Run Python Bandit scan on your codebase.
Bandit is a tool designed to find common security issues in Python code. This action will run Bandit on your codebase. The results of the scan will be found under the Security tab of your repository.
To run a bandit scan include a step like this:
uses: reactive-firewall/python-bandit-scan@v2.3
with: # optional arguments
# Github token of the repository (automatically created by Github)
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
path: "."
level: low
confidence: high
# exit with 0, even with results found
# exit_zero: true # optional, default is DEFAULT
Optional The path to run bandit on
Default "."
Optional Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything).
Default "UNDEFINED"
Optional Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything).
Default "UNDEFINED"
Optional Comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default is from the Bandit itself)
Default ".svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg"
Optional Exit with 0, even with results found (set "true"
to use it)
Optional Comma-separated list of test IDs to skip
Optional Path to a .bandit file that supplies command line arguments
The action will create an artifact containing the sarif output.
- 🙇 This action is based on bandit-action by Melih Değiş.
- 🙇 This action is also based on python-bandit-scan by shundor.
- 🙇 This fork includes fixes proposed by Kenta Nakase and Thiago Grisolfi and "MrFired" ... 🎉 but automated by @dependabot[bot]