feat: enhance Bandit security check to enforce HIGH severity issue detection

2026-01-22 11:20:46 +01:00
parent bea9489a12
commit dcfdb23b0c
1 changed files with 9 additions and 1 deletions
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -30,8 +30,16 @@ jobs:

      - name: Bandit security check
        run: |
-          bandit -r src/ -f json -o bandit-report.json || true
+          bandit -r src/ -f json -o bandit-report.json
          bandit -r src/ -f txt
+          
+          # Check for HIGH severity issues only
+          HIGH_COUNT=$(python3 -c "import json; data=json.load(open('bandit-report.json')); print(len([i for i in data['results'] if i['severity'] == 'HIGH']))")
+          if [ "$HIGH_COUNT" -gt 0 ]; then
+            echo "Found $HIGH_COUNT HIGH severity security issues"
+            exit 1
+          fi
+          echo "No HIGH severity security issues found (LOW/MEDIUM are acceptable)"

      - name: Safety check for dependencies
        run: safety check --json || true