1010jobs :
1111 bandit :
1212 runs-on : ubuntu-latest
13+ permissions :
14+ contents : read
15+ security-events : write # needed for SARIF upload
1316 steps :
1417 - uses : actions/checkout@v4
1518
@@ -20,27 +23,30 @@ jobs:
2023 - name : Install Bandit
2124 run : python -m pip install --upgrade pip bandit
2225
23- # 1) Generate a full report (never fails the job) so you can review details
24- - name : Bandit full report (non-blocking)
26+ # Full report for triage (non-blocking), goes to the Security tab
27+ - name : Bandit SARIF (non-blocking)
2528 run : |
2629 bandit -r . \
2730 -x tests,venv,.venv,build,dist,__pycache__,.github \
28- -s B101,B404 \
29- -f txt -o bandit.txt || true
31+ -f sarif -o bandit.sarif || true
3032
31- # 2) Gate on HIGH severity + HIGH confidence only (job fails if any)
32- - name : Bandit gate (HIGH/HIGH only)
33+ name : Upload SARIF to code scanning
34+ if : always()
35+ uses : github/codeql-action/upload-sarif@v3
36+ with :
37+ sarif_file : bandit.sarif
38+ category : bandit
39+
40+ # Gate 1: fail on ANY High severity (even if confidence is low)
41+ - name : Bandit gate — HIGH severity (any confidence)
3342 run : |
3443 bandit -q -r . \
3544 -x tests,venv,.venv,build,dist,__pycache__,.github \
36- -s B101,B404 \
37- --severity-level high --confidence-level high
45+ --severity-level high --confidence-level low
3846
39- name : Upload Bandit report
40- if : always()
41- uses : actions/upload-artifact@v4
42- with :
43- name : bandit-report
44- path : bandit.txt
45- if-no-files-found : warn
46- retention-days : 7
47+ # Gate 2: fail on Medium/High with HIGH confidence
48+ - name : Bandit gate — MEDIUM+ with HIGH confidence
49+ run : |
50+ bandit -q -r . \
51+ -x tests,venv,.venv,build,dist,__pycache__,.github \
52+ --severity-level medium --confidence-level high
0 commit comments