diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 5c0d674..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,10 +0,0 @@
-FROM python:3.8-slim
-
-LABEL "maintainer"="PyCQA "
-LABEL "repository"="https://github.com/PyCQA/bandit-action"
-LABEL "homepage"="https://github.com/PyCQA/bandit-action"
-
-RUN pip install bandit
-
-ADD entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
diff --git a/action.yml b/action.yml
index 7e835d3..1e529e8 100644
--- a/action.yml
+++ b/action.yml
@@ -1,82 +1,144 @@
 name: Bandit
 description: Run Bandit
-author: '@ericwb'
+author: '@PyCQA'
+
+branding:
+ icon: 'shield'
+ color: 'yellow'
 inputs:
- args:
+ configfile:
+ description: |
+ Optional config file to use for selecting plugins and overriding defaults
+ required: false
+ default: 'DEFAULT'
+ profile:
+ description: |
+ Profile to use (defaults to executing all tests)
+ required: false
+ default: 'DEFAULT'
+ tests:
+ description: |
+ Comma-separated list of test IDs to run
+ required: false
+ default: 'DEFAULT'
+ skips:
+ description: |
+ Comma-separated list of test IDs to skip
+ required: false
+ default: 'DEFAULT'
+ severity:
+ description: |
+ Report only issues of a given severity level or higher. "all" and "low"
+ are likely to produce the same results, but it is possible for rules to
+ be undefined which will not be listed in "low". Options include:
+ {all, high, medium, low}
+ required: false
+ default: 'DEFAULT'
+ confidence:
+ description: |
+ Report only issues of a given confidence level or higher. "all" and "low"
+ are likely to produce the same results, but it is possible for rules to
+ be undefined which will not be listed in "low". Options include:
+ {all, high, medium, low}
+ required: false
+ default: 'DEFAULT'
+ exclude:
+ description: |
+ Comma-separated list of paths (glob patterns supported) to exclude from
+ scan (note that these are in addition to the excluded paths provided in
+ the config file)
+ required: false
+ default: '.svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg'
+ baseline:
+ description: |
+ Path of a baseline report to compare against (only JSON-formatted files
+ are accepted)
+ required: false
+ default: 'DEFAULT'
+ ini:
 description: |
- Optional arguments:
- -r, --recursive find and process files in subdirectories
- -a {file,vuln}, --aggregate {file,vuln}
- aggregate output by vulnerability (default) or by
- filename
- -n CONTEXT_LINES, --number CONTEXT_LINES
- maximum number of code lines to output for each issue
- -c CONFIG_FILE, --configfile CONFIG_FILE
- optional config file to use for selecting plugins and
- overriding defaults
- -p PROFILE, --profile PROFILE
- profile to use (defaults to executing all tests)
- -t TESTS, --tests TESTS
- comma-separated list of test IDs to run
- -s SKIPS, --skip SKIPS
- comma-separated list of test IDs to skip
- -l, --level report only issues of a given severity level or higher
- (-l for LOW, -ll for MEDIUM, -lll for HIGH)
- --severity-level {all,low,medium,high}
- report only issues of a given severity level or higher.
- "all" and "low" are likely to produce the same results,
- but it is possible for rules to be undefined which will
- not be listed in "low".
- -i, --confidence report only issues of a given confidence level or
- higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
- --confidence-level {all,low,medium,high}
- report only issues of a given confidence level or higher.
- "all" and "low" are likely to produce the same results,
- but it is possible for rules to be undefined which will
- not be listed in "low".
- -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
- specify output format
- --msg-template MSG_TEMPLATE
- specify output message template (only usable with
- --format custom), see CUSTOM FORMAT section for list
- of available values
- -o [OUTPUT_FILE], --output [OUTPUT_FILE]
- write report to filename
- -v, --verbose output extra information like excluded and included
- files
- -d, --debug turn on debug mode
- -q, --quiet, --silent
- only show output in the case of an error
- --ignore-nosec do not skip lines with # nosec comments
- -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
- comma-separated list of paths (glob patterns
- supported) to exclude from scan (note that these are
- in addition to the excluded paths provided in the
- config file) (default:
- .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
- -b BASELINE, --baseline BASELINE
- path of a baseline report to compare against (only
- JSON-formatted files are accepted)
- --ini INI_PATH path to a .bandit file that supplies command line
- arguments
- --exit-zero exit with 0, even with results found
- --version show program's version number and exit
+ Path to a .bandit file that supplies command line arguments
 required: false
- default: '-h'
+ default: 'DEFAULT'
 targets:
 description: |
 Source file(s) or directory(s) to be tested
 required: true
+ default: '.'
 runs:
- using: docker
- image: Dockerfile
- args:
- - ${{ inputs.args }}
- env:
- TARGETS: ${{ inputs.targets }}
+ using: composite
+ steps:
+ - name: Set up Python 3.8
+ uses: actions/setup-python@v5
+ with:
+ python-version: 3.8
-branding:
- icon: 'shield'
- color: 'yellow'
+ - name: Install Bandit
+ shell: bash
+ run: pip install bandit[sarif]
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Run Bandit
+ shell: bash
+ run: |
+ if [ "$INPUT_CONFIGFILE" == "DEFAULT" ]; then
+ CONFIGFILE=""
+ else
+ CONFIGFILE="-c $INPUT_CONFIGFILE"
+ fi
+ if [ "$INPUT_PROFILE" == "DEFAULT" ]; then
+ PROFILE=""
+ else
+ PROFILE="-p $INPUT_PROFILE"
+ fi
+ if [ "$INPUT_TESTS" == "DEFAULT" ]; then
+ TESTS=""
+ else
+ TESTS="-t $INPUT_TESTS"
+ fi
+ if [ "$INPUT_SKIPS" == "DEFAULT" ]; then
+ SKIPS=""
+ else
+ SKIPS="-s $INPUT_SKIPS"
+ fi
+ if [ "$INPUT_SEVERITY" == "DEFAULT" ]; then
+ SEVERITY=""
+ else
+ SEVERITY="--severity-level $INPUT_SEVERITY"
+ fi
+ if [ "$INPUT_CONFIDENCE" == "DEFAULT" ]; then
+ CONFIDENCE=""
+ else
+ CONFIDENCE="--confidence-level $INPUT_CONFIDENCE"
+ fi
+ if [ "$INPUT_BASELINE" == "DEFAULT" ]; then
+ BASELINE=""
+ else
+ BASELINE="-b $INPUT_BASELINE"
+ fi
+ if [ "$INPUT_INI" == "DEFAULT" ]; then
+ INI=""
+ else
+ INI="--ini $INPUT_INI"
+ fi
+ bandit $CONFIGFILE $PROFILE $TESTS $SKIPS $SEVERITY $CONFIDENCE -x $INPUT_EXCLUDE $BASELINE $INI -r $INPUT_TARGETS -f sarif -o results.sarif || true
+ env:
+ INPUT_CONFIGFILE: ${{ inputs.configfile }}
+ INPUT_PROFILE: ${{ inputs.profile }}
+ INPUT_TESTS: ${{ inputs.tests }}
+ INPUT_SKIPS: ${{ inputs.skips }}
+ INPUT_SEVERITY: ${{ inputs.severity }}
+ INPUT_CONFIDENCE: ${{ inputs.confidence }}
+ INPUT_EXCLUDE: ${{ inputs.exclude }}
+ INPUT_BASELINE: ${{ inputs.baseline }}
+ INPUT_INI: ${{ inputs.ini }}
+ INPUT_TARGETS: ${{ inputs.targets }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
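Review bot: The `|| true` on the `bandit … -f sarif -o results.sarif` line in the Run Bandit step swallows every non-zero exit, including genuine scanner failures such as an unreadable config file or a bad target path, so the following upload step then fails on a missing `results.sarif` with the real cause hidden in the log. Bandit's own `--exit-zero` flag (still visible in the removed help text) returns 0 only for a completed scan with findings, so `… -f sarif -o results.sarif --exit-zero` keeps the SARIF-upload flow while letting scanner errors fail the step. The unquoted `$INPUT_CONFIGFILE`, `$INPUT_EXCLUDE` and `$INPUT_TARGETS` expansions also word-split and glob against the checked-out tree (the default exclude contains `*.egg`); building the command line as a quoted bash array avoids that, as sketched below. For a security scanner, `pip install bandit[sarif]` should be version-pinned and the `actions/setup-python@v5`, `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` references pinned to commit SHAs rather than mutable major tags, so the action's own supply chain is reproducible.
```yaml
      run: |
        args=()
        if [ "$INPUT_CONFIGFILE" != "DEFAULT" ]; then args+=(-c "$INPUT_CONFIGFILE"); fi
        if [ "$INPUT_PROFILE" != "DEFAULT" ]; then args+=(-p "$INPUT_PROFILE"); fi
        if [ "$INPUT_TESTS" != "DEFAULT" ]; then args+=(-t "$INPUT_TESTS"); fi
        if [ "$INPUT_SKIPS" != "DEFAULT" ]; then args+=(-s "$INPUT_SKIPS"); fi
        if [ "$INPUT_SEVERITY" != "DEFAULT" ]; then args+=(--severity-level "$INPUT_SEVERITY"); fi
        if [ "$INPUT_CONFIDENCE" != "DEFAULT" ]; then args+=(--confidence-level "$INPUT_CONFIDENCE"); fi
        if [ "$INPUT_BASELINE" != "DEFAULT" ]; then args+=(-b "$INPUT_BASELINE"); fi
        if [ "$INPUT_INI" != "DEFAULT" ]; then args+=(--ini "$INPUT_INI"); fi
        # targets may be a space-separated list: split on whitespace only, never glob
        read -ra targets <<< "$INPUT_TARGETS"
        # --exit-zero: findings go to SARIF, but a scanner error still fails the step
        bandit "${args[@]}" -x "$INPUT_EXCLUDE" -r "${targets[@]}" -f sarif -o results.sarif --exit-zero
      # … unchanged: env mapping of INPUT_* from inputs …
```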
diff --git a/entrypoint.sh b/entrypoint.sh
deleted file mode 100644
index 5321f2d..0000000
--- a/entrypoint.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-set -e
-
-sh -c "bandit $*"