Merge pull request #237 from tattle-made/hotfix

Hotfix

.github/workflows/bandit.yml

@@ -18,6 +18,16 @@ permissions:
 on:
   push:
     branches: [ "main" ]
+  pull_request:
+    branches:
+      - main
+      - development
+      - hotfix
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
   schedule:
     - cron: '55 4 * * 2'
 
@@ -36,9 +46,11 @@ jobs:
 
       - name: Bandit Scan
         uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
+        env:
+          EXIT_ZERO_VAL: ${{ (github.event_name != 'pull_request') && true || false }}
         with: # optional arguments
-          # exit with 0, even with results found
-          exit_zero: true # optional, default is DEFAULT
+          # exit with 1 on pull request, else exit with 0 even if results found (on push to main or cron job)
+          exit_zero: env.EXIT_ZERO_VAL # optional, default is DEFAULT
           # Github token of the repository (automatically created by Github)
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
           # File or directory to run bandit on

.github/workflows/pr-security.yml

@@ -97,20 +97,20 @@ jobs:
         with:
           sarif_file: 'trivy-results.sarif'
 
-      - name: Bandit Scan
-        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
-        with: # optional arguments
-          # exit with 0, even with results found
-          exit_zero: false # optional, default is DEFAULT
-          # File or directory to run bandit on
-          path: ./src/ # optional, default is .
-          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          # level: HIGH # optional, default is UNDEFINED
-          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          # confidence: # optional, default is UNDEFINED
-          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
-          # excluded_paths: # optional, default is DEFAULT
-          # comma-separated list of test IDs to skip
-          # skips: # optional, default is DEFAULT
-          # path to a .bandit file that supplies command line arguments
-          # ini_path: # optional, default is DEFAULT
+#      - name: Bandit Scan
+#        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
+#        with: # optional arguments
+#          # exit with 0, even with results found
+#          exit_zero: false # optional, default is DEFAULT
+#          # File or directory to run bandit on
+#          path: ./src/ # optional, default is .
+#          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+#          # level: HIGH # optional, default is UNDEFINED
+#          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+#          # confidence: # optional, default is UNDEFINED
+#          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+#          # excluded_paths: # optional, default is DEFAULT
+#          # comma-separated list of test IDs to skip
+#          # skips: # optional, default is DEFAULT
+#          # path to a .bandit file that supplies command line arguments
+#          # ini_path: # optional, default is DEFAULT