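# Reusable workflow: runs Bandit (Python static security analysis) against the
# project tree at a caller-supplied commit and publishes the report as an
# artifact.
#
# Nothing here pushes, comments or writes to the repository, so the job only
# needs read access to the checkout (see `permissions` below).
name: "Bandit"

on:
  workflow_call:
    inputs:
      head_sha:
        description: "Commit SHA to check out and scan"
        required: true
        type: string

# Least privilege for GITHUB_TOKEN. A called workflow can only narrow the
# caller's token, never widen it, and upload-artifact authenticates with the
# runner's runtime token rather than GITHUB_TOKEN, so `contents: read` is all
# this job needs.
permissions:
  contents: read

env:
  # Exact pin so scan results are reproducible run-to-run; a floating version
  # would make findings from new checks indistinguishable from new code.
  BANDIT_VERSION: '1.7.8'
  PROJECT_PATH: 'label_studio/'
  REPORT_PATH: 'bandit_results/bandit_security_report.txt'
  # Mirrors the repository secret into the job environment. NOTE(review): step
  # debug logging is switched on by the ACTIONS_STEP_DEBUG secret/variable
  # itself; this entry only exposes its value (empty when the secret is unset)
  # so steps can read it, e.g. in an `if:` condition.
  ACTIONS_STEP_DEBUG: '${{ secrets.ACTIONS_STEP_DEBUG }}'

jobs:
  bandit:
    name: "Bandit"
    timeout-minutes: 5
    runs-on: ubuntu-latest
    steps:
      # Supply chain: every third-party action in this job is pinned to a
      # mutable tag. For a security-scanning workflow prefer pinning to a full
      # commit SHA (`uses: owner/repo@<40-hex-sha> # vX.Y.Z`) so a moved or
      # force-pushed tag cannot substitute different code.
      #
      # Debug helper that prints workflow context to the job log (confirm
      # against the action's README). It is extra third-party code running
      # inside a security job; consider removing it or gating it behind
      # `if: env.ACTIONS_STEP_DEBUG == 'true'`.
      - uses: hmarr/debug-action@v3.0.0

      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Caller-supplied SHA. It is consumed through `with:` (passed to the
          # action as an input, not expanded into a shell line), so an odd
          # string here cannot inject into a shell. Caveat: if the caller is a
          # pull_request_target workflow this checks out the PR head; Bandit
          # only reads the code, but any later step that executed it would be
          # running untrusted input under this job's token.
          ref: ${{ inputs.head_sha }}
          # No later step pushes or fetches with auth, so do not leave the
          # GITHUB_TOKEN behind in .git/config for subsequent steps to read.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.13'

      - name: Install Bandit
        # Version is pinned via BANDIT_VERSION above. Transitive dependencies
        # are not hash-pinned here; add a requirements file with
        # `--require-hashes` if full reproducibility of the scanner is needed.
        run: |
          pip install "bandit==${BANDIT_VERSION}"

      - name: Run Bandit
        # Bandit exits non-zero when it reports findings, which fails this step;
        # the report is still printed and uploaded by the `always()` steps
        # below. `-ll` restricts the report to MEDIUM and HIGH severity.
        # The report file is created up front so the follow-up steps have
        # something to cat/upload even if bandit aborts before writing it.
        # Paths come from the static `env:` block above, so they are read as
        # quoted shell variables rather than interpolated with `${{ }}` into
        # the script (the pattern that becomes injectable once a value is
        # caller-controlled).
        run: |
          mkdir -p "$(dirname "$REPORT_PATH")"
          touch "$REPORT_PATH"
          bandit -r "$PROJECT_PATH" -o "$REPORT_PATH" -f txt -ll

      - name: Print scan results
        if: always()
        run: cat "$REPORT_PATH"

      - uses: actions/upload-artifact@v6
        if: always()
        with:
          name: Security check results
          path: ${{ env.REPORT_PATH }}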