Skip to content

Bandit Python Scans #20

Bandit Python Scans

Bandit Python Scans #20

Workflow file for this run

name: Bandit Python Scans
on:
push:
pull_request:
schedule:
# Tuesdays at 9AM PST. GitHub Actions run in UTC.
- cron: '0 16 * * 2'
# Read only default permissions.
permissions: read-all
jobs:
bandit:
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
steps:
- name: "Checkout code"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Python 3.x
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: "3.x"
- name: Install Python dependencies
run: pip install -r requirements.txt
- name: Run Bandit
run: |
bandit -r -c .github/bandit.yml \
-f sarif -o bandit_scan_results.sarif \
scripts
# Bandit will exit 1 if it detects issues. Our goal is to triage issues with the GitHub
# code scanning dashboard. Always continue to the archive and dashboard upload steps.
continue-on-error: true
- name: Archive scan results
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: bandit_scan_results
path: bandit_scan_results.sarif
retention-days: 10
- name: Upload to code-scanning dashboard
uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
with:
sarif_file: bandit_scan_results.sarif