ansible-collection-netscaleradc/.github/workflows/bandit.yml at main · netscaler/ansible-collection-netscaleradc · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
---
name: Bandit Security Check
on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main
permissions: read-all
jobs:
  bandit-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
        with:
          python-version: '3.x'

      - name: Install Bandit with Sarif extras
        run: pip install "bandit[sarif]"

      - name: Run Bandit
        id: bandit
        continue-on-error: true
        run: |
          set +e
          set +x
          bandit -r . -f sarif -o bandit-output.sarif
          echo "exit_code=$?" >> $GITHUB_OUTPUT
          cat bandit-output.sarif

      - name: Upload Bandit scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1  # v4
        with:
          sarif_file: "bandit-output.sarif"

      - name: Fail if Bandit run had errors
        if: steps.bandit.outputs.exit_code != 0
        run: exit 1