From 84b4d17020804b992d5580fd9c72307a0dfaebad Mon Sep 17 00:00:00 2001
From: MrFired
Date: Fri, 26 Apr 2024 00:17:43 +0300
Subject: [PATCH 1/5] Fix breaking changes in upload-artifact action use Also bind it to concrete v4 release
---
action.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index df686a5..47cdaa3 100644
--- a/action.yml
+++ b/action.yml
@@ -113,10 +113,11 @@ runs:
INPUT_INI_PATH: ${{ inputs.ini_path }} - name: Upload artifact - uses: actions/upload-artifact@main + uses: actions/upload-artifact@v4 with: name: results.sarif path: results.sarif + overwrite: true - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2
From 7264faad724e93dac096db176be3df330901d904 Mon Sep 17 00:00:00 2001
From: MrFired
Date: Fri, 26 Apr 2024 01:10:57 +0300
Subject: [PATCH 2/5] Upgrade upload-serif action to v3
---
action.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index 47cdaa3..8bf5262 100644
--- a/action.yml
+++ b/action.yml
@@ -120,7 +120,7 @@ runs:
overwrite: true - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif
From 3ab8218ff8cb47b19faaac0c9054cd501caee734 Mon Sep 17 00:00:00 2001
From: MrFired
Date: Fri, 26 Apr 2024 02:08:47 +0300
Subject: [PATCH 3/5] Allow config file specification
---
action.yml | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/action.yml b/action.yml
index 8bf5262..5b1760d 100644
--- a/action.yml
+++ b/action.yml
@@ -32,6 +32,10 @@ inputs:
description: 'path to a .bandit file that supplies command line arguments' required: false default: 'DEFAULT' + config_path: description: 'path to a YAML or TOML file that supplies command line arguments' required: false default: 'DEFAULT' GITHUB_TOKEN: description: 'Github token of the repository (automatically created by Github)' required: true
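Review bot: `uses: actions/upload-artifact@v4` on the new side of the first hunk pins a movable tag, not a concrete release as the commit message says; the `v4` tag can be retargeted by the upstream maintainers or by anyone who gains write access to that repository, and every consumer of this action would then execute the new code. Pin to the full 40-character commit SHA of the intended v4 release and keep the version in a trailing comment so Dependabot can still bump it, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v4.x`. The `github/codeql-action/upload-sarif` reference in the same hunk's context has the same exposure, and the later patch in this series that moves it to `v3` still pins a tag rather than a SHA.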
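Review bot: The new `config_path` input's `description` in the inputs hunk appears to be copied from `ini_path` ("supplies command line arguments"), which does not describe what the value is used for. If I read bandit's CLI correctly, the value is later passed as `-c`, which is bandit's configuration file for selecting tests/plugins and overriding their settings, whereas `--ini` is the option that supplies command-line arguments; the two inputs should not carry the same wording. Suggest `description: 'path to a bandit YAML or TOML config file (passed to bandit as -c)'`. Keeping the `'DEFAULT'` sentinel consistent with `ini_path` is fine, but note that it only applies when the caller omits the input entirely, not when an empty string is passed.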
@@ -102,7 +106,13 @@ runs:
else INI_PATH="--ini $INPUT_INI_PATH" fi - bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH + + if [ "$INPUT_CONFIG_PATH" == "DEFAULT" ]; then CONFIG_PATH="" else CONFIG_PATH="-c $INPUT_CONFIG_PATH" fi bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH $CONFIG_PATH env: INPUT_PATH: ${{ inputs.path }} INPUT_LEVEL: ${{ inputs.level }}
@@ -110,7 +120,8 @@ runs:
INPUT_EXCLUDED_PATHS: ${{ inputs.excluded_paths }} INPUT_EXIT_ZERO: ${{ inputs.exit_zero }} INPUT_SKIPS: ${{ inputs.skips }} - INPUT_INI_PATH: ${{ inputs.ini_path }} + INPUT_INI_PATH: ${{ inputs.ini_path }} + INPUT_CONFIG_PATH: ${{ inputs.config_path }} - name: Upload artifact uses: actions/upload-artifact@v4
From 637c5c47ee5038648892a14934bd95be222ff086 Mon Sep 17 00:00:00 2001
From: "Mr. Walls"
Date: Wed, 2 Oct 2024 23:31:54 -0700
Subject: [PATCH 4/5] Update README.md Reduce threshold to low in example to improve default.
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index f991fea..cf2284e 100644
--- a/README.md
+++ b/README.md
@@ -11,15 +11,15 @@ Bandit is a tool designed to find common security issues in Python code. This ac
To run a bandit scan include a step like this: ```yaml - uses: reactive-firewall/python-bandit-scan@v2.1 + uses: reactive-firewall/python-bandit-scan@v2.2 with: # optional arguments # Github token of the repository (automatically created by Github) GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. path: "." - level: high + level: low confidence: high # exit with 0, even with results found - exit_zero: true # optional, default is DEFAULT + # exit_zero: true # optional, default is DEFAULT ``` ## Inputs
From c56ff8d84b6e111989d803bbd884a7969363332c Mon Sep 17 00:00:00 2001
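Review bot: In the first hunk the new `CONFIG_PATH="-c $INPUT_CONFIG_PATH"` is expanded unquoted on the `bandit` command line, so a caller-supplied `config_path` containing spaces or glob characters is word-split or globbed into extra arguments instead of being passed as one path; since `inputs.config_path` is an arbitrary string chosen by the calling workflow, it should be passed as a single quoted argument via a bash array. The `== "DEFAULT"` test also lets an explicitly empty `config_path: ''` through and produces `bandit ... -c ''`, so an `-n` check belongs alongside the sentinel test. Routing the value through `env:` rather than interpolating `${{ inputs.config_path }}` into the script is the right choice and avoids script injection, so keep that. The `run:` block and its `shell:` setting start before this hunk, so I cannot confirm from here that the step runs under bash, which both the existing `==` test and the array below require; the other `$LEVEL`/`$INI_PATH`-style expansions share the same unquoted pattern but predate this change.
```shell
# … unchanged: LEVEL / CONFIDENCE / EXCLUDED_PATHS / EXIT_ZERO / SKIPS / INI_PATH selection …
CONFIG_ARGS=()
if [ "$INPUT_CONFIG_PATH" != "DEFAULT" ] && [ -n "$INPUT_CONFIG_PATH" ]; then
  CONFIG_ARGS=(-c "$INPUT_CONFIG_PATH")
fi
bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH "${CONFIG_ARGS[@]}"
```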
From: "Mr. Walls"
Date: Tue, 12 Nov 2024 23:37:58 -0800
Subject: [PATCH 5/5] re:re:re updated the usage example in the README.md
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index cf2284e..d014525 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ Bandit is a tool designed to find common security issues in Python code. This ac
To run a bandit scan include a step like this: ```yaml - uses: reactive-firewall/python-bandit-scan@v2.2 + uses: reactive-firewall/python-bandit-scan@v2.3 with: # optional arguments # Github token of the repository (automatically created by Github) GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
@@ -71,5 +71,5 @@ The action will create an artifact containing the sarif output.
- :bow: This action is based on [bandit-action](https://github.com/mdegis/bandit-action) by [Melih Değiş](https://github.com/mdegis/). - :bow: This action is _also_ based on [python-bandit-scan](https://github.com/shundor/python-bandit-scan) by [shundor](https://github.com/shundor). -- :bow: This fork includes fixes proposed by [Kenta Nakase](https://github.com/parroty) and [Thiago Grisolfi](https://github.com/Grisolfi) ... πŸŽ‰ but automated by @dependabot +- :bow: This fork includes fixes proposed by [Kenta Nakase](https://github.com/parroty) and [Thiago Grisolfi](https://github.com/Grisolfi) and ["MrFired"](https://github.com/MrFired) ... πŸŽ‰ but automated by [@dependabot[bot]](https://github.com/apps/dependabot)