
Convert to a composite action #10

Merged
merged 1 commit, Jun 23, 2024

Conversation

@ericwb ericwb commented May 2, 2024

Convert the current docker container based action into a composite action. A composite action no longer requires a Dockerfile or entrypoint script.

The actual action YAML now parameterizes the key selected arguments of Bandit into official inputs into the action.

The output of the code scan is to generate a JSON file using Bandit's SARIF format. This can be uploaded and rendered nicely into GitHub's ecosystem as a "Code Scanning" application.

https://docs.github.com/en/actions/creating-actions/creating-a-composite-action
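As an added illustration of how the three pieces in the description fit together (Bandit arguments exposed as action inputs, a SARIF file written by Bandit, that file handed to GitHub's upload-sarif step), here is a composite action.yml. It is not the project's own action.yml; the input names and defaults are assumptions, and inputs are passed to the shell via env rather than interpolated into the script so that metacharacters in an input cannot change the command.

```yaml
# action.yml (added example; input names are assumptions, not the project's)
name: "Bandit scan (composite example)"
description: "Run Bandit, write SARIF, upload it to GitHub Code Scanning"
inputs:
  path:
    description: "Directory or file to scan recursively (bandit -r)"
    default: "."
  level:
    description: "Minimum severity to report: low, medium or high"
    default: "low"
  confidence:
    description: "Minimum confidence to report: low, medium or high"
    default: "low"
  excluded_paths:
    description: "Comma-separated paths to skip (bandit -x)"
    default: ".svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg"
runs:
  using: "composite"
  steps:
    - name: Install Bandit with the SARIF formatter extra
      shell: bash
      run: python -m pip install --upgrade "bandit[sarif]"
    - name: Run Bandit and write results.sarif
      shell: bash
      # Inputs reach the script as environment variables, not via ${{ }}
      # substitution inside the command line, so a crafted input value is
      # treated as data by the shell rather than as part of the command.
      env:
        SCAN_PATH: ${{ inputs.path }}
        SCAN_LEVEL: ${{ inputs.level }}
        SCAN_CONFIDENCE: ${{ inputs.confidence }}
        SCAN_EXCLUDES: ${{ inputs.excluded_paths }}
      # --exit-zero keeps this step green when findings exist; without it a
      # non-zero Bandit exit aborts the composite action before the upload
      # step runs, and the findings never reach the Code Scanning tab.
      run: |
        bandit -r "$SCAN_PATH" \
          --severity-level "$SCAN_LEVEL" \
          --confidence-level "$SCAN_CONFIDENCE" \
          -x "$SCAN_EXCLUDES" \
          -f sarif -o results.sarif --exit-zero
    - name: Upload SARIF to GitHub Code Scanning
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: results.sarif
```

The calling workflow needs `permissions: security-events: write` (plus `contents: read`) for the upload step to succeed; findings then appear under Security -> Code scanning for the scanned branch.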

@ericwb ericwb force-pushed the composite-action branch 3 times, most recently from 2a61821 to 5229e3c on May 2, 2024 23:41
@sigmavirus24 sigmavirus24 left a comment

I don't know enough to approve this. How can we test it?

Convert the current docker container based action into a composite
action. A composite action no longer requires a Dockerfile or
entrypoint script.

The actual action YAML now parameterizes the key selected arguments of
Bandit into official inputs into the action.

The output of the code scan is to generate a JSON file using Bandit's
SARIF format. This can be uploaded and rendered nicely into GitHub's
ecosystem as a "Code Scanning" application.

https://docs.github.com/en/actions/creating-actions/creating-a-composite-action

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb commented May 3, 2024

I don't know enough to approve this. How can we test it?

You can copy-and-paste this example action workflow:
https://github.com/securesauce/examples/blob/main/.github/workflows/bandit.yml

As long as you have some vulnerable code in your repo, the results will appear in the Security -> Code scanning tab. For example:
https://github.com/securesauce/examples/security/code-scanning?query=is%3Aopen+branch%3Amain+tool%3ABandit

@lukehinds

I totally missed this one, sorry about that. Taking a look now!

@lukehinds

How do you see this working with #6 , I guess that's no longer needed now (which I am totally fine with)?

ericwb commented Jun 5, 2024

How do you see this working with #6 , I guess that's no longer needed now (which I am totally fine with)?

Correct, this is an alternative to #6, and it leverages much of the native code scanning functionality to show the results.

ericwb commented Jun 23, 2024

Any further thoughts on this one before merging?

@ericwb ericwb merged commit c8f094f into PyCQA:main Jun 23, 2024
@ericwb ericwb deleted the composite-action branch June 23, 2024 14:49