feat(bandit): Add Bandit (#108)

* Fix Python version and install Bandit * Add Bandit --------- Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> Signed-off-by: github-actions <github-actions@github.com> Co-authored-by: github-actions <github-actions@github.com>
awslabs · Nov 16, 2023 · 4ce992e · 4ce992e
1 parent 5285638
commit 4ce992e
Show file tree

Hide file tree

Showing 6 changed files with 141 additions and 0 deletions.
diff --git a/.gitattributes b/.gitattributes
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
diff --git a/.gitignore b/.gitignore
diff --git a/.projen/files.json b/.projen/files.json
diff --git a/.projenrc.ts b/.projenrc.ts
@@ -19,6 +19,7 @@ import {
   buildAutoApproveWorkflow,
   buildOrtToolkitWorkflow,
   runSemGrepWorkflow,
+  runBanditWorkflow,
 } from './projenrc/github-workflows';
 
 // Constants
@@ -94,6 +95,27 @@ buildUpdateContributorsWorkflow(project);
 buildAutoApproveWorkflow(project);
 buildOrtToolkitWorkflow(project);
 runSemGrepWorkflow(project);
+runBanditWorkflow(project);
+
+// Add specific overrides https://projen.io/github.html#actions-versions
+project.github?.actions.set('actions/checkout@v3', 'actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744');
+project.github?.actions.set('actions/download-artifact@v3', 'actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a');
+project.github?.actions.set('actions/github-script@v6', 'actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410');
+project.github?.actions.set('actions/setup-node@v3', 'actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7');
+project.github?.actions.set('actions/setup-python@v4', 'actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236');
+project.github?.actions.set('actions/stale@v4', 'actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da');
+project.github?.actions.set('actions/upload-artifact@v3', 'actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32');
+project.github?.actions.set('amannn/action-semantic-pull-request@v5.0.2', 'amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb');
+project.github?.actions.set('aws-github-ops/github-merit-badger@main', 'aws-github-ops/github-merit-badger@70d1c47f7051d6e324d4ddc48d676ba61ef69a3e');
+project.github?.actions.set('codecov/codecov-action@v3', 'codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d');
+project.github?.actions.set('github/issue-metrics@v2', 'github/issue-metrics@6bc5254e72971dbb7462db077779f1643f772afd');
+project.github?.actions.set('hmarr/auto-approve-action@v3.2.1', 'hmarr/auto-approve-action@44888193675f29a83e04faf4002fa8c0b537b1e4');
+project.github?.actions.set('minicli/action-contributors@v3.3', 'minicli/action-contributors@20ec03af008cb51110a3137fbf77f59a4fd7ff5a');
+project.github?.actions.set('oss-review-toolkit/ort-ci-github-action@v1', 'oss-review-toolkit/ort-ci-github-action@7f23c1f8d169dad430e41df223d3b8409c7a156e');
+project.github?.actions.set('peter-evans/create-issue-from-file@v4', 'peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f');
+project.github?.actions.set('peter-evans/create-pull-request@v4', 'peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54');
+project.github?.actions.set('peter-evans/create-pull-request@v5', 'peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38');
+
 
 // Add specific overrides https://projen.io/github.html#actions-versions
 project.github?.actions.set('actions/checkout@v3', 'actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744');

diff --git a/projenrc/github-workflows.ts b/projenrc/github-workflows.ts
@@ -350,3 +350,83 @@ export function runSemGrepWorkflow(project: AwsCdkConstructLibrary) {
     }
   }
 }
+
+/**
+ * https://github.com/mdegis/bandit-action
+ * Runs Bandit on the repository.
+ * @param project AwsCdkConstructLibrary
+ */
+export function runBanditWorkflow(project: AwsCdkConstructLibrary) {
+  const bandit: Job = {
+    name: 'bandit/ci',
+    runsOn: ['ubuntu-latest'],
+    // container: {
+    //   image: 'returntocorp/semgrep',
+    // },
+    permissions: {
+      contents: JobPermission.READ,
+      pullRequests: JobPermission.READ,
+      securityEvents: JobPermission.WRITE,
+      actions: JobPermission.READ,
+    },
+    if: "(github.actor != 'dependabot[bot]')",
+
+    steps: [
+      {
+        name: 'Checkout project',
+        uses: 'actions/checkout@v3',
+      },
+      {
+        name: 'Setup Python',
+        uses: 'actions/setup-python@v4',
+        with: {
+          'python-version': '3.x',
+        },
+        run: 'python -m pip install bandit',
+      },
+      {
+        name: 'Run Bandit',
+        run: 'bandit --recursive --format html --output bandit-report.html .',
+      },
+      {
+        name: 'Store Bandit as Artifact',
+        uses: 'actions/upload-artifact@v3',
+        with: {
+          name: 'bandit-report.html',
+          path: 'bandit-report.html',
+        },
+      },
+      // `awslabs` has the Advanced Security disabled.
+      // {
+      //   name: 'Upload SARIF file for GitHub Advanced Security Dashboard',
+      //   uses: 'github/codeql-action/upload-sarif@v2',
+      //   with: {
+      //     sarif_file: 'semgrep.sarif',
+      //   },
+      //   if: 'always()',
+      // },
+    ],
+  };
+
+  if (project.github) {
+    const workflow = project.github.addWorkflow('bandit');
+    if (workflow) {
+      workflow.on({
+        pullRequest: {},
+        workflowDispatch: {
+        },
+        push: {
+          branches: [
+            'main',
+          ],
+        },
+        schedule: [
+          { cron: '20 17 * * *' },
+        ],
+      });
+      workflow.addJobs({
+        bandit: bandit,
+      });
+    }
+  }
+}