From 73867c5931909bfb01fc158c91b7c233438fbd2d Mon Sep 17 00:00:00 2001
From: belly-rewardz
Date: Fri, 23 Jan 2026 15:38:11 +0700
Subject: [PATCH 1/6] fix: Change bandit output format to SARIF for security scan

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 8a4a634..24afad5 100644
--- a/Makefile
+++ b/Makefile
@@ -410,7 +410,7 @@ ci-build: clean
 ci-security:
 	@echo "$(GREEN)Running security scan (CI mode)...$(NC)"
 	@$(PIP) install bandit safety 2>/dev/null || true
-	@bandit -r $(SRC_DIR)/ -f json -o bandit-results.json -ll || true
+	@bandit -r $(SRC_DIR)/ -f sarif -o bandit-results.json -ll || true
 	@safety check --json > safety-results.json 2>/dev/null || true
 	@echo "$(GREEN)Security scan complete$(NC)"

From 57ff4e18a4133a194aad81bd9d32c51c698df229 Mon Sep 17 00:00:00 2001
From: bellyliu
Date: Fri, 23 Jan 2026 15:48:15 +0700
Subject: [PATCH 2/6] Revert "fix: Change bandit output format to SARIF for security scan"

This reverts commit 73867c5931909bfb01fc158c91b7c233438fbd2d.
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 24afad5..8a4a634 100644
--- a/Makefile
+++ b/Makefile
@@ -410,7 +410,7 @@ ci-build: clean
 ci-security:
 	@echo "$(GREEN)Running security scan (CI mode)...$(NC)"
 	@$(PIP) install bandit safety 2>/dev/null || true
-	@bandit -r $(SRC_DIR)/ -f sarif -o bandit-results.json -ll || true
+	@bandit -r $(SRC_DIR)/ -f json -o bandit-results.json -ll || true
 	@safety check --json > safety-results.json 2>/dev/null || true
 	@echo "$(GREEN)Security scan complete$(NC)"

From 85b45559271fb58c85084146adb4f1c264036f2a Mon Sep 17 00:00:00 2001
From: bellyliu
Date: Fri, 23 Jan 2026 15:51:20 +0700
Subject: [PATCH 3/6] fix: Change bandit output format to SARIF for security scan

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 8a4a634..24afad5 100644
--- a/Makefile
+++ b/Makefile
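Review bot: The `|| true` kept on the changed bandit line discards bandit's exit status, so if the installed bandit has no `sarif` formatter (SARIF output is not present in every bandit release; depending on version it needs the `bandit[sarif]` extra or the separate `bandit-sarif-formatter` plugin, and this hunk installs neither) the "unknown format" error is swallowed, no results file is written, and the recipe still prints "Security scan complete". The output file also keeps the `.json` name while its content is now SARIF, which whatever consumes it downstream has to match. If the goal is only that findings do not fail CI, use bandit's own switch so that tool errors still fail the recipe: `@bandit -r $(SRC_DIR)/ -f sarif -o bandit-results.sarif -ll --exit-zero`. The trailing context ends at the completion echo, so the `ci-security` recipe may or may not continue past the hunk.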
@@ -410,7 +410,7 @@ ci-build: clean
 ci-security:
 	@echo "$(GREEN)Running security scan (CI mode)...$(NC)"
 	@$(PIP) install bandit safety 2>/dev/null || true
-	@bandit -r $(SRC_DIR)/ -f json -o bandit-results.json -ll || true
+	@bandit -r $(SRC_DIR)/ -f sarif -o bandit-results.json -ll || true
 	@safety check --json > safety-results.json 2>/dev/null || true
 	@echo "$(GREEN)Security scan complete$(NC)"

From 3294d37bbb958f28b34891a25c60fce4b2542934 Mon Sep 17 00:00:00 2001
From: bellyliu
Date: Fri, 23 Jan 2026 16:01:37 +0700
Subject: [PATCH 4/6] fix: Update bandit output format to SARIF and install necessary formatter

---
 .github/workflows/ci.yml | 2 +-
 Makefile | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 323caac..5a7b193 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -297,7 +297,7 @@ jobs:
         uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
-          sarif_file: bandit-results.json
+          sarif_file: bandit-results.sarif
         continue-on-error: true
   # ===========================================================================
diff --git a/Makefile b/Makefile
index 24afad5..b418fe8 100644
--- a/Makefile
+++ b/Makefile
@@ -409,8 +409,8 @@ ci-build: clean
 ## CI: Security scan
 ci-security:
 	@echo "$(GREEN)Running security scan (CI mode)...$(NC)"
-	@$(PIP) install bandit safety 2>/dev/null || true
-	@bandit -r $(SRC_DIR)/ -f sarif -o bandit-results.json -ll || true
+	@$(PIP) install bandit bandit-sarif-formatter safety 2>/dev/null || true
+	@bandit -r $(SRC_DIR)/ --format sarif --output bandit-results.sarif -ll || true
 	@safety check --json > safety-results.json 2>/dev/null || true
 	@echo "$(GREEN)Security scan complete$(NC)"

From 91b7b95ce487d6738c03cbf78074bc332e294357 Mon Sep 17 00:00:00 2001
From: bellyliu
Date: Fri, 23 Jan 2026 16:52:35 +0700
Subject: [PATCH 5/6] test: Show all severy level from bandit scan

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
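Review bot: The `upload-sarif` step whose `sarif_file` is renamed here sets no `category`, so if any other step in this workflow uploads SARIF for the same commit (a CodeQL analysis, another scanner) the uploads can collide and one overwrites the other in Code Scanning; add `category: bandit` under `with:` alongside `sarif_file: bandit-results.sarif`. Because the step carries both `if: always()` and `continue-on-error: true`, a missing or empty `bandit-results.sarif` (bandit failed, or the formatter was not installed) is logged and ignored rather than failing the job — defensible for a non-blocking scan, but worth stating with a comment such as `# non-blocking: a missing/invalid SARIF must not fail CI` so the suppression reads as deliberate. The action is pinned to the `v4` tag rather than a commit SHA, which is the usual hardening for third-party actions. The job's `permissions` (this upload needs `security-events: write`) are outside the hunk, so I cannot confirm they are set.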
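Review bot: The new `$(PIP) install bandit bandit-sarif-formatter safety` line fetches an unpinned third-party formatter plugin (and unpinned bandit and safety) from the package index on every CI run, with stderr discarded and failure ignored, so a compromised or yanked release would either execute with the runner's credentials or silently turn the scan off. Pin the three tools to the versions you tested (a hash-pinned requirements file is the stronger form) and drop the `2>/dev/null || true` on that line so an install failure is visible instead of producing a "scan complete" with no results. On the changed bandit line, `|| true` likewise hides the case where the plugin did not register the `sarif` formatter; `--exit-zero` keeps findings non-blocking while still failing the recipe on tool errors: `@bandit -r $(SRC_DIR)/ --format sarif --output bandit-results.sarif -ll --exit-zero`. The hunk's first context line (`## CI: Security scan`) suggests this is the whole target header, but the recipe's end beyond the completion echo is not visible.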
diff --git a/Makefile b/Makefile
index b418fe8..29de8f2 100644
--- a/Makefile
+++ b/Makefile
@@ -410,7 +410,7 @@ ci-build: clean
 ci-security:
 	@echo "$(GREEN)Running security scan (CI mode)...$(NC)"
 	@$(PIP) install bandit bandit-sarif-formatter safety 2>/dev/null || true
-	@bandit -r $(SRC_DIR)/ --format sarif --output bandit-results.sarif -ll || true
+	@bandit -r $(SRC_DIR)/ --format sarif --output bandit-results.sarif || true
 	@safety check --json > safety-results.json 2>/dev/null || true
 	@echo "$(GREEN)Security scan complete$(NC)"

From 245fcede8f06a27f9ca2ff92337d207694b02a28 Mon Sep 17 00:00:00 2001
From: bellyliu
Date: Fri, 23 Jan 2026 16:59:43 +0700
Subject: [PATCH 6/6] revert: Adjust bandit scan result to show medium and high severity only

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 29de8f2..b418fe8 100644
--- a/Makefile
+++ b/Makefile
@@ -410,7 +410,7 @@ ci-build: clean
 ci-security:
 	@echo "$(GREEN)Running security scan (CI mode)...$(NC)"
 	@$(PIP) install bandit bandit-sarif-formatter safety 2>/dev/null || true
-	@bandit -r $(SRC_DIR)/ --format sarif --output bandit-results.sarif || true
+	@bandit -r $(SRC_DIR)/ --format sarif --output bandit-results.sarif -ll || true
 	@safety check --json > safety-results.json 2>/dev/null || true
 	@echo "$(GREEN)Security scan complete$(NC)"
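Review bot: With `|| true` left on the restored bandit line the exit code is discarded, so the re-added `-ll` gates nothing; its only remaining effect is that LOW-severity findings are never written to `bandit-results.sarif` and therefore never reach Code Scanning, which is not obvious from the command and is easy to mistake for a fail-threshold. Add a comment above the line making that explicit, e.g. `# -ll: only MEDIUM/HIGH findings are written to the SARIF (LOW is dropped before upload); || true means the scan never fails the build`. If LOW findings should be visible but not blocking, drop `-ll` and let Code Scanning's severity filter do the triage; if the scan should actually gate on MEDIUM+, replace `|| true` with nothing and keep `-ll`, since bandit already exits non-zero only for findings at or above the threshold.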