pyTooling/Actions
1
0
Fork 0
mirror of https://github.com/pyTooling/Actions.git synced 2026-02-16 21:16:56 +08:00
Code Issues Packages Projects Releases Wiki Activity

Publish Bandit report only if issues are found (avoid empty report).

Browse Source
This commit is contained in:
Patrick Lehmann
2025-09-23 18:06:51 +02:00
parent f684e67bca
commit 4d260bfdf5
2 changed files with 40 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
.github/workflows/CheckCodeQuality.yml vendored
View File

@@ -85,21 +85,56 @@ jobs:
run: python -m pip install --disable-pip-version-check bandit run: python -m pip install --disable-pip-version-check bandit
- name: 👮 Bandit - name: 👮 Bandit
id: bandit
if: inputs.artifact != '' if: inputs.artifact != ''
run: | run: |
mkdir -p report/bandit bandit_directory=report/bandit
bandit -c pyproject.toml -r ${{ inputs.package_directory }} -f xml -o report/bandit/report.xml bandit_fullpath=report/bandit/report.xml
- name: Debug tee "${GITHUB_OUTPUT}" <<EOF
bandit_directory=${bandit_directory}
bandit_fullpath=${bandit_fullpath}
EOF
mkdir -p ${bandit_directory}
bandit -c pyproject.toml -r ${{ inputs.package_directory }} -f xml -o ${bandit_fullpath}
- name: Check if report is empty (⇒ no issues found)
id: check
run: | run: |
cat report/bandit/report.xml set +e
ANSI_LIGHT_RED=$'\x1b[91m'
ANSI_LIGHT_GREEN=$'\x1b[92m'
ANSI_LIGHT_BLUE=$'\x1b[94m'
ANSI_NOCOLOR=$'\x1b[0m'
printf "Checking if bandit found problems ... "
if [[ $(grep -P '<testsuite\sname="bandit"\stests="0"\s/>' ${{ steps.bandit.outputs.bandit_fullpath }}) ]]; then
printf "${ANSI_LIGHT_GREEN}[OK]${ANSI_NOCOLOR}\n"
printf "bandit_passed=true\n" >> "${GITHUB_OUTPUT}"
else
faults=$(grep -Poh '(?<=<testsuite\sname="bandit"\stests=")(\d+)(?=">)' ${{ steps.bandit.outputs.bandit_fullpath }})
printf "${ANSI_LIGHT_RED}[ERROR]${ANSI_NOCOLOR}\n"
printf " ${ANSI_LIGHT_RED}Bandit found %s issues.${ANSI_NOCOLOR}\n" "${faults}"
printf "::error title=%s::%s\n" "🚨 Security Scanning (Bandit)" "Bandi found ${faults} issues."
printf "bandit_passed=false\n" >> "${GITHUB_OUTPUT}"
printf "::group::${ANSI_LIGHT_BLUE}JUnit XML report created by Bandit ...${ANSI_NOCOLOR}\n"
cat ${{ steps.bandit.outputs.bandit_fullpath }}
printf "::endgroup::\n"
fi
- name: 📊 Publish Bandit Results - name: 📊 Publish Bandit Results
uses: dorny/test-reporter@v2 uses: dorny/test-reporter@v2
if: steps.check.outputs.bandit_passed == 'false'
continue-on-error: true continue-on-error: true
with: with:
name: 'Bandit Results' name: 'Bandit Results'
path: 'report/bandit/report.xml' path: ${{ steps.bandit.outputs.bandit_fullpath }}
reporter: java-junit reporter: java-junit
Radon: Radon:

74
.github/workflows/StaticApplicationSecurityTesting.yml vendored
View File

@@ -1,74 +0,0 @@
# ==================================================================================================================== #
# Authors: #
# Patrick Lehmann #
# #
# ==================================================================================================================== #
# Copyright 2025-2025 The pyTooling Authors #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); #
# you may not use this file except in compliance with the License. #
# You may obtain a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
# #
# SPDX-License-Identifier: Apache-2.0 #
# ==================================================================================================================== #
name: Security Testing (SAST)
on:
workflow_call:
inputs:
ubuntu_image_version:
description: 'Ubuntu image version.'
required: false
default: '24.04'
type: string
python_version:
description: 'Python version.'
required: false
default: '3.13'
type: string
# requirements:
# description: 'Python dependencies to be installed through pip.'
# required: false
# default: 'bandit'
# type: string
package_directory:
description: '.'
required: true
type: string
artifact:
description: 'Name of the package artifact.'
required: true
type: string
jobs:
Bandit:
name: 🚨 Security Scanning
runs-on: "ubuntu-${{ inputs.ubuntu_image_version }}"
steps:
- name: ⏬ Checkout repository
uses: actions/checkout@v5
with:
lfs: true
submodules: true
- name: 🐍 Setup Python ${{ inputs.python_version }}
uses: actions/setup-python@v6
with:
python-version: ${{ inputs.python_version }}
- name: ⚙ Install dependencies for packaging and release
run: python -m pip install --disable-pip-version-check bandit
- name: 👮 Bandit
if: inputs.artifact != ''
run: |
bandit -c pyproject.toml -r ${{ inputs.package_directory }} -f xml -o report/bandit/report.xml