Add bandit SAST check [RHELDST-18795]

Added SAST check for this repository.
rbikar · Apr 11, 2024 · cdfac67 · cdfac67
1 parent 5b57dc6
commit cdfac67
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/.github/workflows/tox-test.yml b/.github/workflows/tox-test.yml
@@ -59,3 +59,27 @@ jobs:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: true
           verbose: true
+  bandit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install Tox
+        run: pip install tox
+      - name: Run Tox
+        run: tox -e bandit
+  bandit-exitzero:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install Tox
+        run: pip install tox
+      - name: Run Tox
+        run: tox -e bandit-exitzero
diff --git a/tox.ini b/tox.ini
@@ -50,3 +50,17 @@ max-line-length = 100
 
 [pep8]
 max-line-length = 100
+
+[testenv:bandit-exitzero]
+deps=
+	bandit
+commands=
+    # Skip B101 low severity assert warnings in the tests directory
+    bandit -r ./tests --severity-level low --exit-zero --skip B101
+    bandit -r . -l --exclude './.tox,./tests' --exit-zero
+
+[testenv:bandit]
+deps=
+	bandit
+commands=
+    bandit -r . -ll --exclude './.tox' --confidence-level medium