Skip to content

Merge pull request #213 from intel/dependabot/github_actions/actions/… #22

Merge pull request #213 from intel/dependabot/github_actions/actions/…

Merge pull request #213 from intel/dependabot/github_actions/actions/… #22

Workflow file for this run

name: Bandit Python Scans
on:
push:
pull_request:
schedule:
# Tuesdays at 9AM PST. GitHub Actions run in UTC.
- cron: '0 16 * * 2'
# Read only default permissions.
permissions: read-all
jobs:
bandit:
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
steps:
- name: "Checkout code"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Set up Python 3.x
uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
with:
python-version: "3.x"
- name: Install Python dependencies
run: pip install -r requirements.txt
- name: Run Bandit
run: |
bandit -r -c .github/bandit.yml \
-f sarif -o bandit_scan_results.sarif \
scripts
# Bandit will exit 1 if it detects issues. Our goal is to triage issues with the GitHub
# code scanning dashboard. Always continue to the archive and dashboard upload steps.
continue-on-error: true
- name: Archive scan results
uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
with:
name: bandit_scan_results
path: bandit_scan_results.sarif
retention-days: 10
- name: Upload to code-scanning dashboard
uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
with:
sarif_file: bandit_scan_results.sarif