feat(bandit): Add Bandit to CI pipeline

Signed-off-by: Scott Schreckengaust <[email protected]>
awslabs · Nov 16, 2023 · 0661fe3 · 0661fe3
1 parent 8ed1d22
commit 0661fe3
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 0 deletions.
diff --git a/.gitattributes b/.gitattributes
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
diff --git a/.gitignore b/.gitignore
diff --git a/.projen/files.json b/.projen/files.json
diff --git a/.projenrc.ts b/.projenrc.ts
@@ -19,6 +19,7 @@ import {
   buildAutoApproveWorkflow,
   buildOrtToolkitWorkflow,
   runSemGrepWorkflow,
+  runBanditWorkflow,
 } from './projenrc/github-workflows';
 
 // Constants
@@ -94,6 +95,7 @@ buildUpdateContributorsWorkflow(project);
 buildAutoApproveWorkflow(project);
 buildOrtToolkitWorkflow(project);
 runSemGrepWorkflow(project);
+runBanditWorkflow(project);
 
 // Add specific overrides https://projen.io/github.html#actions-versions
 project.github?.actions.set("actions/checkout@v3", "actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744");

diff --git a/projenrc/github-workflows.ts b/projenrc/github-workflows.ts
@@ -346,3 +346,79 @@ export function runSemGrepWorkflow(project: AwsCdkConstructLibrary) {
     }
   }
 }
+
+/**
+ * https://github.com/mdegis/bandit-action
+ * Runs Bandit on the repository.
+ * @param project AwsCdkConstructLibrary
+ */
+export function runBanditWorkflow(project: AwsCdkConstructLibrary) {
+  const bandit: Job = {
+    name: 'bandit/ci',
+    runsOn: ['ubuntu-latest'],
+    // container: {
+    //   image: 'returntocorp/semgrep',
+    // },
+    permissions: {
+      contents: JobPermission.READ,
+      pullRequests: JobPermission.READ,
+      securityEvents: JobPermission.WRITE,
+      actions: JobPermission.READ,
+    },
+    if: "(github.actor != 'dependabot[bot]')",
+
+    steps: [
+      {
+        name: 'Checkout project',
+        uses: 'actions/checkout@v3',
+      },
+      {
+        name: 'Setup Python',
+        uses: 'actions/setup-python@v4',
+      },
+      {
+        name: 'Run Bandit',
+        run: 'bandit --recursive --format html --output bandit-report.html .',
+      },
+      {
+        name: 'Store Bandit as Artifact',
+        uses: 'actions/upload-artifact@v3',
+        with: {
+          name: 'bandit-report.html',
+          path: 'bandit-report.html',
+        },
+      },
+      // `awslabs` has the Advanced Security disabled.
+      // {
+      //   name: 'Upload SARIF file for GitHub Advanced Security Dashboard',
+      //   uses: 'github/codeql-action/upload-sarif@v2',
+      //   with: {
+      //     sarif_file: 'semgrep.sarif',
+      //   },
+      //   if: 'always()',
+      // },
+    ],
+  };
+
+  if (project.github) {
+    const workflow = project.github.addWorkflow('bandit');
+    if (workflow) {
+      workflow.on({
+        pullRequest: {},
+        workflowDispatch: {
+        },
+        push: {
+          branches: [
+            'main',
+          ],
+        },
+        schedule: [
+          { cron: '20 17 * * *' },
+        ],
+      });
+      workflow.addJobs({
+        bandit: bandit,
+      });
+    }
+  }
+}