From ad30820432cf5cd0fc55ebe2907cc39f885ea000 Mon Sep 17 00:00:00 2001
From: eparshut
Date: Fri, 9 Jan 2026 14:21:49 +0100
Subject: [PATCH 1/6] add bandir scan gh workflow
---
.github/workflows/codeql.yml | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a945de3..0083c06 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,12 +2,12 @@ name: "CodeQL" on: push: - branches: ["master"] + branches: ["master", "bandit"] pull_request: branches: ["master"] - schedule: + #schedule: # Run every Monday at midnight - - cron: "0 0 * * 1" + #- cron: "0 0 * * 1" permissions: contents: read
@@ -90,3 +90,18 @@ jobs: with: sarif_file: rust/clippy.sarif wait-for-processing: true + + analyze_bandit: + name: Analyze (Bandit Scan) + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Perform Bandit Analysis + uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1
From 6d92128c592826a9ce8daff8e1b7142c62fe4051 Mon Sep 17 00:00:00 2001
From: eparshut
Date: Mon, 12 Jan 2026 15:00:56 +0100
Subject: [PATCH 2/6] save bandit report
---
.github/workflows/codeql.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0083c06..caaf006 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -105,3 +105,11 @@ jobs: - name: Perform Bandit Analysis uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1 + with: + python-version: "3.10" + + - name: Upload Bandit Artifact + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + with: + name: bandit-report + path: results.sarif
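Review bot: The weekly scheduled CodeQL run is disabled by this commit (`#schedule:` and `#- cron: "0 0 * * 1"`) and only re-enabled in PATCH 6/6, so any intermediate commit that lands on master on its own, or is hit during a bisect, leaves the repository without its scheduled scan. Together with adding `bandit` to the `push` branch filter this is development scaffolding rather than part of the feature; squash it out of the series, or keep `schedule:` active and add only the test branch, since the cron trigger is independent of the push filter. The comment `# Run every Monday at midnight` is also left live above a trigger that no longer exists, which misreads as the schedule still being in effect.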
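Review bot: The new `analyze_bandit` job requests `security-events: write` but nothing visible in the job uploads SARIF, so the grant is justified only if the pinned `PyCQA/bandit-action` uploads its `results.sarif` to code scanning itself — I believe v1.0.1 does, but it should be confirmed against that action's action.yml rather than assumed. Record the reason above the `permissions:` block, e.g. `# security-events: write is needed because bandit-action uploads its SARIF to code scanning`, so the next maintainer neither strips it as unused nor keeps it after the action changes. Be aware that on `pull_request` runs from forks GITHUB_TOKEN is read-only, so that upload will fail there whatever this block says, and with the later `continue-on-error` nobody will notice. Pinning both actions to full SHAs with a version comment is the right call and matches the rest of the file.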
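Review bot: Publishing the Bandit SARIF as a workflow artifact (`actions/upload-artifact` with `path: results.sarif`) makes the findings downloadable by everyone who can view the run — on a public repository that is any logged-in user — while the code-scanning alerts the action feeds are restricted to users with write access, so this hunk widens who can read a list of suspected weaknesses in the code. If the artifact is wanted for offline review, say so in a comment and shorten its lifetime, e.g. `retention-days: 7`, instead of the 90-day default. Separately, `python-version: "3.10"` is passed as an input (correctly quoted); an input the pinned action does not declare only produces a warning and is silently ignored, so verify it against the action's inputs — PATCH 3/6 later replaces it with `targets`, which hints it may not have been one. The `results.sarif` path also depends on where the action writes its output, which is an internal detail of the action rather than something this workflow controls.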
From 5bc15fda0b40cf2e57dd4609f3aadff237c94427 Mon Sep 17 00:00:00 2001
From: eparshut
Date: Mon, 12 Jan 2026 16:54:28 +0100
Subject: [PATCH 3/6] convert report to html
---
.github/workflows/codeql.yml | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index caaf006..fb74256 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -100,16 +100,20 @@ jobs: security-events: write steps: - - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Install dependencies + run: pip install sarif-tools - name: Perform Bandit Analysis uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1 + continue-on-error: true with: - python-version: "3.10" + targets: "python" + + - name: Convert SARIF report to HTML + run: sarif html --output bandit-report.html results.sarif - name: Upload Bandit Artifact uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: bandit-report - path: results.sarif + path: bandit-report.html
From 2434c26850fe9c2721574e965cf377eb7566409a Mon Sep 17 00:00:00 2001
From: eparshut
Date: Mon, 12 Jan 2026 17:07:17 +0100
Subject: [PATCH 4/6] try to skip dependencies installation
---
.github/workflows/codeql.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fb74256..d9e1504 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -100,9 +100,6 @@ jobs: security-events: write steps: - - name: Install dependencies - run: pip install sarif-tools - - name: Perform Bandit Analysis uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1 continue-on-error: true
From ca54ca88a7e64781ac77ddd12a316fd06057fdfb Mon Sep 17 00:00:00 2001
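Review bot: `continue-on-error: true` on the Bandit step makes every failure of the scan non-fatal — not just Bandit's non-zero exit on findings but a broken or unreachable action, a rejected SARIF upload, or no `results.sarif` being produced at all — so the job can stay green while no security scan has effectively run; the following `sarif html` step only catches the missing-file case by accident. If the intent is merely to keep producing the report when Bandit reports issues, say so in a comment above the step and instead give the two report steps `if: always()`, so a genuine failure still fails the job. This hunk also removes the `actions/checkout` step, which now relies on the pinned action checking the repository out itself; if v1.0.1 does not do that, Bandit scans an empty workspace and reports a clean result. `targets: "python"` limits the scan to that directory, so any Python outside it (setup or helper scripts in the repository root) is not covered — whether that is intended should be stated in a comment next to the input.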
From: eparshut
Date: Mon, 12 Jan 2026 17:11:42 +0100
Subject: [PATCH 5/6] revert dependencies installation
---
.github/workflows/codeql.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d9e1504..34a90e5 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -100,6 +100,9 @@ jobs: security-events: write steps: + - name: Install dependencies + run: pip install sarif-tools + - name: Perform Bandit Analysis uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1 continue-on-error: true
@@ -109,7 +112,7 @@ jobs: - name: Convert SARIF report to HTML run: sarif html --output bandit-report.html results.sarif - - name: Upload Bandit Artifact + - name: Upload Bandit Scan report uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: bandit-report
From e66a01c95cb1975fcfee03b75cf2cf1b414c7ac8 Mon Sep 17 00:00:00 2001
From: eparshut
Date: Mon, 12 Jan 2026 17:14:32 +0100
Subject: [PATCH 6/6] cleanup
---
.github/workflows/codeql.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 34a90e5..90d8117 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,12 +2,12 @@ name: "CodeQL" on: push: - branches: ["master", "bandit"] + branches: ["master"] pull_request: branches: ["master"] - #schedule: + schedule: # Run every Monday at midnight - #- cron: "0 0 * * 1" + - cron: "0 0 * * 1" permissions: contents: read
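Review bot: `run: pip install sarif-tools` is unpinned while every action in this workflow is pinned to a full commit SHA, so each run pulls whatever PyPI currently serves as `sarif-tools` (plus its transitive dependencies) into a job that holds `security-events: write`; a hijacked or malicious release would change what executes here with no diff in the repository. Pin it at least to a version, `run: pip install sarif-tools==<version>`, and preferably install from a hash-locked requirements file with `pip install --require-hashes -r <file>` so Dependabot can track it like the actions. Note also that this `pip` is the runner image's system Python, because no `actions/setup-python` step precedes it in the job; an explicit, pinned setup step ahead of the install would make the interpreter deterministic too.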