Convert to a composite action (#10)

Convert the current docker container based action into a composite
action. A composite action no longer requires a Dockerfile or
entrypoint script.

The actual action YAML now parameterizes the key selected arguments of
Bandit into official inputs into the action.

The output of the code scan is to generate a JSON file using Bandit's
SARIF format. This can be uploaded and rendered nicely into GitHub's
ecosystem as a "Code Scanning" application.

https://docs.github.com/en/actions/creating-actions/creating-a-composite-action

Signed-off-by: Eric Brown <[email protected]>

action.yml

@@ -1,82 +1,144 @@
 name: Bandit
 description: Run Bandit
-author: '@ericwb'
+author: '@PyCQA'
+
+branding:
+  icon: 'shield'
+  color: 'yellow'
 
 inputs: 
-  args:
+  configfile:
+    description: |
+      Optional config file to use for selecting plugins and overriding defaults
+    required: false
+    default: 'DEFAULT'
+  profile:
+    description: |
+      Profile to use (defaults to executing all tests)
+    required: false
+    default: 'DEFAULT'
+  tests:
+    description: |
+      Comma-separated list of test IDs to run
+    required: false
+    default: 'DEFAULT'
+  skips:
+    description: |
+      Comma-separated list of test IDs to skip
+    required: false
+    default: 'DEFAULT'
+  severity:
+    description: |
+      Report only issues of a given severity level or higher. "all" and "low"
+      are likely to produce the same results, but it is possible for rules to
+      be undefined which will not be listed in "low". Options include:
+      {all, high, medium, low}
+    required: false
+    default: 'DEFAULT'
+  confidence:
+    description: |
+      Report only issues of a given confidence level or higher. "all" and "low"
+      are likely to produce the same results, but it is possible for rules to
+      be undefined which will not be listed in "low". Options include:
+      {all, high, medium, low}
+    required: false
+    default: 'DEFAULT'
+  exclude:
+    description: |
+      Comma-separated list of paths (glob patterns supported) to exclude from
+      scan (note that these are in addition to the excluded paths provided in
+      the config file)
+    required: false
+    default: '.svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg'
+  baseline:
+    description: |
+      Path of a baseline report to compare against (only JSON-formatted files
+      are accepted)
+    required: false
+    default: 'DEFAULT'
+  ini:
     description: |
-      Optional arguments:
-        -r, --recursive       find and process files in subdirectories
-        -a {file,vuln}, --aggregate {file,vuln}
-                              aggregate output by vulnerability (default) or by
-                              filename
-        -n CONTEXT_LINES, --number CONTEXT_LINES
-                              maximum number of code lines to output for each issue
-        -c CONFIG_FILE, --configfile CONFIG_FILE
-                              optional config file to use for selecting plugins and
-                              overriding defaults
-        -p PROFILE, --profile PROFILE
-                              profile to use (defaults to executing all tests)
-        -t TESTS, --tests TESTS
-                              comma-separated list of test IDs to run
-        -s SKIPS, --skip SKIPS
-                              comma-separated list of test IDs to skip
-        -l, --level           report only issues of a given severity level or higher
-                              (-l for LOW, -ll for MEDIUM, -lll for HIGH)
-        --severity-level {all,low,medium,high}
-                              report only issues of a given severity level or higher.
-                              "all" and "low" are likely to produce the same results,
-                              but it is possible for rules to be undefined which will
-                              not be listed in "low".
-        -i, --confidence      report only issues of a given confidence level or
-                              higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
-        --confidence-level {all,low,medium,high}
-                              report only issues of a given confidence level or higher.
-                              "all" and "low" are likely to produce the same results,
-                              but it is possible for rules to be undefined which will
-                              not be listed in "low".
-        -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
-                              specify output format
-        --msg-template MSG_TEMPLATE
-                              specify output message template (only usable with
-                              --format custom), see CUSTOM FORMAT section for list
-                              of available values
-        -o [OUTPUT_FILE], --output [OUTPUT_FILE]
-                              write report to filename
-        -v, --verbose         output extra information like excluded and included
-                              files
-        -d, --debug           turn on debug mode
-        -q, --quiet, --silent
-                              only show output in the case of an error
-        --ignore-nosec        do not skip lines with # nosec comments
-        -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
-                              comma-separated list of paths (glob patterns
-                              supported) to exclude from scan (note that these are
-                              in addition to the excluded paths provided in the
-                              config file) (default:
-                              .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
-        -b BASELINE, --baseline BASELINE
-                              path of a baseline report to compare against (only
-                              JSON-formatted files are accepted)
-        --ini INI_PATH        path to a .bandit file that supplies command line
-                              arguments
-        --exit-zero           exit with 0, even with results found
-        --version             show program's version number and exit
+      Path to a .bandit file that supplies command line arguments
     required: false
-    default: '-h'
+    default: 'DEFAULT'
   targets:
     description: |
       Source file(s) or directory(s) to be tested
     required: true
+    default: '.'
 
 runs:
-  using: docker
-  image: Dockerfile
-  args:
-    - ${{ inputs.args }}
-  env:
-    TARGETS: ${{ inputs.targets }}
+  using: composite
+  steps:
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v5
+      with:
+        python-version: 3.8
 
-branding:
-  icon: 'shield'
-  color: 'yellow'
+    - name: Install Bandit
+      shell: bash
+      run: pip install bandit[sarif]
+
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Run Bandit
+      shell: bash
+      run: |
+        if [ "$INPUT_CONFIGFILE" == "DEFAULT" ]; then
+            CONFIGFILE=""
+        else
+            CONFIGFILE="-c $INPUT_CONFIGFILE"
+        fi
+        if [ "$INPUT_PROFILE" == "DEFAULT" ]; then
+            PROFILE=""
+        else
+            PROFILE="-p $INPUT_PROFILE"
+        fi
+        if [ "$INPUT_TESTS" == "DEFAULT" ]; then
+            TESTS=""
+        else
+            TESTS="-t $INPUT_TESTS"
+        fi
+        if [ "$INPUT_SKIPS" == "DEFAULT" ]; then
+            SKIPS=""
+        else
+            SKIPS="-s $INPUT_SKIPS"
+        fi
+        if [ "$INPUT_SEVERITY" == "DEFAULT" ]; then
+            SEVERITY=""
+        else
+            SEVERITY="--severity-level $INPUT_SEVERITY"
+        fi
+        if [ "$INPUT_CONFIDENCE" == "DEFAULT" ]; then
+            CONFIDENCE=""
+        else
+            CONFIDENCE="--confidence-level $INPUT_CONFIDENCE"
+        fi
+        if [ "$INPUT_BASELINE" == "DEFAULT" ]; then
+            BASELINE=""
+        else
+            BASELINE="-b $INPUT_BASELINE"
+        fi
+        if [ "$INPUT_INI" == "DEFAULT" ]; then
+            INI=""
+        else
+            INI="--ini $INPUT_INI"
+        fi
+        bandit $CONFIGFILE $PROFILE $TESTS $SKIPS $SEVERITY $CONFIDENCE -x $INPUT_EXCLUDE $BASELINE $INI -r $INPUT_TARGETS -f sarif -o results.sarif || true
+      env:
+        INPUT_CONFIGFILE: ${{ inputs.configfile }}
+        INPUT_PROFILE: ${{ inputs.profile }}
+        INPUT_TESTS: ${{ inputs.tests }}
+        INPUT_SKIPS: ${{ inputs.skips }}
+        INPUT_SEVERITY: ${{ inputs.severity }}
+        INPUT_CONFIDENCE: ${{ inputs.confidence }}
+        INPUT_EXCLUDE: ${{ inputs.exclude }}
+        INPUT_BASELINE: ${{ inputs.baseline }}
+        INPUT_INI: ${{ inputs.ini }}
+        INPUT_TARGETS: ${{ inputs.targets }}
+
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: results.sarif