From b4996708a305f980f284ad13f7c0bd0da7dec08d Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Thu, 2 May 2024 15:58:32 -0700
Subject: [PATCH] Convert to a composite action

Convert the current docker container based action into a composite action. A composite action no longer requires a Dockerfile or entrypoint script. The actual action YAML now parameterizes the key selected arguments of Bandit into official inputs into the action. The output of the code scan is to generate a JSON file using Bandit's SARIF format. This can be uploaded and rendered nicely into GitHub's ecosystem as a "Code Scanning" application.
https://docs.github.com/en/actions/creating-actions/creating-a-composite-action

Signed-off-by: Eric Brown
---
 Dockerfile | 10 ---
 action.yml | 200 +++++++++++++++++++++++++++++++++----------------
 entrypoint.sh | 5 --
 3 files changed, 131 insertions(+), 84 deletions(-)
 delete mode 100644 Dockerfile
 delete mode 100644 entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 5c0d674..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,10 +0,0 @@
-FROM python:3.8-slim
-
-LABEL "maintainer"="PyCQA "
-LABEL "repository"="https://github.com/PyCQA/bandit-action"
-LABEL "homepage"="https://github.com/PyCQA/bandit-action"
-
-RUN pip install bandit
-
-ADD entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
diff --git a/action.yml b/action.yml
index 7e835d3..1e529e8 100644
--- a/action.yml
+++ b/action.yml
@@ -1,82 +1,144 @@
 name: Bandit
 description: Run Bandit
-author: '@ericwb'
+author: '@PyCQA'
+
+branding:
+ icon: 'shield'
+ color: 'yellow'
 inputs:
- args:
+ configfile:
+ description: |
+ Optional config file to use for selecting plugins and overriding defaults
+ required: false
+ default: 'DEFAULT'
+ profile:
+ description: |
+ Profile to use (defaults to executing all tests)
+ required: false
+ default: 'DEFAULT'
+ tests:
+ description: |
+ Comma-separated list of test IDs to run
+ required: false
+ default: 'DEFAULT'
+ skips:
+ description: |
+ Comma-separated list of test IDs to skip
+ required: false
+ default: 'DEFAULT'
+ severity:
+ description: |
+ Report only issues of a given severity level or higher. "all" and "low"
+ are likely to produce the same results, but it is possible for rules to
+ be undefined which will not be listed in "low". Options include:
+ {all, high, medium, low}
+ required: false
+ default: 'DEFAULT'
+ confidence:
+ description: |
+ Report only issues of a given confidence level or higher. "all" and "low"
+ are likely to produce the same results, but it is possible for rules to
+ be undefined which will not be listed in "low". Options include:
+ {all, high, medium, low}
+ required: false
+ default: 'DEFAULT'
+ exclude:
+ description: |
+ Comma-separated list of paths (glob patterns supported) to exclude from
+ scan (note that these are in addition to the excluded paths provided in
+ the config file)
+ required: false
+ default: '.svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg'
+ baseline:
+ description: |
+ Path of a baseline report to compare against (only JSON-formatted files
+ are accepted)
+ required: false
+ default: 'DEFAULT'
+ ini:
 description: |
- Optional arguments:
- -r, --recursive find and process files in subdirectories
- -a {file,vuln}, --aggregate {file,vuln}
- aggregate output by vulnerability (default) or by
- filename
- -n CONTEXT_LINES, --number CONTEXT_LINES
- maximum number of code lines to output for each issue
- -c CONFIG_FILE, --configfile CONFIG_FILE
- optional config file to use for selecting plugins and
- overriding defaults
- -p PROFILE, --profile PROFILE
- profile to use (defaults to executing all tests)
- -t TESTS, --tests TESTS
- comma-separated list of test IDs to run
- -s SKIPS, --skip SKIPS
- comma-separated list of test IDs to skip
- -l, --level report only issues of a given severity level or higher
- (-l for LOW, -ll for MEDIUM, -lll for HIGH)
- --severity-level {all,low,medium,high}
- report only issues of a given severity level or higher.
- "all" and "low" are likely to produce the same results,
- but it is possible for rules to be undefined which will
- not be listed in "low".
- -i, --confidence report only issues of a given confidence level or
- higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
- --confidence-level {all,low,medium,high}
- report only issues of a given confidence level or higher.
- "all" and "low" are likely to produce the same results,
- but it is possible for rules to be undefined which will
- not be listed in "low".
- -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
- specify output format
- --msg-template MSG_TEMPLATE
- specify output message template (only usable with
- --format custom), see CUSTOM FORMAT section for list
- of available values
- -o [OUTPUT_FILE], --output [OUTPUT_FILE]
- write report to filename
- -v, --verbose output extra information like excluded and included
- files
- -d, --debug turn on debug mode
- -q, --quiet, --silent
- only show output in the case of an error
- --ignore-nosec do not skip lines with # nosec comments
- -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
- comma-separated list of paths (glob patterns
- supported) to exclude from scan (note that these are
- in addition to the excluded paths provided in the
- config file) (default:
- .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
- -b BASELINE, --baseline BASELINE
- path of a baseline report to compare against (only
- JSON-formatted files are accepted)
- --ini INI_PATH path to a .bandit file that supplies command line
- arguments
- --exit-zero exit with 0, even with results found
- --version show program's version number and exit
+ Path to a .bandit file that supplies command line arguments
 required: false
- default: '-h'
+ default: 'DEFAULT'
 targets:
 description: |
 Source file(s) or directory(s) to be tested
 required: true
+ default: '.'
 runs:
- using: docker
- image: Dockerfile
- args:
- - ${{ inputs.args }}
- env:
- TARGETS: ${{ inputs.targets }}
+ using: composite
+ steps:
+ - name: Set up Python 3.8
+ uses: actions/setup-python@v5
+ with:
+ python-version: 3.8
-branding:
- icon: 'shield'
- color: 'yellow'
+ - name: Install Bandit
+ shell: bash
+ run: pip install bandit[sarif]
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Run Bandit
+ shell: bash
+ run: |
+ if [ "$INPUT_CONFIGFILE" == "DEFAULT" ]; then
+ CONFIGFILE=""
+ else
+ CONFIGFILE="-c $INPUT_CONFIGFILE"
+ fi
+ if [ "$INPUT_PROFILE" == "DEFAULT" ]; then
+ PROFILE=""
+ else
+ PROFILE="-p $INPUT_PROFILE"
+ fi
+ if [ "$INPUT_TESTS" == "DEFAULT" ]; then
+ TESTS=""
+ else
+ TESTS="-t $INPUT_TESTS"
+ fi
+ if [ "$INPUT_SKIPS" == "DEFAULT" ]; then
+ SKIPS=""
+ else
+ SKIPS="-s $INPUT_SKIPS"
+ fi
+ if [ "$INPUT_SEVERITY" == "DEFAULT" ]; then
+ SEVERITY=""
+ else
+ SEVERITY="--severity-level $INPUT_SEVERITY"
+ fi
+ if [ "$INPUT_CONFIDENCE" == "DEFAULT" ]; then
+ CONFIDENCE=""
+ else
+ CONFIDENCE="--confidence-level $INPUT_CONFIDENCE"
+ fi
+ if [ "$INPUT_BASELINE" == "DEFAULT" ]; then
+ BASELINE=""
+ else
+ BASELINE="-b $INPUT_BASELINE"
+ fi
+ if [ "$INPUT_INI" == "DEFAULT" ]; then
+ INI=""
+ else
+ INI="--ini $INPUT_INI"
+ fi
+ bandit $CONFIGFILE $PROFILE $TESTS $SKIPS $SEVERITY $CONFIDENCE -x $INPUT_EXCLUDE $BASELINE $INI -r $INPUT_TARGETS -f sarif -o results.sarif || true
+ env:
+ INPUT_CONFIGFILE: ${{ inputs.configfile }}
+ INPUT_PROFILE: ${{ inputs.profile }}
+ INPUT_TESTS: ${{ inputs.tests }}
+ INPUT_SKIPS: ${{ inputs.skips }}
+ INPUT_SEVERITY: ${{ inputs.severity }}
+ INPUT_CONFIDENCE: ${{ inputs.confidence }}
+ INPUT_EXCLUDE: ${{ inputs.exclude }}
+ INPUT_BASELINE: ${{ inputs.baseline }}
+ INPUT_INI: ${{ inputs.ini }}
+ INPUT_TARGETS: ${{ inputs.targets }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
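Review bot: The `|| true` on the `bandit` invocation in the "Run Bandit" step masks every failure, not just findings: a bad `configfile`/`baseline` path, an unreadable target or a crash leaves no `results.sarif`, the step still passes, and the "Upload SARIF file" step then fails on a missing file instead of the real error. Bandit's own `--exit-zero` (listed in the help text this hunk removes) should preserve the intended "findings do not fail the build" behaviour while genuine errors still surface, so `bandit ... -f sarif -o results.sarif --exit-zero` with the `|| true` dropped is the safer form — worth confirming against the installed bandit version. The inputs are correctly routed through `env:` rather than interpolated with `${{ }}` into the script, but the expansions are unquoted, so `-x $INPUT_EXCLUDE` (whose default contains `*.egg`) undergoes word-splitting and glob expansion; quoting it as `-x "$INPUT_EXCLUDE"`, or collecting the optional flags in a bash array, avoids that (targets may be a deliberate space-separated list, so handle that one explicitly). Supply-chain-wise, `actions/setup-python@v5`, `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` are mutable tags and `pip install bandit[sarif]` is unversioned; pinning the actions to full commit SHAs and bandit to a release would make a security scanner's own dependencies reproducible. The SARIF upload also needs `security-events: write`, which a composite action cannot declare, so the consuming workflow's required permissions should be stated in the action description.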
diff --git a/entrypoint.sh b/entrypoint.sh
deleted file mode 100644
index 5321f2d..0000000
--- a/entrypoint.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-set -e
-
-sh -c "bandit $*"