Convert to a composite action #10
Conversation
2a61821 to 5229e3c
I don't know enough to approve this. How can we test it?
Convert the current docker container based action into a composite action. A composite action no longer requires a Dockerfile or entrypoint script.

The actual action YAML now parameterizes the key selected arguments of Bandit into official inputs into the action.

The output of the code scan is to generate a JSON file using Bandit's SARIF format. This can be uploaded and rendered nicely into GitHub's ecosystem as a "Code Scanning" application.

https://docs.github.com/en/actions/creating-actions/creating-a-composite-action

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
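The shape of such a conversion, as an added illustration rather than this repository's own action.yml or the author's pasted workflow: a composite action that maps a few inputs onto Bandit flags and writes SARIF, plus a caller workflow that uploads the file to Code Scanning. Input names, defaults, file paths and the `bandit[sarif]` install are assumptions.

```yaml
# action.yml: composite action (assumed names; not the repository's own file)
name: 'Bandit scan'
description: 'Run Bandit and write a SARIF report for GitHub Code Scanning'
inputs:
  path:
    description: 'Directory or file to scan'
    default: '.'
  level:
    description: 'Minimum severity to report: low, medium or high'
    default: 'low'
  exit_zero:
    description: 'Exit 0 even when findings exist (report only)'
    default: 'false'
runs:
  using: composite
  steps:
    - run: python3 -m pip install --quiet 'bandit[sarif]'   # extra installs the SARIF formatter deps
      shell: bash
    - shell: bash
      env:   # pass inputs via env: inline ${{ }} is expanded before bash sees the script
        SCAN_PATH: ${{ inputs.path }}
        LEVEL: ${{ inputs.level }}
        EXIT_ZERO: ${{ inputs.exit_zero }}
      run: |
        args=(-r "$SCAN_PATH" -f sarif -o bandit.sarif)
        case "$LEVEL" in medium) args+=(-ll) ;; high) args+=(-lll) ;; esac
        if [ "$EXIT_ZERO" = "true" ]; then args+=(--exit-zero); fi
        bandit "${args[@]}"
---
# .github/workflows/bandit.yml: caller workflow (assumed)
name: Bandit
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # needed to upload SARIF to Code Scanning
jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./           # the composite action above, checked out with the repo
        with:
          path: src
          level: medium
          exit_zero: 'true'
      - uses: github/codeql-action/upload-sarif@v3
        if: always()     # upload even when bandit exits non-zero on findings
        with:
          sarif_file: bandit.sarif
```

With `exit_zero` left at its default, Bandit returns non-zero on any finding and the job itself fails; `if: always()` on the upload step keeps the SARIF flowing to the Security tab in either mode.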
You can copy-and-paste this example action workflow: As long as you have some vulnerable code in your repo, the results will appear in the Security -> Code scanning tab. For example:
I totally missed this one, sorry about that. Taking a look now!

How do you see this working with #6 , I guess that's no longer needed now (which I am totally fine with)?

Any further thoughts on this one before merging?