diff --git a/.github/workflows/CheckCodeQuality.yml b/.github/workflows/CheckCodeQuality.yml
index 13af447..b2ad096 100644
--- a/.github/workflows/CheckCodeQuality.yml
+++ b/.github/workflows/CheckCodeQuality.yml
@@ -85,21 +85,56 @@ jobs:
run: python -m pip install --disable-pip-version-check bandit
- name: 👮 Bandit
+ id: bandit
if: inputs.artifact != ''
run: |
- mkdir -p report/bandit
- bandit -c pyproject.toml -r ${{ inputs.package_directory }} -f xml -o report/bandit/report.xml
+ bandit_directory=report/bandit
+ bandit_fullpath=report/bandit/report.xml
- - name: Debug
+ tee "${GITHUB_OUTPUT}" <' ${{ steps.bandit.outputs.bandit_fullpath }}) ]]; then
+ printf "${ANSI_LIGHT_GREEN}[OK]${ANSI_NOCOLOR}\n"
+
+ printf "bandit_passed=true\n" >> "${GITHUB_OUTPUT}"
+ else
+ faults=$(grep -Poh '(?<=)' ${{ steps.bandit.outputs.bandit_fullpath }})
+
+ printf "${ANSI_LIGHT_RED}[ERROR]${ANSI_NOCOLOR}\n"
+ printf " ${ANSI_LIGHT_RED}Bandit found %s issues.${ANSI_NOCOLOR}\n" "${faults}"
+ printf "::error title=%s::%s\n" "🚨 Security Scanning (Bandit)" "Bandi found ${faults} issues."
+
+ printf "bandit_passed=false\n" >> "${GITHUB_OUTPUT}"
+
+ printf "::group::${ANSI_LIGHT_BLUE}JUnit XML report created by Bandit ...${ANSI_NOCOLOR}\n"
+ cat ${{ steps.bandit.outputs.bandit_fullpath }}
+ printf "::endgroup::\n"
+ fi
- name: 📊 Publish Bandit Results
uses: dorny/test-reporter@v2
+ if: steps.check.outputs.bandit_passed == 'false'
continue-on-error: true
with:
name: 'Bandit Results'
- path: 'report/bandit/report.xml'
+ path: ${{ steps.bandit.outputs.bandit_fullpath }}
reporter: java-junit
Radon:
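Review bot: The `else` branch of the new check step writes `bandit_passed=false` and emits a `::error` annotation, but never exits non-zero, so a scan with findings leaves the job green unless a later step consumes that output; the removed invocation relied on Bandit's own exit status to fail the step. Adding `exit 1` after `printf "::endgroup::\n"` (or failing in a final step keyed on `steps.check.outputs.bandit_passed`) restores a failing job when issues are reported. The annotation text in the `::error` line also misspells the tool; it should read `"Bandit found ${faults} issues."`. The `id: check` line and the new bandit invocation fall in a part of the hunk that is not legible here, and the Bandit job begins before the hunk, so whether Bandit's exit status is already suppressed there cannot be confirmed from these lines; if `faults` can be empty (the grep finds no match), the messages will print a blank count, so a fallback such as `faults="${faults:-unknown}"` before the printf calls would keep the annotation meaningful.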
diff --git a/.github/workflows/StaticApplicationSecurityTesting.yml b/.github/workflows/StaticApplicationSecurityTesting.yml
deleted file mode 100644
index 4479b53..0000000
--- a/.github/workflows/StaticApplicationSecurityTesting.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-# ==================================================================================================================== #
-# Authors: #
-# Patrick Lehmann #
-# #
-# ==================================================================================================================== #
-# Copyright 2025-2025 The pyTooling Authors #
-# #
-# Licensed under the Apache License, Version 2.0 (the "License"); #
-# you may not use this file except in compliance with the License. #
-# You may obtain a copy of the License at #
-# #
-# http://www.apache.org/licenses/LICENSE-2.0 #
-# #
-# Unless required by applicable law or agreed to in writing, software #
-# distributed under the License is distributed on an "AS IS" BASIS, #
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
-# See the License for the specific language governing permissions and #
-# limitations under the License. #
-# #
-# SPDX-License-Identifier: Apache-2.0 #
-# ==================================================================================================================== #
-name: Security Testing (SAST)
-
-on:
- workflow_call:
- inputs:
- ubuntu_image_version:
- description: 'Ubuntu image version.'
- required: false
- default: '24.04'
- type: string
- python_version:
- description: 'Python version.'
- required: false
- default: '3.13'
- type: string
-# requirements:
-# description: 'Python dependencies to be installed through pip.'
-# required: false
-# default: 'bandit'
-# type: string
- package_directory:
- description: '.'
- required: true
- type: string
- artifact:
- description: 'Name of the package artifact.'
- required: true
- type: string
-
-jobs:
- Bandit:
- name: 🚨 Security Scanning
- runs-on: "ubuntu-${{ inputs.ubuntu_image_version }}"
-
- steps:
- - name: ⏬ Checkout repository
- uses: actions/checkout@v5
- with:
- lfs: true
- submodules: true
-
- - name: 🐍 Setup Python ${{ inputs.python_version }}
- uses: actions/setup-python@v6
- with:
- python-version: ${{ inputs.python_version }}
-
- - name: ⚙ Install dependencies for packaging and release
- run: python -m pip install --disable-pip-version-check bandit
-
- - name: 👮 Bandit
- if: inputs.artifact != ''
- run: |
- bandit -c pyproject.toml -r ${{ inputs.package_directory }} -f xml -o report/bandit/report.xml