Convert to a composite action

action.yml

@@ -1,82 +1,144 @@
 name: Bandit
 description: Run Bandit
-author: '@ericwb'
+author: '@PyCQA'
+
+branding:
+  icon: 'shield'
+  color: 'yellow'
 
 inputs: 
-  args:
+  configfile:
+    description: |
+      Optional config file to use for selecting plugins and overriding defaults
+    required: false
+    default: 'DEFAULT'
+  profile:
+    description: |
+      Profile to use (defaults to executing all tests)
+    required: false
+    default: 'DEFAULT'
+  tests:
+    description: |
+      Comma-separated list of test IDs to run
+    required: false
+    default: 'DEFAULT'
+  skips:
+    description: |
+      Comma-separated list of test IDs to skip
+    required: false
+    default: 'DEFAULT'
+  severity:
+    description: |
+      Report only issues of a given severity level or higher. "all" and "low"
+      are likely to produce the same results, but it is possible for rules to
+      be undefined which will not be listed in "low". Options include:
+      {all, high, medium, low}
+    required: false
+    default: 'DEFAULT'
+  confidence:
+    description: |
+      Report only issues of a given confidence level or higher. "all" and "low"
+      are likely to produce the same results, but it is possible for rules to
+      be undefined which will not be listed in "low". Options include:
+      {all, high, medium, low}
+    required: false
+    default: 'DEFAULT'
+  exclude:
+    description: |
+      Comma-separated list of paths (glob patterns supported) to exclude from
+      scan (note that these are in addition to the excluded paths provided in
+      the config file)
+    required: false
+    default: '.svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg'
+  baseline:
+    description: |
+      Path of a baseline report to compare against (only JSON-formatted files
+      are accepted)
+    required: false
+    default: 'DEFAULT'
+  ini:
     description: |
-      Optional arguments:
-        -r, --recursive       find and process files in subdirectories
-        -a {file,vuln}, --aggregate {file,vuln}
-                              aggregate output by vulnerability (default) or by
-                              filename
-        -n CONTEXT_LINES, --number CONTEXT_LINES
-                              maximum number of code lines to output for each issue
-        -c CONFIG_FILE, --configfile CONFIG_FILE
-                              optional config file to use for selecting plugins and
-                              overriding defaults
-        -p PROFILE, --profile PROFILE
-                              profile to use (defaults to executing all tests)
-        -t TESTS, --tests TESTS
-                              comma-separated list of test IDs to run
-        -s SKIPS, --skip SKIPS
-                              comma-separated list of test IDs to skip
-        -l, --level           report only issues of a given severity level or higher
-                              (-l for LOW, -ll for MEDIUM, -lll for HIGH)
-        --severity-level {all,low,medium,high}
-                              report only issues of a given severity level or higher.
-                              "all" and "low" are likely to produce the same results,
-                              but it is possible for rules to be undefined which will
-                              not be listed in "low".
-        -i, --confidence      report only issues of a given confidence level or
-                              higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
-        --confidence-level {all,low,medium,high}
-                              report only issues of a given confidence level or higher.
-                              "all" and "low" are likely to produce the same results,
-                              but it is possible for rules to be undefined which will
-                              not be listed in "low".
-        -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
-                              specify output format
-        --msg-template MSG_TEMPLATE
-                              specify output message template (only usable with
-                              --format custom), see CUSTOM FORMAT section for list
-                              of available values
-        -o [OUTPUT_FILE], --output [OUTPUT_FILE]
-                              write report to filename
-        -v, --verbose         output extra information like excluded and included
-                              files
-        -d, --debug           turn on debug mode
-        -q, --quiet, --silent
-                              only show output in the case of an error
-        --ignore-nosec        do not skip lines with # nosec comments
-        -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
-                              comma-separated list of paths (glob patterns
-                              supported) to exclude from scan (note that these are
-                              in addition to the excluded paths provided in the
-                              config file) (default:
-                              .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
-        -b BASELINE, --baseline BASELINE
-                              path of a baseline report to compare against (only
-                              JSON-formatted files are accepted)
-        --ini INI_PATH        path to a .bandit file that supplies command line
-                              arguments
-        --exit-zero           exit with 0, even with results found
-        --version             show program's version number and exit
+      Path to a .bandit file that supplies command line arguments
     required: false
-    default: '-h'
+    default: 'DEFAULT'
   targets:
     description: |
       Source file(s) or directory(s) to be tested
     required: true
+    default: '.'
 
 runs:
-  using: docker
-  image: Dockerfile
-  args:
-    - ${{ inputs.args }}
-  env:
-    TARGETS: ${{ inputs.targets }}
+  using: composite
+  steps:
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v5
+      with:
+        python-version: 3.8
 
-branding:
-  icon: 'shield'
-  color: 'yellow'
+    - name: Install Bandit
+      shell: bash
+      run: pip install bandit[sarif]
+
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Run Bandit
+      shell: bash
+      run: |
+        if [ "$INPUT_CONFIGFILE" == "DEFAULT" ]; then
+            CONFIGFILE=""
+        else
+            CONFIGFILE="-c $INPUT_CONFIGFILE"
+        fi
+        if [ "$INPUT_PROFILE" == "DEFAULT" ]; then
+            PROFILE=""
+        else
+            PROFILE="-p $INPUT_PROFILE"
+        fi
+        if [ "$INPUT_TESTS" == "DEFAULT" ]; then
+            TESTS=""
+        else
+            TESTS="-t $INPUT_TESTS"
+        fi
+        if [ "$INPUT_SKIPS" == "DEFAULT" ]; then
+            SKIPS=""
+        else
+            SKIPS="-s $INPUT_SKIPS"
+        fi
+        if [ "$INPUT_SEVERITY" == "DEFAULT" ]; then
+            SEVERITY=""
+        else
+            SEVERITY="--severity-level $INPUT_SEVERITY"
+        fi
+        if [ "$INPUT_CONFIDENCE" == "DEFAULT" ]; then
+            CONFIDENCE=""
+        else
+            CONFIDENCE="--confidence-level $INPUT_CONFIDENCE"
+        fi
+        if [ "$INPUT_BASELINE" == "DEFAULT" ]; then
+            BASELINE=""
+        else
+            BASELINE="-b $INPUT_BASELINE"
+        fi
+        if [ "$INPUT_INI" == "DEFAULT" ]; then
+            INI=""
+        else
+            INI="--ini $INPUT_INI"
+        fi
+        bandit $CONFIGFILE $PROFILE $TESTS $SKIPS $SEVERITY $CONFIDENCE -x $INPUT_EXCLUDE $BASELINE $INI -r $INPUT_TARGETS -f sarif -o results.sarif || true
+      env:
+        INPUT_CONFIGFILE: ${{ inputs.configfile }}
+        INPUT_PROFILE: ${{ inputs.profile }}
+        INPUT_TESTS: ${{ inputs.tests }}
+        INPUT_SKIPS: ${{ inputs.skips }}
+        INPUT_SEVERITY: ${{ inputs.severity }}
+        INPUT_CONFIDENCE: ${{ inputs.confidence }}
+        INPUT_EXCLUDE: ${{ inputs.exclude }}
+        INPUT_BASELINE: ${{ inputs.baseline }}
+        INPUT_INI: ${{ inputs.ini }}
+        INPUT_TARGETS: ${{ inputs.targets }}
+
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: results.sarif