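# Composite action: runs bandit (static analysis) and pip-audit (dependency
# vulnerabilities) and lets the Python module under $GITHUB_ACTION_PATH decide
# whether findings block the job. Every `inputs.*` value is a string, so
# boolean-looking defaults are quoted deliberately.
name: Python Security Auditing
description: Run bandit and pip-audit security scans on Python code and report findings
author: Development Seed

inputs:
  tools:
    description: Comma-separated tools to run (bandit, pip-audit)
    default: bandit,pip-audit
  bandit_scan_dirs:
    # Relative to working_directory; resolved to workspace paths in the first step.
    description: Comma-separated directories for bandit to scan
    default: '.'
  bandit_severity_threshold:
    description: Minimum bandit severity that blocks the job (high, medium, low)
    default: high
  pip_audit_block_on:
    description: When to block on pip-audit findings — fixable, all, or none
    default: fixable
  package_manager:
    description: How to resolve dependencies for pip-audit (uv, pip, poetry, pipenv, requirements)
    default: requirements
  requirements_file:
    description: Path to requirements file when package_manager=requirements
    default: requirements.txt
  comment_on:
    description: When to post a PR comment — never, blocking (only when issues block the job), or always
    default: 'never'
  github_token:
    # Only needed for comment_on != never; the default token is scoped to the
    # calling workflow's permissions.
    description: GitHub token used for posting PR comments
    default: ${{ github.token }}
  working_directory:
    description: Directory to run the audit from (useful when the project is in a subdirectory)
    default: '.'
  artifact_name:
    description: Name of the artifact uploaded by the action
    default: security-audit-reports
  debug:
    description: Enable debug logging for the Python audit module
    default: 'false'

runs:
  using: composite
  steps:
    # Inputs reach the script through `env`, not by interpolating `${{ }}` into
    # `run`, so a crafted directory list cannot inject shell syntax.
    - name: Resolve bandit targets
      if: contains(inputs.tools, 'bandit')
      id: resolve-targets
      shell: bash
      env:
        WORKING_DIRECTORY: ${{ inputs.working_directory }}
        BANDIT_SCAN_DIRS: ${{ inputs.bandit_scan_dirs }}
      run: |
        if [[ "$WORKING_DIRECTORY" == "." ]]; then
          echo "targets=$BANDIT_SCAN_DIRS" >> "$GITHUB_OUTPUT"
        else
          # Prefix each comma-separated entry with the working directory; a bare
          # "." maps to the working directory itself.
          resolved=""
          IFS=',' read -ra parts <<< "$BANDIT_SCAN_DIRS"
          for part in "${parts[@]}"; do
            [[ "$part" == "." ]] && t="$WORKING_DIRECTORY" || t="$WORKING_DIRECTORY/$part"
            resolved="${resolved:+$resolved }$t"
          done
          echo "targets=$resolved" >> "$GITHUB_OUTPUT"
        fi

    # continue-on-error: the job keeps running so the audit step can apply the
    # severity threshold; pass/fail is decided in the final step.
    - name: Run Bandit (static security analysis)
      if: contains(inputs.tools, 'bandit')
      continue-on-error: true
      # Pinned to a full commit SHA. TODO: record the matching release tag here
      # (e.g. "# vX.Y.Z") as the other pinned actions below do.
      uses: lhoupert/bandit-action@18022d5292d04b21fae1bfa44597b94402ba7365
      with:
        targets: ${{ steps.resolve-targets.outputs.targets }}

    - name: Set up uv
      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
      with:
        python-version: '3.13'

    # The audit module reads its configuration from the environment below.
    # BANDIT_SARIF_PATH must match the path collected by the upload step.
    # PR_NUMBER is empty unless the workflow runs on a pull_request event.
    - name: Run security audit
      id: audit
      shell: bash
      continue-on-error: true
      working-directory: ${{ inputs.working_directory }}
      env:
        TOOLS: ${{ inputs.tools }}
        BANDIT_SEVERITY_THRESHOLD: ${{ inputs.bandit_severity_threshold }}
        BANDIT_SARIF_PATH: ${{ github.workspace }}/results.sarif
        PIP_AUDIT_BLOCK_ON: ${{ inputs.pip_audit_block_on }}
        PACKAGE_MANAGER: ${{ inputs.package_manager }}
        REQUIREMENTS_FILE: ${{ inputs.requirements_file }}
        COMMENT_ON: ${{ inputs.comment_on }}
        GITHUB_TOKEN: ${{ inputs.github_token }}
        PR_NUMBER: ${{ github.event.pull_request.number }}
        INPUT_DEBUG: ${{ inputs.debug }}
        RUNNER_DEBUG: ${{ runner.debug }}
      # --no-project: run the action's own package, not the scanned repo's project.
      run: uv run --no-project --with "$GITHUB_ACTION_PATH" python -m python_security_auditing

    # Reports are uploaded even when the audit failed so findings can be reviewed.
    - name: Upload ${{ inputs.artifact_name }}
      if: always()
      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
      with:
        name: ${{ inputs.artifact_name }}
        path: |
          ${{ inputs.working_directory }}/pip-audit-report.json
          ${{ github.workspace }}/results.sarif
        if-no-files-found: ignore

    # The audit step is continue-on-error, so its outcome is surfaced here as the
    # job's result after the artifact has been uploaded.
    - name: Fail if blocking issues found
      if: steps.audit.outcome == 'failure'
      shell: bash
      run: exit 1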