From 513be56acb93555ff9b1b4705882a28b0ff7af74 Mon Sep 17 00:00:00 2001
From: Keith Kraus
Date: Tue, 15 Apr 2025 10:46:40 -0400
Subject: [PATCH 1/6] Add CodeQL and Bandit Static Analysis Scans
---
 .github/workflows/bandit.yml | 16 ++++++++++++++++
 .github/workflows/codeql.yml | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 .github/workflows/bandit.yml
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
new file mode 100644
index 0000000000..2fe6190b0e
--- /dev/null
+++ b/.github/workflows/bandit.yml
@@ -0,0 +1,16 @@
+name: "Static Analysis: Bandit Scan"
+
+on:
+ push:
+ branches:
+ - "pull-request/[0-9]+"
+ - "main"
+
+jobs:
+ analyze:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Perform Bandit Analysis
+ uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de # v1.0.0
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..13cc6ae7db
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,36 @@
+name: "Static Analysis: CodeQL Scan"
+
+on:
+ push:
+ branches:
+ - "pull-request/[0-9]+"
+ - "main"
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: python
+ build-mode: none
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ queries: security-extended
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
From b08572dd9e3fee9315779fe4f06ad5ea1a6862e6 Mon Sep 17 00:00:00 2001
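Review bot: The `on:` block in the new bandit.yml runs the scan only on `push`, so the code-scanning results for `main` are refreshed only when a commit lands; the same applies to the codeql.yml hunk in this patch, where it matters more because `github/codeql-action/init@v3` resolves the CodeQL bundle and the `security-extended` suite at run time, and newly published queries never reach unchanged code without a run. Adding a `schedule:` trigger next to `push:` closes that gap, e.g. `schedule:` / `- cron: "0 6 * * 1"` (a constructed weekly slot; pick one for the project). Both workflows also key off the `pull-request/[0-9]+` branch pattern rather than a `pull_request` event, which presumably reflects a PR-mirroring setup; if so, a one-line comment above `on:` saying that would spare the next reader from wondering why fork PRs are not scanned directly.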
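Review bot: `actions/checkout@v4`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` in the new codeql.yml are pinned to mutable major tags, while the bandit hunk in the same patch pins `PyCQA/bandit-action` to a full commit SHA with a version comment; a tag can be moved to different code at any time, so the two workflows currently get different supply-chain guarantees. Pinning all three in the same `uses: owner/repo@<commit-sha> # vX.Y.Z` form (placeholder; take the SHA from the corresponding release) makes the workflows consistent, and Dependabot keeps the version comment in step with the SHA on updates. Separately, the `permissions:` block grants only `security-events: write`, which sets every unspecified scope, including `contents`, to `none`; that is fine for a public repository, but the CodeQL starter workflow lists `contents: read` and `actions: read` as required in private repositories, so add them if this repository is or becomes private.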
From: Keith Kraus
Date: Wed, 16 Apr 2025 15:15:36 -0400
Subject: [PATCH 2/6] Add concurrency groups and cancel in progress
Co-authored-by: Marcus D. Hanwell
---
 .github/workflows/bandit.yml | 3 +++
 .github/workflows/codeql.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 2fe6190b0e..b1897d5cc5 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -5,6 +5,9 @@ on: branches: - "pull-request/[0-9]+" - "main" +concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} + cancel-in-progress: true jobs: analyze:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 13cc6ae7db..27fa8b12cf 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -5,6 +5,9 @@ on: branches: - "pull-request/[0-9]+" - "main" +concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} + cancel-in-progress: true jobs: analyze:
From 67cd71a7a62486f5c6d2f5ad7665b2855b6a1eb2 Mon Sep 17 00:00:00 2001
From: Keith Kraus
Date: Thu, 17 Apr 2025 09:54:37 -0400
Subject: [PATCH 3/6] Add bandit to pre-commit
---
 .pre-commit-config.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 78d07f1dd8..f51b2e68ff 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -11,11 +11,15 @@ ci: repos: - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.11.4 + rev: 971923581912ef60a6b70dbf0c3e9a39563c9d47 #v0.11.4 hooks: - id: ruff args: [--fix, --show-fixes] - id: ruff-format + - repo: https://github.com/PyCQA/bandit + rev: 8ff25e07e487f143571cc305e56dd0253c60bc7b #v1.8.3 + hooks: + - id: bandit default_language_version: python: python3
From 0c2458ba8d488c52925b1d9aa3506fd112c1bd36 Mon Sep 17 00:00:00 2001
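Review bot: `cancel-in-progress: true` in the added `concurrency:` block of bandit.yml applies to `main` as well as to the `pull-request/[0-9]+` branches, because the `group` key carries no per-ref condition; a second push to `main` while a scan is running cancels the first run, so that commit never gets a code-scanning result uploaded for its SHA. The codeql.yml hunk in this patch has the identical block and the same gap. Restricting cancellation to non-default branches keeps `main` fully covered while still deduplicating PR runs: `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}`.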
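Review bot: The new `bandit` hook in .pre-commit-config.yaml has no `args:`, so it runs with Bandit's defaults and reads no project configuration; Bandit loads a config file only when given `-c`, and a `pyproject.toml` section additionally needs the `toml` extra. If the project keeps `[tool.bandit]` settings (excluded paths, skipped tests), the hook silently ignores them unless it gets `args: ["-c", "pyproject.toml"]` and `additional_dependencies: ["bandit[toml]"]`; if there is no such config this is harmless, but the hook and the bandit.yml workflow should then at least agree on what is scanned. A style point on the same hunk: the `#v0.11.4` and `#v1.8.3` comments after the pinned `rev:` values lack the space after `#` that yamllint expects (`# v1.8.3`), and since `pre-commit autoupdate` rewrites `rev:` to the newest tag, those comments will go stale at the next autoupdate unless whoever bumps the pin also touches them.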
From: Keith Kraus
Date: Thu, 17 Apr 2025 09:59:06 -0400
Subject: [PATCH 4/6] Change CodeQL workflow to only be manually triggered for now
---
 .github/workflows/codeql.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 27fa8b12cf..42ae3ef30f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,10 +1,7 @@ name: "Static Analysis: CodeQL Scan" -on: - push: - branches: - - "pull-request/[0-9]+" - - "main" +on: workflow_dispatch + concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} cancel-in-progress: true
From 95238cffa6cb46d459d1dacc83129421a98f5099 Mon Sep 17 00:00:00 2001
From: Keith Kraus
Date: Thu, 17 Apr 2025 10:07:43 -0400
Subject: [PATCH 5/6] skip bandit on pre-commit.ci
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f51b2e68ff..185a365e3b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -6,7 +6,7 @@ ci: autoupdate_branch: '' autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate' autoupdate_schedule: quarterly - skip: [] + skip: [bandit] submodules: false repos:
From 4d7632c7f57b81bec91230c21430dd37bd3ea820 Mon Sep 17 00:00:00 2001
From: Keith Kraus
Date: Mon, 21 Apr 2025 13:36:06 -0400
Subject: [PATCH 6/6] Revert "Change CodeQL workflow to only be manually triggered for now"
This reverts commit c529e5f7b848e7ab6076c62708c7666027e29b4e.
---
 .github/workflows/codeql.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 42ae3ef30f..27fa8b12cf 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
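Review bot: `skip: [bandit]` in the `ci:` block of .pre-commit-config.yaml drops the hook from pre-commit.ci runs without recording why, and the bandit.yml workflow added earlier in this series triggers only on pushes to `main` and `pull-request/[0-9]+` branches, so whether every change still gets a Bandit pass depends on how pull requests reach those branches. A comment above the key would preserve the intent for the next maintainer, e.g. `# bandit is run by .github/workflows/bandit.yml; skipped on pre-commit.ci because <reason>` with the reason filled in by the author.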
@@ -1,7 +1,10 @@ name: "Static Analysis: CodeQL Scan" -on: workflow_dispatch - +on: + push: + branches: + - "pull-request/[0-9]+" + - "main" concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} cancel-in-progress: true