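---
# Static analysis of the repository's Python sources with Bandit. Results are
# written as SARIF and published to the repository's code-scanning dashboard.
name: Bandit

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    # Weekly run (Thursday 13:40 UTC) so newly added Bandit checks still reach
    # the dashboard when main is quiet.
    - cron: "40 13 * * 4"

# Least-privilege GITHUB_TOKEN: read the checkout, write code-scanning results.
# actions:read is what upload-sarif is documented to need for resolving
# workflow metadata on private repositories; presumably not required if this
# repository is public — verify before removing.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the third-party actions below are referenced by mutable
      # major-version tags. Pinning each to a full commit SHA (tag kept in a
      # trailing comment) removes a supply-chain hop; SHAs are not added here
      # because they must be looked up, not guessed.
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Install Bandit
        # Quoted so bash cannot glob-expand the [toml] extra against files in
        # the workspace. The package is unpinned; pin a version if reproducible
        # scan results matter more than picking up new checks automatically.
        run: python -m pip install --upgrade 'bandit[toml]'
      - name: Run Bandit
        # Bandit exits non-zero when it reports findings, which fails this
        # step; the report is still uploaded by the always() step below.
        # The exclude list is quoted so the shell passes the *.egg pattern
        # through to Bandit rather than attempting pathname expansion.
        run: |
          bandit -r . \
            -f sarif \
            -o bandit.sarif \
            --exclude '.git,__pycache__,.tox,.eggs,*.egg'
      - name: Upload SARIF
        # Run even when the scan step failed so findings reach code scanning.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: bandit.sarif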