From 5ecd5da966697adccf1e9281039f58e4e251b7db Mon Sep 17 00:00:00 2001
From: Aurora <5505558+duggalsu@users.noreply.github.com>
Date: Mon, 11 Mar 2024 19:49:24 +0530
Subject: [PATCH 1/2] ci: Added bandit SAST scanning
---
.github/workflows/pr-security.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/.github/workflows/pr-security.yml b/.github/workflows/pr-security.yml
index 099ebf65..c682062e 100644
--- a/.github/workflows/pr-security.yml
+++ b/.github/workflows/pr-security.yml
@@ -85,3 +85,21 @@ jobs:
if: always()
with:
sarif_file: 'trivy-results.sarif'
+
+ - name: Bandit Scan
+ uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
+ with: # optional arguments
+ # exit with 0, even with results found
+ exit_zero: false # optional, default is DEFAULT
+ # File or directory to run bandit on
+ path: ./src/ # optional, default is .
+ # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+ level: HIGH # optional, default is UNDEFINED
+ # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+ # confidence: # optional, default is UNDEFINED
+ # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+ # excluded_paths: # optional, default is DEFAULT
+ # comma-separated list of test IDs to skip
+ # skips: # optional, default is DEFAULT
+ # path to a .bandit file that supplies command line arguments
+ # ini_path: # optional, default is DEFAULT
From 4802bea43852c1997a766ecf237d909d02639629 Mon Sep 17 00:00:00 2001
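Review bot: The new Bandit step leaves its findings only in the job log — unlike the Trivy step just above it in the hunk, which uploads `trivy-results.sarif` to code scanning under `if: always()`, nothing here persists or surfaces Bandit's results, so the only durable signal is the job failing through `exit_zero: false`. The action's README example additionally passes a `GITHUB_TOKEN` input so it can annotate the pull request; if the pinned revision needs that to report findings, the `with:` block is missing it — confirm against the action's inputs at commit `9cc5aa4a…` before relying on annotations. Pinning to a full commit SHA is the right choice; recording the release it corresponds to as a trailing comment, `uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c # <release tag placeholder>`, keeps the pin auditable when it is bumped later. The enclosing job, and any `permissions` it sets, starts outside the hunk.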
From: Aurora <5505558+duggalsu@users.noreply.github.com>
Date: Mon, 11 Mar 2024 19:56:07 +0530
Subject: [PATCH 2/2] ci: Disabled bandit level
---
.github/workflows/pr-security.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-security.yml b/.github/workflows/pr-security.yml
index c682062e..222eb7fb 100644
--- a/.github/workflows/pr-security.yml
+++ b/.github/workflows/pr-security.yml
@@ -94,7 +94,7 @@ jobs:
# File or directory to run bandit on
path: ./src/ # optional, default is .
# Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
- level: HIGH # optional, default is UNDEFINED
+ # level: HIGH # optional, default is UNDEFINED
# Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
# confidence: # optional, default is UNDEFINED
# comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
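Review bot: Commenting out `level: HIGH` while `exit_zero: false` stays in place (set a few lines above this hunk, visible in the first patch) turns the step into a blocking gate on every Bandit finding at any severity and any confidence, and with `confidence`, `skips` and `excluded_paths` all still commented out there is no other filter — low-severity, low-confidence checks will now fail the pull-request check, and nothing in the file records that this is intended. If the all-severity gate is deliberate, say so beside the disabled line, e.g. `# level intentionally unset: findings of every severity fail the check (exit_zero: false)`; if it is not, `confidence: MEDIUM` is the usual way to drop the noisiest findings while leaving the severity floor open. The `- name: Bandit Scan` step this hunk edits starts outside the hunk.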