From 831c027f5cfb27cf70d846a49315070ff26f3a3c Mon Sep 17 00:00:00 2001
From: Trayan Azarov
Date: Tue, 12 Sep 2023 06:49:55 +0300
Subject: [PATCH] [SEC]: Bandit Scan (#1113)
## Description of changes *Summarize the changes made by this PR.* - Improvements & Bug fixes - Added bandit scanning for all pushes to repo ## Test plan *How are these changes tested?* Manual testing of the workflow ## Documentation Changes N/A - unless we want to start a separate security section in the main docs repo. --------- Co-authored-by: Hammad Bashir
---
.github/actions/bandit-scan/Dockerfile | 7 ++++++
.github/actions/bandit-scan/action.yaml | 26 +++++++++++++++++++++
.github/actions/bandit-scan/entrypoint.sh | 13 +++++++++++
.github/workflows/python-vuln.yaml | 28 +++++++++++++++++++++++
bandit.yaml | 4 ++++
5 files changed, 78 insertions(+)
create mode 100644 .github/actions/bandit-scan/Dockerfile
create mode 100644 .github/actions/bandit-scan/action.yaml
create mode 100755 .github/actions/bandit-scan/entrypoint.sh
create mode 100644 .github/workflows/python-vuln.yaml
create mode 100644 bandit.yaml
diff --git a/.github/actions/bandit-scan/Dockerfile b/.github/actions/bandit-scan/Dockerfile
new file mode 100644
index 0000000..943f04f
--- /dev/null
+++ b/.github/actions/bandit-scan/Dockerfile
@@ -0,0 +1,7 @@
+FROM python:3.10-alpine AS base-action
+
+RUN pip3 install -U setuptools pip bandit
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["sh","/entrypoint.sh"]
diff --git a/.github/actions/bandit-scan/action.yaml b/.github/actions/bandit-scan/action.yaml
new file mode 100644
index 0000000..e073545
--- /dev/null
+++ b/.github/actions/bandit-scan/action.yaml
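Review bot: `RUN pip3 install -U setuptools pip bandit` installs whatever bandit release is current at build time, so the rule set and the findings can change between two runs of the same workflow without any change to this repository; pin it and skip the pip cache, e.g. `RUN pip3 install --no-cache-dir -U setuptools pip 'bandit==<PINNED_VERSION>'` (placeholder to fill in), and consider pinning `python:3.10-alpine` to a patch tag or digest for the same reason. `ENTRYPOINT ["sh","/entrypoint.sh"]` runs the script under the Alpine busybox `sh`, while entrypoint.sh in this same patch declares `#!/bin/bash`; bash is not part of the Alpine base image, so the shebang should become `#!/bin/sh` (or bash be installed) to keep the two consistent, and once the script is executed via `sh` the `RUN chmod +x /entrypoint.sh` layer adds nothing.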
@@ -0,0 +1,26 @@
+name: 'Bandit Scan'
+description: 'This action performs a security vulnerability scan of python code using bandit library.'
+inputs:
+ bandit-config:
+ description: 'Bandit configuration file'
+ required: false
+ input-dir:
+ description: 'Directory to scan'
+ required: false
+ default: '.'
+ format:
+ description: 'Output format (txt, csv, json, xml, yaml). Default: json'
+ required: false
+ default: 'json'
+ output-file:
+ description: "The report file to produce. Make sure to align your format with the file extension to avoid confusion."
+ required: false
+ default: "bandit-scan.json"
+runs:
+ using: 'docker'
+ image: 'Dockerfile'
+ args:
+ - ${{ inputs.format }}
+ - ${{ inputs.bandit-config }}
+ - ${{ inputs.input-dir }}
+ - ${{ inputs.output-file }}
diff --git a/.github/actions/bandit-scan/entrypoint.sh b/.github/actions/bandit-scan/entrypoint.sh
new file mode 100755
index 0000000..f52dadd
--- /dev/null
+++ b/.github/actions/bandit-scan/entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+CFG="-c $2"
+if [ -z "$1" ]; then
+ echo "No path to scan provided"
+ exit 1
+fi
+
+if [ -z "$2" ]; then
+ CFG = ""
+fi
+
+bandit -f "$1" ${CFG} -r "$3" -o "$4"
+exit 0 #we want to ignore the exit code of bandit (for now)
diff --git a/.github/workflows/python-vuln.yaml b/.github/workflows/python-vuln.yaml
new file mode 100644
index 0000000..8e6c33a
--- /dev/null
+++ b/.github/workflows/python-vuln.yaml
@@ -0,0 +1,28 @@
+name: Python Vulnerability Scan
+on:
+ push:
+ branches:
+ - '*'
+ - '*/**'
+ paths:
+ - chromadb/**
+ - clients/python/**
+ workflow_dispatch:
+jobs:
+ bandit-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - uses: ./.github/actions/bandit-scan/
+ with:
+ input-dir: '.'
+ format: 'json'
+ bandit-config: 'bandit.yaml'
+ output-file: 'bandit-report.json'
+ - name: Upload Bandit Report
+ uses: actions/upload-artifact@v3
+ with:
+ name: bandit-artifact
+ path: |
+ bandit-report.json
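Review bot: The `bandit-config` input has `required: false` and no `default`, so an omitted value reaches the container as an empty second positional argument, and nothing in the description tells callers that or what the path is resolved against (a Docker container action appears to run with the repository checkout as its working directory — confirm); e.g. `description: 'Path to a bandit configuration file, relative to the repository root; leave empty to run without -c'`. The `format` description also repeats `Default: json` although `default: 'json'` already declares it, and it would be more useful to say that the value is passed straight to `bandit -f` without validation.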
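Review bot: `CFG = ""` inside the `if [ -z "$2" ]` branch is not an assignment — with the spaces the shell looks for a command named `CFG`, prints a "not found" error and moves on, so CFG keeps its initial value `-c ` and, when no config is supplied, bandit most likely receives a dangling `-c` and fails in argument parsing. Replace the initialisation and that branch with `CFG=""` followed by `if [ -n "$2" ]; then CFG="-c $2"; fi`. The guard `if [ -z "$1" ]; then` tests the format argument yet reports `No path to scan provided`; the scan path is `$3` (see the `-r "$3"` on the bandit line), so the check should read `if [ -z "$3" ]; then`. Finally `exit 0` discards bandit's status for findings and tool errors alike, so a broken invocation such as the `-c` case above passes silently; at minimum capture it with `status=$?` and log `echo "bandit exited with $status"` before exiting, so the job log shows when the scan did not actually run.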
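Review bot: The workflow declares no `permissions:` block, so the job token receives the repository's default permissions although the job only reads the checkout and uploads an artifact; add a top-level `permissions:` with `contents: read`. `actions/checkout@v3` and `actions/upload-artifact@v3` are referenced by mutable tag; for a job whose purpose is security scanning, pin both to a full commit SHA with the tag kept in a trailing comment so the action supply chain is reproducible. The `paths:` filter lists only `chromadb/**` and `clients/python/**`, so a change to `bandit.yaml` or to `.github/actions/bandit-scan/**` will not trigger a run by itself; adding those two paths keeps the scanner configuration exercised when it changes.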
diff --git a/bandit.yaml b/bandit.yaml
new file mode 100644
index 0000000..9a93633
--- /dev/null
+++ b/bandit.yaml
@@ -0,0 +1,4 @@
+# FILE: bandit.yaml
+exclude_dirs: [ 'chromadb/test', 'bin', 'build', 'build', '.git', '.venv', 'venv', 'env','.github','examples','clients/js','.vscode' ]
+tests: [ ]
+skips: [ ]
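Review bot: `'build'` appears twice in `exclude_dirs`; drop the duplicate so the line reads `exclude_dirs: [ 'chromadb/test', 'bin', 'build', '.git', '.venv', 'venv', 'env', '.github', 'examples', 'clients/js', '.vscode' ]`. Excluding `chromadb/test` is presumably deliberate (bandit's assert check would otherwise fire on every test), and a one-line comment saying so would stop a later reader from "fixing" it; likewise a comment that the empty `tests` and `skips` lists mean every bandit test is enabled would make the intent of those two lines explicit.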