CodeMCP/.github/workflows/security-sast-python.yml at 49b7c22ec79aa16472fb0ec39c7a73284b44e064 · SimplyLiz/CodeMCP · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
name: Python SAST (Bandit)

on:
  workflow_call:
    inputs:
      exclude_dirs:
        description: 'Comma-separated directories to exclude'
        type: string
        default: 'tests,test,venv,.venv'
      skip_tests:
        description: 'Comma-separated Bandit test IDs to skip (e.g., B101,B601)'
        type: string
        default: ''
      severity_threshold:
        description: 'Minimum severity to report (low, medium, high)'
        type: string
        default: 'low'
    outputs:
      findings:
        description: 'Total Bandit findings'
        value: ${{ jobs.bandit.outputs.findings }}
      high:
        description: 'HIGH severity findings'
        value: ${{ jobs.bandit.outputs.high }}
      medium:
        description: 'MEDIUM severity findings'
        value: ${{ jobs.bandit.outputs.medium }}
      low:
        description: 'LOW severity findings'
        value: ${{ jobs.bandit.outputs.low }}

jobs:
  bandit:
    name: Bandit Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      security-events: write
    outputs:
      findings: ${{ steps.scan.outputs.findings }}
      high: ${{ steps.scan.outputs.high }}
      medium: ${{ steps.scan.outputs.medium }}
      low: ${{ steps.scan.outputs.low }}
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: '3.x'

      - name: Install Bandit
        run: pip install bandit bandit-sarif-formatter

      - name: Run Bandit
        id: scan
        env:
          EXCLUDE_DIRS_INPUT: ${{ inputs.exclude_dirs }}
          SKIP_TESTS_INPUT: ${{ inputs.skip_tests }}
          SEVERITY_INPUT: ${{ inputs.severity_threshold }}
        run: |
          echo "::group::Bandit Security Scan"

          # Build exclude argument
          EXCLUDE_ARG=""
          if [ -n "$EXCLUDE_DIRS_INPUT" ]; then
            EXCLUDE_ARG="--exclude $EXCLUDE_DIRS_INPUT"
          fi

          # Build skip tests argument
          SKIP_ARG=""
          if [ -n "$SKIP_TESTS_INPUT" ]; then
            SKIP_ARG="--skip $SKIP_TESTS_INPUT"
          fi

          # Severity filter
          SEVERITY_ARG=""
          case "$SEVERITY_INPUT" in
            high)   SEVERITY_ARG="-lll" ;;
            medium) SEVERITY_ARG="-ll" ;;
            low)    SEVERITY_ARG="-l" ;;
          esac

          # Run Bandit with JSON output
          bandit -r . -f json -o bandit.json \
            $EXCLUDE_ARG $SKIP_ARG $SEVERITY_ARG \
            --confidence-level medium \
            || true

          # Run Bandit with SARIF output
          bandit -r . -f sarif -o bandit.sarif \
            $EXCLUDE_ARG $SKIP_ARG $SEVERITY_ARG \
            --confidence-level medium \
            || true

          # Parse results
          if [ -f bandit.json ]; then
            FINDINGS=$(jq '.results | length' bandit.json 2>/dev/null || echo "0")
            HIGH=$(jq '[.results[]? | select(.issue_severity == "HIGH")] | length' bandit.json 2>/dev/null || echo "0")
            MEDIUM=$(jq '[.results[]? | select(.issue_severity == "MEDIUM")] | length' bandit.json 2>/dev/null || echo "0")
            LOW=$(jq '[.results[]? | select(.issue_severity == "LOW")] | length' bandit.json 2>/dev/null || echo "0")

            echo "findings=$FINDINGS" >> $GITHUB_OUTPUT
            echo "high=$HIGH" >> $GITHUB_OUTPUT
            echo "medium=$MEDIUM" >> $GITHUB_OUTPUT
            echo "low=$LOW" >> $GITHUB_OUTPUT

            # Warnings for severity levels
            if [ "$HIGH" -gt 0 ]; then
              echo "::error::$HIGH HIGH severity Bandit finding(s)"
            fi
            if [ "$MEDIUM" -gt 0 ]; then
              echo "::warning::$MEDIUM MEDIUM severity Bandit finding(s)"
            fi
          else
            echo "findings=0" >> $GITHUB_OUTPUT
            echo "high=0" >> $GITHUB_OUTPUT
            echo "medium=0" >> $GITHUB_OUTPUT
            echo "low=0" >> $GITHUB_OUTPUT
          fi

          echo "::endgroup::"

          # Write summary
          echo "### Bandit Results" >> $GITHUB_STEP_SUMMARY
          echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
          echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
          echo "| HIGH | $HIGH |" >> $GITHUB_STEP_SUMMARY
          echo "| MEDIUM | $MEDIUM |" >> $GITHUB_STEP_SUMMARY
          echo "| LOW | $LOW |" >> $GITHUB_STEP_SUMMARY
          echo "| **Total** | **$FINDINGS** |" >> $GITHUB_STEP_SUMMARY

      - name: Upload SARIF
        if: hashFiles('bandit.sarif') != ''
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
        with:
          sarif_file: bandit.sarif
          category: bandit
        continue-on-error: true

      - name: Upload artifacts
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: always()
        with:
          name: bandit-results
          path: |
            bandit.json
            bandit.sarif
          retention-days: 30
          if-no-files-found: ignore