diff --git a/README.md b/README.md
index f991fea..d014525 100644
--- a/README.md
+++ b/README.md
@@ -11,15 +11,15 @@ Bandit is a tool designed to find common security issues in Python code. This ac
 To run a bandit scan include a step like this:
 ```yaml
- uses: reactive-firewall/python-bandit-scan@v2.1
+ uses: reactive-firewall/python-bandit-scan@v2.3
 with: # optional arguments
 # Github token of the repository (automatically created by Github)
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
 path: "."
- level: high
+ level: low
 confidence: high
 # exit with 0, even with results found
- exit_zero: true # optional, default is DEFAULT
+ # exit_zero: true # optional, default is DEFAULT
 ```
 ## Inputs
@@ -71,5 +71,5 @@ The action will create an artifact containing the sarif output.
 - :bow: This action is based on [bandit-action](https://github.com/mdegis/bandit-action) by [Melih Değiş](https://github.com/mdegis/).
 - :bow: This action is _also_ based on [python-bandit-scan](https://github.com/shundor/python-bandit-scan) by [shundor](https://github.com/shundor).
-- :bow: This fork includes fixes proposed by [Kenta Nakase](https://github.com/parroty) and [Thiago Grisolfi](https://github.com/Grisolfi) ... πŸŽ‰ but automated by @dependabot
+- :bow: This fork includes fixes proposed by [Kenta Nakase](https://github.com/parroty) and [Thiago Grisolfi](https://github.com/Grisolfi) and ["MrFired"](https://github.com/MrFired) ... πŸŽ‰ but automated by [@dependabot[bot]](https://github.com/apps/dependabot)
diff --git a/action.yml b/action.yml
index 0358d24..5a76acb 100644
--- a/action.yml
+++ b/action.yml
@@ -32,6 +32,10 @@ inputs:
 description: 'path to a .bandit file that supplies command line arguments'
 required: false
 default: 'DEFAULT'
+ config_path:
+ description: 'path to a YAML or TOML file that supplies command line arguments'
+ required: false
+ default: 'DEFAULT'
 GITHUB_TOKEN:
 description: 'Github token of the repository (automatically created by Github)'
 required: true
@@ -102,7 +106,13 @@ runs:
 else
 INI_PATH="--ini $INPUT_INI_PATH"
 fi
- bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH
+ if [ "$INPUT_CONFIG_PATH" == "DEFAULT" ]; then
+ CONFIG_PATH=""
+ else
+ CONFIG_PATH="-c $INPUT_CONFIG_PATH"
+ fi
+ bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH $CONFIG_PATH
 env:
 INPUT_PATH: ${{ inputs.path }}
 INPUT_LEVEL: ${{ inputs.level }}
@@ -110,13 +120,15 @@ runs:
 INPUT_EXCLUDED_PATHS: ${{ inputs.excluded_paths }}
 INPUT_EXIT_ZERO: ${{ inputs.exit_zero }}
 INPUT_SKIPS: ${{ inputs.skips }}
- INPUT_INI_PATH: ${{ inputs.ini_path }}
+ INPUT_INI_PATH: ${{ inputs.ini_path }}
+ INPUT_CONFIG_PATH: ${{ inputs.config_path }}
 - name: Upload artifact
 uses: actions/upload-artifact@v4
 with:
 name: results.sarif
 path: results.sarif
+ overwrite: true
 - name: Upload SARIF file
 uses: github/codeql-action/upload-sarif@v3
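Review bot: `CONFIG_PATH="-c $INPUT_CONFIG_PATH"` is expanded unquoted on the new `bandit` line, so a `config_path` value containing spaces or glob characters is word-split or globbed before bandit sees it, the same way the pre-existing `$INI_PATH` already is. `INPUT_CONFIG_PATH` is caller-controlled workflow input, so it is worth carrying it as data rather than shell words: `CONFIG_PATH=()` in the default branch, `CONFIG_PATH=(-c "$INPUT_CONFIG_PATH")` in the else branch, and `"${CONFIG_PATH[@]}"` on the bandit line (this assumes the step runs under bash, which the `==` inside `[ ]` already seems to rely on). An explicitly empty `config_path: ""` is also not caught by the `DEFAULT` comparison and would leave a dangling `-c` with no argument; extending the test to `[ "$INPUT_CONFIG_PATH" == "DEFAULT" ] || [ -z "$INPUT_CONFIG_PATH" ]` covers that case. The enclosing `run:` block starts before this hunk.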