fix: update Bandit security check to use txt output and improve HIGH severity detection

This commit is contained in:
Lorenzo Venerandi
2026-01-22 11:24:41 +01:00
parent 28a8880c0a
commit 9b74a7844d


@@ -30,16 +30,21 @@ jobs:
- name: Bandit security check
run: |
bandit -r src/ -f json -o bandit-report.json || true
bandit -r src/ -f txt || true
bandit -r src/ -f txt | tee bandit-report.txt
# Extract HIGH severity (not confidence) - look for the severity section
SEVERITY_SECTION=$(sed -n '/Total issues (by severity):/,/Total issues (by confidence):/p' bandit-report.txt)
HIGH_COUNT=$(echo "$SEVERITY_SECTION" | grep "High:" | grep -o "[0-9]*" | head -1)
if [ -z "$HIGH_COUNT" ]; then
HIGH_COUNT=0
fi
# Check for HIGH severity issues only
HIGH_COUNT=$(python3 -c "import json; data=json.load(open('bandit-report.json')); print(len([i for i in data['results'] if i['severity'] == 'HIGH']))")
if [ "$HIGH_COUNT" -gt 0 ]; then
echo "Found $HIGH_COUNT HIGH severity security issues"
exit 1
fi
echo "No HIGH severity security issues found (LOW/MEDIUM are acceptable)"
echo "No HIGH severity security issues found"
- name: Safety check for dependencies
run: safety check --json || true
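Review bot: The fallback at `if [ -z "$HIGH_COUNT" ]; then HIGH_COUNT=0` makes the gate fail open: if bandit did not run, bandit-report.txt is missing, or the "Total issues (by severity):" wording changes, the sed range yields nothing and the step prints "No HIGH severity security issues found" and passes. Fail closed on a missing summary instead, e.g. `[ -n "$SEVERITY_SECTION" ] || { echo "bandit severity summary not found in bandit-report.txt" >&2; exit 1; }` placed before the grep. The `|| true` that the old `bandit -r src/ -f txt` line carried is also gone from the new `tee` pipeline; bandit exits non-zero whenever it reports any finding, so if the job's shell has pipefail enabled (not visible in this hunk) the step aborts on LOW/MEDIUM findings before the HIGH check runs, while without pipefail bandit's status is simply hidden behind tee's — `bandit -r src/ -f txt | tee bandit-report.txt || true` makes the intended best-effort run explicit either way. The enclosing job and step definition start before this hunk.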