Publish Bandit report only if issues are found (avoid empty report).

2026-02-15 04:26:55 +08:00 · 2025-09-23 18:06:51 +02:00
parent f684e67bca
commit 4d260bfdf5
2 changed files with 40 additions and 79 deletions
--- a/.github/workflows/CheckCodeQuality.yml
+++ b/.github/workflows/CheckCodeQuality.yml
@@ -85,21 +85,56 @@ jobs:
        run: python -m pip install --disable-pip-version-check bandit

      - name: 👮 Bandit
+        id: bandit
        if: inputs.artifact != ''
        run: |
-          mkdir -p report/bandit
-          bandit -c pyproject.toml -r ${{ inputs.package_directory }} -f xml -o report/bandit/report.xml
+          bandit_directory=report/bandit
+          bandit_fullpath=report/bandit/report.xml

-      - name: Debug
+          tee "${GITHUB_OUTPUT}" <<EOF
+          bandit_directory=${bandit_directory}
+          bandit_fullpath=${bandit_fullpath}
+          EOF
+
+          mkdir -p ${bandit_directory}
+          bandit -c pyproject.toml -r ${{ inputs.package_directory }} -f xml -o ${bandit_fullpath}
+
+      - name: Check if report is empty (⇒ no issues found)
+        id: check
        run: |
-          cat report/bandit/report.xml
+          set +e
+
+          ANSI_LIGHT_RED=$'\x1b[91m'
+          ANSI_LIGHT_GREEN=$'\x1b[92m'
+          ANSI_LIGHT_BLUE=$'\x1b[94m'
+          ANSI_NOCOLOR=$'\x1b[0m'
+
+          printf "Checking if bandit found problems ... "
+          if [[ $(grep -P '<testsuite\sname="bandit"\stests="0"\s/>' ${{ steps.bandit.outputs.bandit_fullpath }}) ]]; then
+            printf "${ANSI_LIGHT_GREEN}[OK]${ANSI_NOCOLOR}\n"
+
+            printf "bandit_passed=true\n" >> "${GITHUB_OUTPUT}"
+          else
+            faults=$(grep -Poh '(?<=<testsuite\sname="bandit"\stests=")(\d+)(?=">)' ${{ steps.bandit.outputs.bandit_fullpath }})
+
+            printf "${ANSI_LIGHT_RED}[ERROR]${ANSI_NOCOLOR}\n"
+            printf "  ${ANSI_LIGHT_RED}Bandit found %s issues.${ANSI_NOCOLOR}\n" "${faults}"
+            printf "::error title=%s::%s\n" "🚨 Security Scanning (Bandit)" "Bandi found ${faults} issues."
+
+            printf "bandit_passed=false\n" >> "${GITHUB_OUTPUT}"
+
+            printf "::group::${ANSI_LIGHT_BLUE}JUnit XML report created by Bandit ...${ANSI_NOCOLOR}\n"
+            cat ${{ steps.bandit.outputs.bandit_fullpath }}
+            printf "::endgroup::\n"
+          fi

      - name: 📊 Publish Bandit Results
        uses: dorny/test-reporter@v2
+        if: steps.check.outputs.bandit_passed == 'false'
        continue-on-error: true
        with:
          name:     'Bandit Results'
-          path:     'report/bandit/report.xml'
+          path:     ${{ steps.bandit.outputs.bandit_fullpath }}
          reporter: java-junit

  Radon: