Security/applying security recommendations #25
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Bandit | |
| on: | |
| workflow_dispatch: { } | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| jobs: | |
| analyze: | |
| runs-on: 'ubuntu-latest' | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 | |
| with: | |
| egress-policy: audit | |
| - name: Set up Python 3.9 | |
| uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 | |
| with: | |
| python-version: 3.9 | |
| - name: Install Dependencies | |
| shell: bash | |
| run: pip install -r requirements.txt | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| token: ${{ secrets.RELEASE_TOKEN }} | |
| persist-credentials: false | |
| - name: Run Bandit - Generate SARIF report and check for HIGH severity issues | |
| id: high_severity_check | |
| shell: bash | |
| run: | | |
| # Run Bandit to generate SARIF report | |
| bandit . -r -c ipas_default.config -f sarif -o results.sarif || true | |
| # Check the SARIF report for high severity issues | |
| if grep -q '"SEVERITY.HIGH": [1-9]' results.sarif; then | |
| echo "HIGH severity issues found! Workflow will fail after reporting." | |
| echo "high_severity_issues=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "No HIGH severity issues found!" | |
| fi | |
| - name: Upload SARIF results | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: bandit-results | |
| path: results.sarif | |
| - name: Upload SARIF to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0 | |
| with: | |
| sarif_file: results.sarif | |
| category: bandit | |
| - name: Fail workflow if HIGH severity issues were found | |
| if: steps.high_severity_check.outputs.high_severity_issues == 'true' | |
| shell: bash | |
| run: | | |
| echo "ERROR: HIGH severity security issues were found by Bandit." | |
| echo "Review the security report and fix all HIGH severity issues before merging." | |
| exit 1 |