This GitHub Action runs Bandit, a Python security linter, and integrates with reviewdog for inline PR comments. It supports configurable Bandit options (config file, flags, verbose mode) and reviewdog settings (tool name, report level, reporter). It also handles version management with action-bumpr and action-update-semver.

brunohaf/action-bandit
Bandit Reviewdog Action

This action runs Bandit, a security linter for Python code, and integrates with reviewdog to provide inline comments on pull requests. It is built using action composition for release automation.

If you want to create your own reviewdog action from scratch without using this template, please check and copy the release automation flow. It's important to manage the release workflow and keep the reviewdog version in sync across all reviewdog actions.

This repo contains a sample action to run misspell.

Input

inputs:
  github_token:
    description: "GITHUB_TOKEN"
    default: "${{ github.token }}"
  workdir:
    description: "Working directory relative to the root directory."
    default: "."
  bandit_config:
    description: "Path to Bandit configuration file."
    default: "pyproject.toml"
  bandit_flags:
    description: "Additional flags for Bandit."
    default: ""
  verbose:
    description: "Enable verbose mode."
    default: "false"
  ### Flags for reviewdog ###
  tool_name:
    description: "Tool name to use for reviewdog reporter."
    default: "bandit"
  level:
    description: "Report level for reviewdog [info,warning,error]."
    default: "error"
  reporter:
    description: "Reporter for reviewdog [github-check,github-pr-review,github-pr-check]."
    default: "github-check"
  filter_mode:
    description: "Filtering mode for reviewdog [added,diff_context,file,nofilter]."
    default: "added"
  fail_on_error:
    description: "Exit code for reviewdog when errors are found [true,false]."
    default: "false"
  reviewdog_flags:
    description: "Additional reviewdog flags."
    default: ""

Usage

name: Run Bandit
on: [pull_request]
jobs:
  bandit:
    name: Bandit Security Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: brunohaf/action-bandit@v1
        with:
          github_token: ${{ secrets.github_token }}
          # Change reviewdog reporter if needed [github-check,github-pr-review,github-pr-check]
          reporter: github-pr-review
          # Change reporter level if needed
          # GitHub Status Check won't become a failure with warning level
          level: warning
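To make the inputs above concrete, here is an added example (not part of this repository) of the glue that sits between the two tools the action wires together: it converts Bandit's `-f json` output into reviewdog's rdjson diagnostic format, mapping Bandit's LOW/MEDIUM/HIGH severities to reviewdog's INFO/WARNING/ERROR and applying a minimum level in the spirit of the `level` input. The severity mapping and the threshold filter are assumptions made for this example, and the embedded Bandit report is constructed, so the script runs offline.

```python
"""Convert a Bandit JSON report into reviewdog's rdjson format.

Added example, not the action's own code. The severity mapping, the
minimum-level filter and the sample report below are assumptions
made for illustration.
"""
import json
import sys

# Bandit severity -> rdjson severity (mapping chosen for this example).
SEVERITY_MAP = {"LOW": "INFO", "MEDIUM": "WARNING", "HIGH": "ERROR"}
# Ordering used to honour a minimum level such as the action's `level` input.
RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed Bandit report with two findings of different severity.
SAMPLE_BANDIT_JSON = json.dumps({
    "errors": [],
    "results": [
        {
            "filename": "app/util.py", "line_number": 12, "col_offset": 4,
            "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
            "test_id": "B602",
            "test_name": "subprocess_popen_with_shell_equals_true",
            "issue_text": "subprocess call with shell=True identified, security issue.",
            "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html",
        },
        {
            "filename": "app/settings.py", "line_number": 3, "col_offset": 0,
            "issue_severity": "LOW", "issue_confidence": "MEDIUM",
            "test_id": "B105", "test_name": "hardcoded_password_string",
            "issue_text": "Possible hardcoded password: 'changeme'",
            "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html",
        },
    ],
})


def to_rdjson(bandit_json: str, min_level: str = "info") -> dict:
    """Return an rdjson document for every Bandit result at or above min_level.

    Bandit reports a 0-based col_offset; rdjson columns are 1-based, so the
    column is shifted by one. Results with an unknown severity are kept and
    tagged UNKNOWN_SEVERITY so that nothing is silently dropped.
    """
    report = json.loads(bandit_json)
    threshold = RANK[min_level.upper()]
    diagnostics = []
    for result in report.get("results", []):
        severity = SEVERITY_MAP.get(result["issue_severity"], "UNKNOWN_SEVERITY")
        if severity != "UNKNOWN_SEVERITY" and RANK[severity] < threshold:
            continue
        diagnostics.append({
            "message": f"{result['test_name']}: {result['issue_text']}",
            "location": {
                "path": result["filename"],
                "range": {
                    "start": {
                        "line": result["line_number"],
                        "column": result["col_offset"] + 1,
                    }
                },
            },
            "severity": severity,
            "code": {"value": result["test_id"], "url": result["more_info"]},
        })
    return {
        "source": {"name": "bandit", "url": "https://bandit.readthedocs.io/"},
        "diagnostics": diagnostics,
    }


def main() -> None:
    # Intended pipeline (assumed, not the action's implementation):
    #   bandit -f json -r . | python bandit_to_rdjson.py warning \
    #     | reviewdog -f=rdjson -name=bandit -reporter=github-pr-review
    min_level = sys.argv[1] if len(sys.argv) > 1 else "info"
    json.dump(to_rdjson(sys.stdin.read(), min_level), sys.stdout)


if __name__ == "__main__":
    main()
```

With `min_level="warning"` only the B602 finding survives, which is the behaviour a practitioner would expect from the `level: warning` setting in the workflow above: LOW-severity noise stays out of the review thread while MEDIUM and HIGH findings are posted inline.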

Development

Release

This action updates major/minor release tags on a tag push. For example, it updates the v1 and v1.2 tags when v1.2.3 is released. ref: https://help.github.com/en/articles/about-actions#versioning-your-action

Lint - reviewdog integration

This reviewdog action is itself integrated with reviewdog to run lints, which is useful for actions built with action composition.

Supported linters:

Dependencies Update Automation

This repository uses reviewdog/action-depup to update reviewdog version.
