diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 08dec0bb..a791a0c7 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -18,6 +18,16 @@ permissions:
 on:
 push:
 branches: [ "main" ]
+ pull_request:
+ branches:
+ - main
+ - development
+ - hotfix
+ types:
+ - opened
+ - synchronize
+ - reopened
+ - ready_for_review
 schedule:
 - cron: '55 4 * * 2'
@@ -36,9 +46,11 @@ jobs:
 - name: Bandit Scan
 uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
+ env:
+ EXIT_ZERO_VAL: ${{ (github.event_name != 'pull_request') && true || false }}
 with: # optional arguments
- # exit with 0, even with results found
- exit_zero: true # optional, default is DEFAULT
+ # exit with 1 on pull request, else exit with 0 even if results found (on push to main or cron job)
+ exit_zero: env.EXIT_ZERO_VAL # optional, default is DEFAULT
 # Github token of the repository (automatically created by Github)
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
 # File or directory to run bandit on
diff --git a/.github/workflows/pr-security.yml b/.github/workflows/pr-security.yml
index 14adedf9..af8ee579 100644
--- a/.github/workflows/pr-security.yml
+++ b/.github/workflows/pr-security.yml
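Review bot: The `branches` filter under the new `pull_request` trigger matches the pull request's base (target) branch name, so the `hotfix` entry fires only for PRs whose target branch is literally named `hotfix`; if this repository uses `hotfix/<name>` branches, the entry needs a glob such as `- 'hotfix/**'`. I cannot see the branch naming convention from this diff, so confirm it against the repository before merging. Also, `opened` and `synchronize` fire for draft pull requests too, so adding `ready_for_review` to `types` does not limit the scan to non-draft PRs; if that was the intent, a job-level `if: github.event.pull_request.draft == false` is what achieves it.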
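Review bot: `exit_zero: env.EXIT_ZERO_VAL` hands the action the literal string `env.EXIT_ZERO_VAL`, not the computed value, because a `with:` input is only evaluated when the expression is wrapped in `${{ }}`; the action never receives `true` or `false`, so the comment's promise of failing pull requests on findings is not kept. The `env` indirection and the `&& true || false` idiom are also redundant, since the comparison already yields a boolean: `exit_zero: ${{ github.event_name != 'pull_request' }}` does the whole job and lets the added `env:` block be dropped. Worth checking the action's log on one PR run and one push run to confirm the input is received as `false` and `true` respectively. The enclosing `steps:` sequence begins before this hunk.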
@@ -97,20 +97,20 @@ jobs:
 with:
 sarif_file: 'trivy-results.sarif'
- - name: Bandit Scan
- uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
- with: # optional arguments
- # exit with 0, even with results found
- exit_zero: false # optional, default is DEFAULT
- # File or directory to run bandit on
- path: ./src/ # optional, default is .
- # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
- # level: HIGH # optional, default is UNDEFINED
- # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
- # confidence: # optional, default is UNDEFINED
- # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
- # excluded_paths: # optional, default is DEFAULT
- # comma-separated list of test IDs to skip
- # skips: # optional, default is DEFAULT
- # path to a .bandit file that supplies command line arguments
- # ini_path: # optional, default is DEFAULT
+# - name: Bandit Scan
+# uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
+# with: # optional arguments
+# # exit with 0, even with results found
+# exit_zero: false # optional, default is DEFAULT
+# # File or directory to run bandit on
+# path: ./src/ # optional, default is .
+# # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+# # level: HIGH # optional, default is UNDEFINED
+# # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+# # confidence: # optional, default is UNDEFINED
+# # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+# # excluded_paths: # optional, default is DEFAULT
+# # comma-separated list of test IDs to skip
+# # skips: # optional, default is DEFAULT
+# # path to a .bandit file that supplies command line arguments
+# # ini_path: # optional, default is DEFAULT
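Review bot: The Bandit step is commented out rather than deleted, leaving seventeen dead lines in `pr-security.yml` (including a pinned action SHA) that will silently drift from the live configuration now carried by `bandit.yml`; remove the block and let version control keep the history. With this step gone, Bandit gating of pull requests rests entirely on the `bandit.yml` workflow, and the removed step's `path: ./src/` and `exit_zero: false` are not visible in that workflow's hunks here, so confirm the PR scan still covers the same directory and still fails on findings. The enclosing job and its `steps:` sequence begin before this hunk.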