Merge pull request #40 from harvard-lts/sast-scan-python

Create sast-scan-python.yml
harvard-lts · Mar 25, 2024 · 5066a90 · 5066a90
2 parents b74489e + d06322b
commit 5066a90
Showing 1 changed file with 47 additions and 0 deletions.
diff --git a/.github/workflows/sast-scan-python.yml b/.github/workflows/sast-scan-python.yml
@@ -0,0 +1,47 @@
+name: SAST Scan Python
+
+# This workflow is triggered whenever a new PR is created on the main branch or there a push to the branch
+# This is a SAST workflow for PYTHON projects
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+jobs:
+  sast_scan:
+    strategy:
+      matrix:
+        # Only certain versions supported Ref; https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json
+        version: [ 3.10.14,3.11.8,3.12.2 ]
+    name: Run Bandit Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{matrix.version}}
+
+      - name: Use Node.js 20.x
+        uses: actions/[email protected]
+        with:
+          node-version: 20.x
+
+      - name: Install Bandit
+        run: pip install bandit
+
+      - name: Run Bandit Scan
+        run: bandit -ll -ii -r . -f json -o bandit-report.json
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v1
+        if: always()
+        with:
+          name: bandit-findings
+          path: bandit-report.json