From 745579d2355ae311e36bb4b3662b471154aa200c Mon Sep 17 00:00:00 2001
From: Sumanth Lingappa
Date: Mon, 8 Apr 2024 14:02:19 +0530
Subject: [PATCH] integrated bandit output to github-codeql

Signed-off-by: Sumanth Lingappa
---
 .github/workflows/bandit.yml | 53 ++++++------------------------------
 1 file changed, 9 insertions(+), 44 deletions(-)

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 32de9a54d..c9f598ea4 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -22,58 +22,23 @@ jobs: with: python-version: '3.x' - - name: Find Pull Request - id: find-pull-request - uses: jwalton/gh-find-current-pr@v1 - with: - # Can be "open", "closed", or "all". Defaults to "open". - state: open - # - name: Find Comment - # uses: peter-evans/find-comment@v2 - # id: fc - # with: - # issue-number: ${{ steps.find-pull-request.outputs.number }} - # comment-author: 'github-actions[bot]' - # body-includes: Bandit found some security issues in your code. - # - name: Delete previous comment - # if: steps.fc.outputs.comment-id != '' - # uses: actions/github-script@v6 - # with: - # script: | - # github.rest.issues.deleteComment({ - # owner: context.repo.owner, - # repo: context.repo.repo, - # comment_id: ${{ steps.fc.outputs.comment-id }} - # }) - - name: Install Bandit - run: pip install bandit + - name: Install Bandit with Sarif extras + run: pip install "bandit[sarif]" + - name: Run Bandit id: bandit continue-on-error: true run: | set +e set +x - bandit -r . -f csv -o bandit-output.csv + bandit -r . -f sarif -o bandit-output.sarif echo "exit_code=$?" >> $GITHUB_OUTPUT - OUTPUT=$(cat bandit-output.csv) - cat bandit-output.csv - echo "report<> $GITHUB_OUTPUT - - name: Convert CSV to Markdown - if: steps.bandit.outputs.exit_code != 0 - uses: petems/csv-to-md-table-action@master - id: csv-table-output - with: - csvinput: ${{ steps.bandit.outputs.report }} - - name: Create comment - if: steps.bandit.outputs.exit_code != 0 - id: create-comment - uses: peter-evans/create-or-update-comment@v4 + cat bandit-output.sarif + + - name: Upload Bandit scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 with: - issue-number: ${{ steps.find-pull-request.outputs.number }} - body: | - Bandit found some security issues in your code. Please fix them to ensure the security of your code. 
- ${{steps.csv-table-output.outputs.markdown-table}} - reactions: rocket + sarif_file: "bandit-output.sarif" - name: Fail if Bandit run had errors if: steps.bandit.outputs.exit_code != 0