+
- name: Run Bandit scan
45+
shell: bash
46+
run: |
47+
UPPERCASE_LEVEL=$(echo $INPUT_LEVEL | tr a-z A-Z)
48+
case $UPPERCASE_LEVEL in
49+
LOW)
50+
LEVEL="-l"
51+
;;
52+
MEDIUM | MID)
53+
LEVEL="-ll"
54+
;;
55+
HIGH)
56+
LEVEL="-lll"
57+
;;
58+
*)
59+
LEVEL=""
60+
;;
61+
esac
62+
63+
UPPERCASE_CONFIDENCE=$(echo $INPUT_CONFIDENCE | tr a-z A-Z)
64+
case $UPPERCASE_CONFIDENCE in
65+
LOW)
66+
CONFIDENCE="-i"
67+
;;
68+
MEDIUM | MID)
69+
CONFIDENCE="-ii"
70+
;;
71+
HIGH)
72+
CONFIDENCE="-iii"
73+
;;
74+
*)
75+
CONFIDENCE=""
76+
;;
77+
esac
78+
79+
if [ "$INPUT_EXCLUDED_PATHS" == "DEFAULT" ]; then
80+
EXCLUDED_PATHS=""
81+
else
82+
EXCLUDED_PATHS="-x $INPUT_EXCLUDED_PATHS"
83+
fi
84+
85+
if [ "$INPUT_EXIT_ZERO" == "DEFAULT" ]; then
86+
EXIT_ZERO=""
87+
else
88+
EXIT_ZERO="--exit-zero"
89+
fi
90+
91+
if [ "$INPUT_SKIPS" == "DEFAULT" ]; then
92+
SKIPS=""
93+
else
94+
SKIPS="-s $INPUT_SKIPS"
95+
fi
96+
97+
if [ "$INPUT_INI_PATH" == "DEFAULT" ]; then
98+
INI_PATH=""
99+
else
100+
INI_PATH="--ini $INPUT_INI_PATH"
101+
fi
102+
bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH
103+
env:
104+
INPUT_PATH: ${{ inputs.path }}
105+
INPUT_LEVEL: ${{ inputs.level }}
106+
INPUT_CONFIDENCE: ${{ inputs.confidence }}
107+
INPUT_EXCLUDED_PATHS: ${{ inputs.excluded_paths }}
108+
INPUT_EXIT_ZERO: ${{ inputs.exit_zero }}
109+
INPUT_SKIPS: ${{ inputs.skips }}
110+
INPUT_INI_PATH: ${{ inputs.ini_path }}
111+
112+
- name: Upload artifact
113+
uses: actions/upload-artifact@main
114+
with:
115+
name: results.sarif
116+
path: results.sarif
117+
118+
- name: Upload SARIF file
119+
uses: github/codeql-action/upload-sarif@v2
120+
with:
121+
sarif_file: results.sarif
122+
123+
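Review bot: the `exit_zero` check (`if [ "$INPUT_EXIT_ZERO" == "DEFAULT" ]`) enables `--exit-zero` for every value except the literal `DEFAULT`, so `exit_zero: false` silently makes the scan never fail the job; compare against the documented value instead, e.g. `if [ "$INPUT_EXIT_ZERO" == "true" ]; then`. The final `bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL ...` line relies on unquoted expansion so that empty options disappear, but that also word-splits and glob-expands user input: an `excluded_paths` value such as `tests/*` is expanded by bash before Bandit sees it, which undercuts the "glob patterns supported" description, and a `path` containing a space breaks apart. Building an argument array (`ARGS+=(-x "$INPUT_EXCLUDED_PATHS")`) and calling `bandit "${ARGS[@]}"` keeps empties out without losing quoting. Two supply-chain points: `pip install bandit bandit-sarif-formatter` is unpinned and `actions/upload-artifact@main` tracks a floating branch, so both should be pinned to a version or commit SHA for reproducible, reviewable scans. Finally, `GITHUB_TOKEN` is declared `required: true` but no step uses it.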
