forked from shundor/python-bandit-scan
-
Notifications
You must be signed in to change notification settings - Fork 1
/
action.yml
126 lines (115 loc) · 3.45 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
name: 'Bandit Scan'
description: 'Bandit Scan'
branding:
icon: arrow-left
color: purple
inputs:
path:
description: 'File or directory to run bandit on'
required: false
default: '.'
level:
description: 'Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)'
required: false
default: 'UNDEFINED'
confidence:
description: 'Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)'
required: false
default: 'UNDEFINED'
excluded_paths:
description: 'comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)'
required: false
default: 'DEFAULT'
exit_zero:
description: 'exit with 0, even with results found'
required: false
default: 'DEFAULT'
skips:
description: 'comma-separated list of test IDs to skip'
required: false
default: 'DEFAULT'
ini_path:
description: 'path to a .bandit file that supplies command line arguments'
required: false
default: 'DEFAULT'
GITHUB_TOKEN:
description: 'Github token of the repository (automatically created by Github)'
required: true
runs:
using: composite
steps:
- name: Install dependencies
shell: bash
run: |
pip install bandit bandit-sarif-formatter
- name: Run Bandit scan
shell: bash
run: |
UPPERCASE_LEVEL=$(echo $INPUT_LEVEL | tr a-z A-Z)
case $UPPERCASE_LEVEL in
LOW)
LEVEL="-l"
;;
MEDIUM | MID)
LEVEL="-ll"
;;
HIGH)
LEVEL="-lll"
;;
*)
LEVEL=""
;;
esac
UPPERCASE_CONFIDENCE=$(echo $INPUT_CONFIDENCE | tr a-z A-Z)
case $UPPERCASE_CONFIDENCE in
LOW)
CONFIDENCE="-i"
;;
MEDIUM | MID)
CONFIDENCE="-ii"
;;
HIGH)
CONFIDENCE="-iii"
;;
*)
CONFIDENCE=""
;;
esac
if [ "$INPUT_EXCLUDED_PATHS" == "DEFAULT" ]; then
EXCLUDED_PATHS=""
else
EXCLUDED_PATHS="-x $INPUT_EXCLUDED_PATHS"
fi
if [ "$INPUT_EXIT_ZERO" == "DEFAULT" ]; then
EXIT_ZERO=""
else
EXIT_ZERO="--exit-zero"
fi
if [ "$INPUT_SKIPS" == "DEFAULT" ]; then
SKIPS=""
else
SKIPS="-s $INPUT_SKIPS"
fi
if [ "$INPUT_INI_PATH" == "DEFAULT" ]; then
INI_PATH=""
else
INI_PATH="--ini $INPUT_INI_PATH"
fi
bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH
env:
INPUT_PATH: ${{ inputs.path }}
INPUT_LEVEL: ${{ inputs.level }}
INPUT_CONFIDENCE: ${{ inputs.confidence }}
INPUT_EXCLUDED_PATHS: ${{ inputs.excluded_paths }}
INPUT_EXIT_ZERO: ${{ inputs.exit_zero }}
INPUT_SKIPS: ${{ inputs.skips }}
INPUT_INI_PATH: ${{ inputs.ini_path }}
- name: Upload artifact
uses: actions/upload-artifact@main
with:
name: results.sarif
path: results.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif