From 84b4d17020804b992d5580fd9c72307a0dfaebad Mon Sep 17 00:00:00 2001 From: MrFired Date: Fri, 26 Apr 2024 00:17:43 +0300 Subject: [PATCH 01/13] Fix breaking changes in upload-artifact action use Also bind it to concrete v4 release --- action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index df686a5..47cdaa3 100644 --- a/action.yml +++ b/action.yml @@ -113,10 +113,11 @@ runs: INPUT_INI_PATH: ${{ inputs.ini_path }} - name: Upload artifact - uses: actions/upload-artifact@main + uses: actions/upload-artifact@v4 with: name: results.sarif path: results.sarif + overwrite: true - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 From 7264faad724e93dac096db176be3df330901d904 Mon Sep 17 00:00:00 2001 From: MrFired Date: Fri, 26 Apr 2024 01:10:57 +0300 Subject: [PATCH 02/13] Upgrade upload-serif action to v3 --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 47cdaa3..8bf5262 100644 --- a/action.yml +++ b/action.yml @@ -120,7 +120,7 @@ runs: overwrite: true - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif From 3ab8218ff8cb47b19faaac0c9054cd501caee734 Mon Sep 17 00:00:00 2001 From: MrFired Date: Fri, 26 Apr 2024 02:08:47 +0300 Subject: [PATCH 03/13] Allow config file specification --- action.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 8bf5262..5b1760d 100644 --- a/action.yml +++ b/action.yml @@ -32,6 +32,10 @@ inputs: description: 'path to a .bandit file that supplies command line arguments' required: false default: 'DEFAULT' + config_path: + description: 'path to a YAML or TOML file that supplies command line arguments' + required: false + default: 'DEFAULT' GITHUB_TOKEN: description: 'Github token of the repository (automatically created by Github)' required: true 
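Review bot: `uses: actions/upload-artifact@v4` is a mutable major tag, not the "concrete v4 release" the commit message promises; upstream moves that tag on every v4.x release, so each run of this action pulls whatever the tag currently points at, with no change or review on this side. Pin to the full commit SHA of the chosen release and keep the version as a trailing comment, `uses: actions/upload-artifact@<full-40-char-sha> # v4.x.y`, and treat the `github/codeql-action/upload-sarif@v2` line in the same hunk the same way (Dependabot keeps SHA pins current). The new `overwrite: true` also deserves a why-comment, since as I read the v4 docs the default is to fail the step when an artifact of the same name already exists in the run; something like `# replace an existing results.sarif artifact instead of failing the step` above it. The `steps` list this hunk edits begins outside the hunk.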
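Review bot: The new `config_path` description, "path to a YAML or TOML file that supplies command line arguments", is the wording of the `ini_path` input directly above it and does not describe what this input does; the run step later in the same patch passes it to bandit's `-c` option, which takes a configuration file for selecting plugins and overriding defaults, not a file of CLI arguments. Suggest `description: 'path to a bandit YAML or TOML config file, passed to bandit -c (plugin selection and default overrides)'`. If the path is resolved relative to the checked-out workspace, as the `-r $INPUT_PATH` convention suggests but this hunk does not show, say so here as well. The `inputs` mapping this hunk extends starts outside the hunk.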
@@ -102,7 +106,13 @@ runs: else INI_PATH="--ini $INPUT_INI_PATH" fi - bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH + + if [ "$INPUT_CONFIG_PATH" == "DEFAULT" ]; then + CONFIG_PATH="" + else + CONFIG_PATH="-c $INPUT_CONFIG_PATH" + fi + bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH $CONFIG_PATH env: INPUT_PATH: ${{ inputs.path }} INPUT_LEVEL: ${{ inputs.level }} @@ -110,7 +120,8 @@ runs: INPUT_EXCLUDED_PATHS: ${{ inputs.excluded_paths }} INPUT_EXIT_ZERO: ${{ inputs.exit_zero }} INPUT_SKIPS: ${{ inputs.skips }} - INPUT_INI_PATH: ${{ inputs.ini_path }} + INPUT_INI_PATH: ${{ inputs.ini_path }} + INPUT_CONFIG_PATH: ${{ inputs.config_path }} - name: Upload artifact uses: actions/upload-artifact@v4 From 94a3512d6a462f14caec4e2e4c65068d17f6532c Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Sun, 8 Sep 2024 22:06:27 -0700 Subject: [PATCH 04/13] Create dependabot.yml Development branch. --- .github/dependabot.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..926b470 --- /dev/null +++ b/.github/dependabot.yml 
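Review bot: `CONFIG_PATH="-c $INPUT_CONFIG_PATH"` is later expanded unquoted on the `bandit` line, so a config path containing spaces is split into several arguments and a value such as `x --exit-zero` is silently accepted as extra bandit flags rather than rejected. Passing the input through `env:` correctly keeps `${{ inputs.config_path }}` out of the script text, so this is not template injection, but the step still hands attacker-shaped strings to the tool's option parser if a caller ever wires this input from untrusted data. Building the option as a bash array keeps the "empty when DEFAULT" behaviour the current word-splitting relies on while quoting the path; this assumes the step runs under bash, which the existing `==` inside `[ ]` already presupposes. The `run: |` block this hunk edits starts before the hunk, so the earlier `$LEVEL`…`$INI_PATH` variables have the same shape and could be converted the same way in a follow-up.
```shell
if [ "$INPUT_CONFIG_PATH" == "DEFAULT" ]; then
  CONFIG_ARGS=()
else
  CONFIG_ARGS=(-c "$INPUT_CONFIG_PATH")
fi
# … unchanged: LEVEL / CONFIDENCE / EXCLUDED_PATHS / EXIT_ZERO / SKIPS / INI_PATH built above …
bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH "${CONFIG_ARGS[@]}"
```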
@@ -0,0 +1,23 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + - package-ecosystem: "github-actions" # See documentation for possible values + directory: "/" # Location of action.yml + target-branch: "main" + rebase-strategy: "disabled" + # Labels on pull requests for version updates only + labels: + - "GitHub" + - "Testing" + assignees: + - "reactive-firewall" + commit-message: + prefix: "[UPDATE] " + include: "scope" + schedule: + interval: "weekly" + day: "tuesday" From 2d60b3aecf18007967b18d22115179b9fcbb4c6a Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Sun, 8 Sep 2024 22:20:23 -0700 Subject: [PATCH 05/13] Update README.md --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3c2edb9..5f6414c 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ Bandit is a tool designed to find common security issues in Python code. This ac To run a bandit scan include a step like this: ```yaml - uses: shundor/bandit-action@v1 + uses: reactive-firewall/bandit-action@v2 with: path: "." level: high 
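Review bot: The `directory: "/" # Location of action.yml` comment explains where Dependabot looks but not what it will update, and the file offers no guidance on how `uses:` references should be pinned in `action.yml`. Dependabot's `github-actions` ecosystem also tracks full-SHA pins (it rewrites the SHA and the trailing `# vX.Y.Z` comment), so the action can be pinned to commit SHAs without losing these updates; a comment such as `# Also keeps full-SHA pins in action.yml current; prefer SHA over mutable tags` next to `package-ecosystem` would record that. `rebase-strategy: "disabled"` is worth a one-line why-comment too, as update PRs will go stale once `main` moves and must be rebased by hand.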
@@ -66,4 +66,7 @@ The action will create an artifact containing the sarif output. ## Credits -- :bow: This action is based on [bandit-action](https://github.com/mdegis/bandit-action) by [Melih Değiş](https://github.com/mdegis/). \ No newline at end of file +- :bow: This action is based on [bandit-action](https://github.com/mdegis/bandit-action) by [Melih Değiş](https://github.com/mdegis/). +- :bow: This action is _also_ based on [python-bandit-scan](https://github.com/shundor/python-bandit-scan) by [shundor](https://github.com/shundor). +- :bow: This fork includes fixes proposed by [Kenta Nakase](https://github.com/parroty) and [Thiago Grisolfi](https://github.com/Grisolfi) ... 🎉 but automated by @dependabot + From 003ff64f0dd7f146f99454bf88766e47bf733e08 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 05:24:33 +0000 Subject: [PATCH 06/13] [UPDATE] (deps): Bump github/codeql-action from 2 to 3 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index df686a5..1ad97de 100644 --- a/action.yml +++ b/action.yml @@ -119,7 +119,7 @@ runs: path: results.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif From 5490c83374f6a990ef7e9c82cf694e7fde949e7a Mon Sep 17 00:00:00 2001 
From: "Mr. Walls" Date: Sun, 8 Sep 2024 22:33:42 -0700 Subject: [PATCH 07/13] Update name in action.yml --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index df686a5..4c60489 100644 --- a/action.yml +++ b/action.yml @@ -1,4 +1,4 @@ -name: 'Bandit Scan' +name: 'Python Bandit Scan' description: 'Bandit Scan' branding: icon: arrow-left @@ -113,7 +113,7 @@ runs: INPUT_INI_PATH: ${{ inputs.ini_path }} - name: Upload artifact - uses: actions/upload-artifact@main + uses: actions/upload-artifact@v4 with: name: results.sarif path: results.sarif From 3868a74113dafb004095baeeb6ecba50ed6c0154 Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Sun, 8 Sep 2024 22:58:01 -0700 Subject: [PATCH 08/13] Update README.md Update README.md with config for fixed version --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5f6414c..f991fea 100644 --- a/README.md +++ b/README.md @@ -11,12 +11,15 @@ Bandit is a tool designed to find common security issues in Python code. This ac To run a bandit scan include a step like this: ```yaml - uses: reactive-firewall/bandit-action@v2 - with: + uses: reactive-firewall/python-bandit-scan@v2.1 + with: # optional arguments + # Github token of the repository (automatically created by Github) + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. path: "." level: high confidence: high - exit_zero: true + # exit with 0, even with results found + exit_zero: true # optional, default is DEFAULT ``` ## Inputs From 637c5c47ee5038648892a14934bd95be222ff086 Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Wed, 2 Oct 2024 23:31:54 -0700 Subject: [PATCH 09/13] Update README.md Reduce threshold to low in example to improve default. --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f991fea..cf2284e 100644 --- a/README.md +++ b/README.md 
@@ -11,15 +11,15 @@ Bandit is a tool designed to find common security issues in Python code. This ac To run a bandit scan include a step like this: ```yaml - uses: reactive-firewall/python-bandit-scan@v2.1 + uses: reactive-firewall/python-bandit-scan@v2.2 with: # optional arguments # Github token of the repository (automatically created by Github) GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. path: "." - level: high + level: low confidence: high # exit with 0, even with results found - exit_zero: true # optional, default is DEFAULT + # exit_zero: true # optional, default is DEFAULT ``` ## Inputs From c56ff8d84b6e111989d803bbd884a7969363332c Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Tue, 12 Nov 2024 23:37:58 -0800 Subject: [PATCH 10/13] re:re:re updated the usage example in the README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cf2284e..d014525 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ Bandit is a tool designed to find common security issues in Python code. This ac To run a bandit scan include a step like this: ```yaml - uses: reactive-firewall/python-bandit-scan@v2.2 + uses: reactive-firewall/python-bandit-scan@v2.3 with: # optional arguments # Github token of the repository (automatically created by Github) GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. 
@@ -71,5 +71,5 @@ The action will create an artifact containing the sarif output. - :bow: This action is based on [bandit-action](https://github.com/mdegis/bandit-action) by [Melih Değiş](https://github.com/mdegis/). - :bow: This action is _also_ based on [python-bandit-scan](https://github.com/shundor/python-bandit-scan) by [shundor](https://github.com/shundor). -- :bow: This fork includes fixes proposed by [Kenta Nakase](https://github.com/parroty) and [Thiago Grisolfi](https://github.com/Grisolfi) ... 🎉 but automated by @dependabot +- :bow: This fork includes fixes proposed by [Kenta Nakase](https://github.com/parroty) and [Thiago Grisolfi](https://github.com/Grisolfi) and ["MrFired"](https://github.com/MrFired) ... 🎉 but automated by [@dependabot[bot]](https://github.com/apps/dependabot) From c5150a28478dcd73a05dec0192befc3d4bf9c0bc Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Thu, 10 Apr 2025 21:53:56 -0700 Subject: [PATCH 11/13] Prepare to merge with upstream fork from shundor/bandit-scan#2 --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3c2edb9..ea32979 100644 --- a/README.md +++ b/README.md @@ -12,11 +12,11 @@ To run a bandit scan include a step like this: ```yaml uses: shundor/bandit-action@v1 - with: + with: path: "." level: high confidence: high - exit_zero: true + exit_zero: true ``` ## Inputs 
@@ -66,4 +66,5 @@ The action will create an artifact containing the sarif output. ## Credits -- :bow: This action is based on [bandit-action](https://github.com/mdegis/bandit-action) by [Melih Değiş](https://github.com/mdegis/). \ No newline at end of file +- :bow: This action is based on [bandit-action](https://github.com/mdegis/bandit-action) by [Melih Değiş](https://github.com/mdegis/). +- :bow: This action also includes fixes proposed by [Kenta Nakase](https://github.com/parroty) and [Thiago Grisolfi](https://github.com/Grisolfi) and ["MrFired"](https://github.com/MrFired) ... 🎉 but automated by [@dependabot[bot]](https://github.com/apps/dependabot) From ad6fae3ac4fbb0afe7d4452ad933c3b86985b01e Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Thu, 10 Apr 2025 22:11:27 -0700 Subject: [PATCH 12/13] Backport of dependency automation from reactive-firewall/python-bandit-scan for use by shundor/python-bandit-scan --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7334f73..d95fe56 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ Bandit is a tool designed to find common security issues in Python code. This ac To run a bandit scan include a step like this: ```yaml - uses: shundor/bandit-action@v1 + uses: shundor/python-bandit-scan@v1 with: # optional arguments path: "." level: high From 11a72c7c18aab77758bf6f5d9456f1018ec107b0 Mon Sep 17 00:00:00 2001 From: "Mr. Walls" Date: Fri, 11 Apr 2025 16:52:16 -0700 Subject: [PATCH 13/13] [REVIEW] Simpler defaults for backported dependabot.yml * Oops! :hear_not_evil: The labels must already be present in the github project settings. (FIXED) * I also don't have write-access so I removed myself from the default assignee; this simplifies the configuration. These are not user-facing changes. --- .github/dependabot.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 926b470..cbcdbba 100644 
--- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,10 +11,7 @@ updates: rebase-strategy: "disabled" # Labels on pull requests for version updates only labels: - - "GitHub" - - "Testing" - assignees: - - "reactive-firewall" + - "enhancement" # choosen as closest exsisting label commit-message: prefix: "[UPDATE] " include: "scope"
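Review bot: The new inline comment `# choosen as closest exsisting label` has two spelling errors and leaves out the constraint the commit message explains, namely that Dependabot silently drops labels that do not already exist in the repository. Suggest `- "enhancement" # chosen as the closest existing label; Dependabot ignores labels not yet defined in the repo`. "enhancement" is one of GitHub's default repository labels, so it is normally present unless someone has deleted it.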