mirror of
https://github.com/pyTooling/Actions.git
synced 2026-02-12 02:56:56 +08:00
Publish Bandit report only if issues are found (avoid empty report).
This commit is contained in:
Patrick Lehmann
45
.github/workflows/CheckCodeQuality.yml
vendored
45
.github/workflows/CheckCodeQuality.yml
vendored
@@ -85,21 +85,56 @@ jobs:
|
||||
run: python -m pip install --disable-pip-version-check bandit
|
||||
|
||||
- name: 👮 Bandit
|
||||
id: bandit
|
||||
if: inputs.artifact != ''
|
||||
run: |
|
||||
mkdir -p report/bandit
|
||||
bandit -c pyproject.toml -r ${{ inputs.package_directory }} -f xml -o report/bandit/report.xml
|
||||
bandit_directory=report/bandit
|
||||
bandit_fullpath=report/bandit/report.xml
|
||||
|
||||
- name: Debug
|
||||
tee "${GITHUB_OUTPUT}" <<EOF
|
||||
bandit_directory=${bandit_directory}
|
||||
bandit_fullpath=${bandit_fullpath}
|
||||
EOF
|
||||
|
||||
mkdir -p ${bandit_directory}
|
||||
bandit -c pyproject.toml -r ${{ inputs.package_directory }} -f xml -o ${bandit_fullpath}
|
||||
|
||||
- name: Check if report is empty (⇒ no issues found)
|
||||
id: check
|
||||
run: |
|
||||
cat report/bandit/report.xml
|
||||
set +e
|
||||
|
||||
ANSI_LIGHT_RED=$'\x1b[91m'
|
||||
ANSI_LIGHT_GREEN=$'\x1b[92m'
|
||||
ANSI_LIGHT_BLUE=$'\x1b[94m'
|
||||
ANSI_NOCOLOR=$'\x1b[0m'
|
||||
|
||||
printf "Checking if bandit found problems ... "
|
||||
if [[ $(grep -P '<testsuite\sname="bandit"\stests="0"\s/>' ${{ steps.bandit.outputs.bandit_fullpath }}) ]]; then
|
||||
printf "${ANSI_LIGHT_GREEN}[OK]${ANSI_NOCOLOR}\n"
|
||||
|
||||
printf "bandit_passed=true\n" >> "${GITHUB_OUTPUT}"
|
||||
else
|
||||
faults=$(grep -Poh '(?<=<testsuite\sname="bandit"\stests=")(\d+)(?=">)' ${{ steps.bandit.outputs.bandit_fullpath }})
|
||||
|
||||
printf "${ANSI_LIGHT_RED}[ERROR]${ANSI_NOCOLOR}\n"
|
||||
printf " ${ANSI_LIGHT_RED}Bandit found %s issues.${ANSI_NOCOLOR}\n" "${faults}"
|
||||
printf "::error title=%s::%s\n" "🚨 Security Scanning (Bandit)" "Bandi found ${faults} issues."
|
||||
|
||||
printf "bandit_passed=false\n" >> "${GITHUB_OUTPUT}"
|
||||
|
||||
printf "::group::${ANSI_LIGHT_BLUE}JUnit XML report created by Bandit ...${ANSI_NOCOLOR}\n"
|
||||
cat ${{ steps.bandit.outputs.bandit_fullpath }}
|
||||
printf "::endgroup::\n"
|
||||
fi
|
||||
|
||||
- name: 📊 Publish Bandit Results
|
||||
uses: dorny/test-reporter@v2
|
||||
if: steps.check.outputs.bandit_passed == 'false'
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: 'Bandit Results'
|
||||
path: 'report/bandit/report.xml'
|
||||
path: ${{ steps.bandit.outputs.bandit_fullpath }}
|
||||
reporter: java-junit
|
||||
|
||||
Radon:
|
||||
|
||||
@@ -1,74 +0,0 @@
|
||||
# ==================================================================================================================== #
|
||||
# Authors: #
|
||||
# Patrick Lehmann #
|
||||
# #
|
||||
# ==================================================================================================================== #
|
||||
# Copyright 2025-2025 The pyTooling Authors #
|
||||
# #
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); #
|
||||
# you may not use this file except in compliance with the License. #
|
||||
# You may obtain a copy of the License at #
|
||||
# #
|
||||
# http://www.apache.org/licenses/LICENSE-2.0 #
|
||||
# #
|
||||
# Unless required by applicable law or agreed to in writing, software #
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, #
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
|
||||
# See the License for the specific language governing permissions and #
|
||||
# limitations under the License. #
|
||||
# #
|
||||
# SPDX-License-Identifier: Apache-2.0 #
|
||||
# ==================================================================================================================== #
|
||||
name: Security Testing (SAST)
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
ubuntu_image_version:
|
||||
description: 'Ubuntu image version.'
|
||||
required: false
|
||||
default: '24.04'
|
||||
type: string
|
||||
python_version:
|
||||
description: 'Python version.'
|
||||
required: false
|
||||
default: '3.13'
|
||||
type: string
|
||||
# requirements:
|
||||
# description: 'Python dependencies to be installed through pip.'
|
||||
# required: false
|
||||
# default: 'bandit'
|
||||
# type: string
|
||||
package_directory:
|
||||
description: '.'
|
||||
required: true
|
||||
type: string
|
||||
artifact:
|
||||
description: 'Name of the package artifact.'
|
||||
required: true
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
Bandit:
|
||||
name: 🚨 Security Scanning
|
||||
runs-on: "ubuntu-${{ inputs.ubuntu_image_version }}"
|
||||
|
||||
steps:
|
||||
- name: ⏬ Checkout repository
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
lfs: true
|
||||
submodules: true
|
||||
|
||||
- name: 🐍 Setup Python ${{ inputs.python_version }}
|
||||
uses: actions/setup-python@v6
|
||||
with:
|
||||
python-version: ${{ inputs.python_version }}
|
||||
|
||||
- name: ⚙ Install dependencies for packaging and release
|
||||
run: python -m pip install --disable-pip-version-check bandit
|
||||
|
||||
- name: 👮 Bandit
|
||||
if: inputs.artifact != ''
|
||||
run: |
|
||||
bandit -c pyproject.toml -r ${{ inputs.package_directory }} -f xml -o report/bandit/report.xml
|
||||
Reference in New Issue
Block a user