From e441f2e14291451d70b61ca955dae71ecc3646cd Mon Sep 17 00:00:00 2001
From: Aurora <5505558+duggalsu@users.noreply.github.com>
Date: Fri, 22 Mar 2024 15:47:09 +0530
Subject: [PATCH 1/7] ci: Fix bandit to run from single workflow

- Added bandit.yml to run on PR
- Disabled bandit from pr-security.yml
---
 .github/workflows/bandit.yml | 10 +++++++++
 .github/workflows/pr-security.yml | 34 +++++++++++++++----------------
 2 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 08dec0bb..dbbd6e97 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -18,6 +18,16 @@ permissions:
 on:
   push:
     branches: [ "main" ]
+  pull_request:
+    branches:
+      - main
+      - development
+      - hotfix
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
   schedule:
     - cron: '55 4 * * 2'
 
diff --git a/.github/workflows/pr-security.yml b/.github/workflows/pr-security.yml
index 14adedf9..af8ee579 100644
--- a/.github/workflows/pr-security.yml
+++ b/.github/workflows/pr-security.yml
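Review bot: The new `pull_request.branches` entries `development` and `hotfix` match only branches with exactly those names; if hotfix work lands on prefixed branches such as `hotfix/...`, the filter has to be the glob `- 'hotfix/**'` (verify against the repository's branch naming). The added block also mixes styles with the existing `branches: [ "main" ]` on the `push` trigger two lines above; writing that one as a block list too keeps the trigger section consistent. Using `pull_request` rather than `pull_request_target` is the right choice for a scanner that checks out and runs over PR code, since fork PRs then only get a read-only token; a one-line comment above `pull_request:` such as `# pull_request (not pull_request_target): PR code is untrusted, keep the read-only token` records that intent for the next person who is tempted to switch it.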
@@ -97,20 +97,20 @@ jobs:
       with:
         sarif_file: 'trivy-results.sarif'
 
-      - name: Bandit Scan
-        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
-        with: # optional arguments
-          # exit with 0, even with results found
-          exit_zero: false # optional, default is DEFAULT
-          # File or directory to run bandit on
-          path: ./src/ # optional, default is .
-          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          # level: HIGH # optional, default is UNDEFINED
-          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
-          # confidence: # optional, default is UNDEFINED
-          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
-          # excluded_paths: # optional, default is DEFAULT
-          # comma-separated list of test IDs to skip
-          # skips: # optional, default is DEFAULT
-          # path to a .bandit file that supplies command line arguments
-          # ini_path: # optional, default is DEFAULT
+#      - name: Bandit Scan
+#        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
+#        with: # optional arguments
+#          # exit with 0, even with results found
+#          exit_zero: false # optional, default is DEFAULT
+#          # File or directory to run bandit on
+#          path: ./src/ # optional, default is .
+#          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+#          # level: HIGH # optional, default is UNDEFINED
+#          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+#          # confidence: # optional, default is UNDEFINED
+#          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+#          # excluded_paths: # optional, default is DEFAULT
+#          # comma-separated list of test IDs to skip
+#          # skips: # optional, default is DEFAULT
+#          # path to a .bandit file that supplies command line arguments
+#          # ini_path: # optional, default is DEFAULT

From 764b8bbf79a9caa3f3445ad9d1981309739704ea Mon Sep 17 00:00:00 2001
From: Aurora <5505558+duggalsu@users.noreply.github.com>
Date: Fri, 22 Mar 2024 16:06:40 +0530
Subject: [PATCH 2/7] - Added conditional exit_zero for bandit

---
 .github/workflows/bandit.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index dbbd6e97..e316629c 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -46,9 +46,11 @@ jobs:
 
       - name: Bandit Scan
         uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
+        env:
+          EXIT_ZERO_VAL: ${{ (github.event_name == 'pull_request') && false || true }}
         with: # optional arguments
-          # exit with 0, even with results found
-          exit_zero: true # optional, default is DEFAULT
+          # exit with 1 on pull request, else exit with 0 even if results found (on push to main or cron job)
+          exit_zero: env.EXIT_ZERO_VAL # optional, default is DEFAULT
           # Github token of the repository (automatically created by Github)
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
           # File or directory to run bandit on

From 68923a683dffaeecb2697e51f7d5be16a7e51141 Mon Sep 17 00:00:00 2001
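Review bot: Disabling the step by commenting out all 17 lines leaves a dead, `#`-prefixed copy of the Bandit configuration (including the pinned `shundor/python-bandit-scan@9cc5aa4a…` ref) in pr-security.yml that will silently drift from the live copy in bandit.yml; deleting the block is cleaner, since git history keeps it and the commit message already records where it moved. If a pointer is wanted, a single `# Bandit now runs from .github/workflows/bandit.yml (pull_request trigger)` in place of the block says the same thing. The enclosing job starts before this hunk.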
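Review bot: `exit_zero: env.EXIT_ZERO_VAL` hands the action the literal string `env.EXIT_ZERO_VAL`, because `with:` values are only evaluated inside `${{ }}`; the action never sees `true` or `false`, so the event-dependent behaviour described in the comment above it does not take effect (what the action does with that string is up to its own parsing). The expression on the new `env:` line has a second problem: in the `cond && x || y` idiom a falsy `x` (`false` here) makes `||` fall through to `y`, so `EXIT_ZERO_VAL` is `true` for every event. Both go away by dropping the env indirection and writing the input as `exit_zero: ${{ github.event_name != 'pull_request' }}`, which is a real boolean that is `false` on pull requests and `true` on `push`/`schedule` runs.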
From: Aurora <5505558+duggalsu@users.noreply.github.com>
Date: Fri, 22 Mar 2024 16:16:18 +0530
Subject: [PATCH 3/7] - Fix env var boolean setting

---
 .github/workflows/bandit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index e316629c..5cb7851b 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -47,7 +47,7 @@ jobs:
       - name: Bandit Scan
         uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
         env:
-          EXIT_ZERO_VAL: ${{ (github.event_name == 'pull_request') && false || true }}
+          EXIT_ZERO_VAL: ${{ (github.event_name == 'pull_request') && ${{ false }} || ${{ true }} }}
         with: # optional arguments
           # exit with 1 on pull request, else exit with 0 even if results found (on push to main or cron job)
           exit_zero: env.EXIT_ZERO_VAL # optional, default is DEFAULT

From f85d164d8237b8a01d2f3ffa72c82c383f5268cd Mon Sep 17 00:00:00 2001
From: Aurora <5505558+duggalsu@users.noreply.github.com>
Date: Fri, 22 Mar 2024 16:38:04 +0530
Subject: [PATCH 4/7] - Set conditional falsy and truthy values

---
 .github/workflows/bandit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 5cb7851b..a7fbfc5a 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -47,7 +47,7 @@ jobs:
       - name: Bandit Scan
         uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
         env:
-          EXIT_ZERO_VAL: ${{ (github.event_name == 'pull_request') && ${{ false }} || ${{ true }} }}
+          EXIT_ZERO_VAL: ${{ (github.event_name == 'pull_request') && 0 || 1 }}
         with: # optional arguments
           # exit with 1 on pull request, else exit with 0 even if results found (on push to main or cron job)
           exit_zero: env.EXIT_ZERO_VAL # optional, default is DEFAULT

From 7f1315a3318f71cc4d915f974369a97c2e392f83 Mon Sep 17 00:00:00 2001
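Review bot: `(github.event_name == 'pull_request') && 0 || 1` evaluates to `1` for every event, because `0` is falsy in workflow expressions and `||` then falls through to its right-hand operand; the `cond && x || y` ternary only selects `x` when `x` itself is truthy, which is the same trap the `&& false || true` form fell into. Avoid the idiom altogether with a plain comparison, `EXIT_ZERO_VAL: ${{ github.event_name != 'pull_request' }}`, which is already the boolean this step wants. The input on the last context line, `exit_zero: env.EXIT_ZERO_VAL`, is unchanged here but is still a literal string rather than `${{ env.EXIT_ZERO_VAL }}`, so whatever this expression computes does not reach the action either way.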
From: Aurora <5505558+duggalsu@users.noreply.github.com>
Date: Fri, 22 Mar 2024 16:42:32 +0530
Subject: [PATCH 5/7] - Test switch conditional values

---
 .github/workflows/bandit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index a7fbfc5a..001e2c28 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -47,7 +47,7 @@ jobs:
       - name: Bandit Scan
         uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
         env:
-          EXIT_ZERO_VAL: ${{ (github.event_name == 'pull_request') && 0 || 1 }}
+          EXIT_ZERO_VAL: ${{ (github.event_name == 'pull_request') && true || false }}
         with: # optional arguments
           # exit with 1 on pull request, else exit with 0 even if results found (on push to main or cron job)
           exit_zero: env.EXIT_ZERO_VAL # optional, default is DEFAULT

From 2d488971013c8cdccc0fd84f320ad012571a7f9e Mon Sep 17 00:00:00 2001
From: Aurora <5505558+duggalsu@users.noreply.github.com>
Date: Fri, 22 Mar 2024 16:49:08 +0530
Subject: [PATCH 6/7] - Modify env settings

---
 .github/workflows/bandit.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 001e2c28..27cbc704 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -39,6 +39,9 @@ jobs:
       # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
+    env:
+      EXIT_ZERO_VAL: true
+
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -46,8 +49,9 @@ jobs:
 
       - name: Bandit Scan
         uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
+        if: github.event_name == 'pull_request'
         env:
-          EXIT_ZERO_VAL: ${{ (github.event_name == 'pull_request') && true || false }}
+          EXIT_ZERO_VAL: false
         with: # optional arguments
           # exit with 1 on pull request, else exit with 0 even if results found (on push to main or cron job)
           exit_zero: env.EXIT_ZERO_VAL # optional, default is DEFAULT

From fe03cb5059c53771f7d8f32098f678795be9037c Mon Sep 17 00:00:00 2001
From: Aurora <5505558+duggalsu@users.noreply.github.com>
Date: Fri, 22 Mar 2024 18:22:10 +0530
Subject: [PATCH 7/7] - Test inverted ternary operator

---
 .github/workflows/bandit.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 27cbc704..a791a0c7 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -39,9 +39,6 @@ jobs:
       # actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
-    env:
-      EXIT_ZERO_VAL: true
-
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -49,9 +46,8 @@ jobs:
 
       - name: Bandit Scan
         uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # v1.0
-        if: github.event_name == 'pull_request'
         env:
-          EXIT_ZERO_VAL: false
+          EXIT_ZERO_VAL: ${{ (github.event_name != 'pull_request') && true || false }}
         with: # optional arguments
           # exit with 1 on pull request, else exit with 0 even if results found (on push to main or cron job)
           exit_zero: env.EXIT_ZERO_VAL # optional, default is DEFAULT
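Review bot: `(github.event_name != 'pull_request') && true || false` is just `github.event_name != 'pull_request'` with extra steps; the shorter form reads as the boolean it is and avoids the `&& x || y` idiom, which silently returns the `||` operand whenever `x` is falsy (the reason the earlier `&& false || true` and `&& 0 || 1` variants in this series always produced the same value). The value still does not reach the action: the unchanged context line `exit_zero: env.EXIT_ZERO_VAL` passes that literal string rather than `${{ env.EXIT_ZERO_VAL }}`, so the `env:` block can be dropped and the input written directly as `exit_zero: ${{ github.event_name != 'pull_request' }}`. That line also deserves a comment on the consequence for `push` and `schedule` runs, e.g. `# non-PR runs never fail on findings; they surface only via the SARIF upload / code-scanning alerts`, since with exit_zero true on `main` the upload-sarif step referenced in the permissions comment (outside this hunk, presumably later in the job) is the only thing that makes the weekly scan visible.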