diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..926b470
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions" # See documentation for possible values
+ directory: "/" # Location of action.yml
+ target-branch: "main"
+ rebase-strategy: "disabled"
+ # Labels on pull requests for version updates only
+ labels:
+ - "GitHub"
+ - "Testing"
+ assignees:
+ - "reactive-firewall"
+ commit-message:
+ prefix: "[UPDATE] "
+ include: "scope"
+ schedule:
+ interval: "weekly"
+ day: "tuesday"
diff --git a/README.md b/README.md
index 3c2edb9..d014525 100644
--- a/README.md
+++ b/README.md
@@ -11,12 +11,15 @@ Bandit is a tool designed to find common security issues in Python code. This ac To run a bandit scan include a step like this: ```yaml - uses: shundor/bandit-action@v1 - with: + uses: reactive-firewall/python-bandit-scan@v2.3 + with: # optional arguments + # Github token of the repository (automatically created by Github) + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. path: "." - level: high + level: low confidence: high - exit_zero: true + # exit with 0, even with results found + # exit_zero: true # optional, default is DEFAULT ``` ## Inputs
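Review bot: The `labels` entry names "GitHub" and "Testing", and as far as I recall Dependabot silently ignores any label that does not already exist in the repository rather than creating it, so these should be verified to exist or the update PRs will arrive unlabelled. The four header lines and the `# See documentation for possible values` trailer are the unedited template text from the docs link and can be dropped once the file is tailored. With `rebase-strategy: "disabled"` and `target-branch: "main"`, update PRs will not be rebased when main moves, so stale PRs will need a manual rebase before merge; worth a one-line comment such as `# rebases are disabled on purpose; rebase manually before merging` if that is intentional.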
@@ -66,4 +69,7 @@ The action will create an artifact containing the sarif output. ## Credits -- :bow: This action is based on [bandit-action](https://github.com/mdegis/bandit-action) by [Melih Değiş](https://github.com/mdegis/). \ No newline at end of file +- :bow: This action is based on [bandit-action](https://github.com/mdegis/bandit-action) by [Melih Değiş](https://github.com/mdegis/). +- :bow: This action is _also_ based on [python-bandit-scan](https://github.com/shundor/python-bandit-scan) by [shundor](https://github.com/shundor). +- :bow: This fork includes fixes proposed by [Kenta Nakase](https://github.com/parroty) and [Thiago Grisolfi](https://github.com/Grisolfi) and ["MrFired"](https://github.com/MrFired) ... 🎉 but automated by [@dependabot[bot]](https://github.com/apps/dependabot) +
diff --git a/action.yml b/action.yml
index df686a5..5a76acb 100644
--- a/action.yml
+++ b/action.yml
@@ -1,4 +1,4 @@
-name: 'Bandit Scan'
+name: 'Python Bandit Scan'
 description: 'Bandit Scan'
 branding:
 icon: arrow-left
@@ -32,6 +32,10 @@ inputs:
 description: 'path to a .bandit file that supplies command line arguments'
 required: false
 default: 'DEFAULT'
+ config_path:
+ description: 'path to a YAML or TOML file that supplies command line arguments'
+ required: false
+ default: 'DEFAULT'
 GITHUB_TOKEN:
 description: 'Github token of the repository (automatically created by Github)'
 required: true
@@ -102,7 +106,13 @@ runs:
 else
 INI_PATH="--ini $INPUT_INI_PATH"
 fi
-bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH
+
+ if [ "$INPUT_CONFIG_PATH" == "DEFAULT" ]; then
+ CONFIG_PATH=""
+ else
+ CONFIG_PATH="-c $INPUT_CONFIG_PATH"
+ fi
+ bandit -f sarif -o results.sarif -r $INPUT_PATH $LEVEL $CONFIDENCE $EXCLUDED_PATHS $EXIT_ZERO $SKIPS $INI_PATH $CONFIG_PATH
 env:
 INPUT_PATH: ${{ inputs.path }}
 INPUT_LEVEL: ${{ inputs.level }}
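Review bot: The new `config_path` input declared in the `@@ -32,6 +32,10 @@` hunk is not documented in the README: the README hunks in this diff touch only the usage example and the Credits list, so the Inputs section still lists only the pre-existing options and the new option stays undiscoverable. Its description, `'path to a YAML or TOML file that supplies command line arguments'`, is copied from `ini_path`; since the run step passes it to bandit as `-c`, a description that says so, e.g. `'path to a bandit config file (YAML or TOML), passed to bandit as -c'`, tells the user which file format bandit expects. A row for `config_path` in the README Inputs section, in the same format as the existing `ini_path` row, would complete the change.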
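Review bot: In the `@@ -102,7 +106,13 @@` hunk, `CONFIG_PATH="-c $INPUT_CONFIG_PATH"` is later expanded unquoted as `$CONFIG_PATH` on the bandit line, so a config path containing spaces or glob characters is word-split (and glob-expanded) into several arguments and bandit receives a wrong `-c` value; the same pattern already exists for `INI_PATH` a few lines up, so the pre-existing defect is being extended rather than fixed. Because the step already uses the bash-only `==` inside `[ ]` (the `shell:` key is outside the hunk, so I am assuming bash), an array keeps the argument intact: `CONFIG_PATH=()` for the default branch, `CONFIG_PATH=(-c "$INPUT_CONFIG_PATH")` otherwise, and `"${CONFIG_PATH[@]}"` in place of `$CONFIG_PATH` on the bandit line. An empty `config_path` (not `DEFAULT`) currently yields a bare `-c` as the last argument, which bandit should reject loudly; treating `""` like `DEFAULT` in the `if` would make that case explicit. The enclosing `run: |` block starts before this hunk.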
@@ -110,16 +120,18 @@ runs: INPUT_EXCLUDED_PATHS: ${{ inputs.excluded_paths }} INPUT_EXIT_ZERO: ${{ inputs.exit_zero }} INPUT_SKIPS: ${{ inputs.skips }} - INPUT_INI_PATH: ${{ inputs.ini_path }} + INPUT_INI_PATH: ${{ inputs.ini_path }} + INPUT_CONFIG_PATH: ${{ inputs.config_path }} - name: Upload artifact - uses: actions/upload-artifact@main + uses: actions/upload-artifact@v4 with: name: results.sarif path: results.sarif + overwrite: true - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif
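Review bot: `actions/upload-artifact@v4` and `github/codeql-action/upload-sarif@v3` are pinned to mutable tags, so a moved or re-published tag changes the code that runs inside every consumer of this composite action; pinning each step to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/upload-artifact@<full-commit-sha>  # v4`, fixes what runs, and the `github-actions` Dependabot entry added in this same commit is what keeps such SHA pins current. The `- INPUT_INI_PATH` / `+ INPUT_INI_PATH` pair shows no visible difference, presumably whitespace only. The `runs.steps` list this hunk edits starts before the hunk.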