

Merge pull request #56 from uclahs-cds/aholmes-sast
Add SAST scanner
aholmes authored Mar 27, 2024
2 parents c567923 + 8d53023 commit c56b1c7
Showing 3 changed files with 146 additions and 75 deletions.
102 changes: 72 additions & 30 deletions .github/workflows/CICD.yaml
Expand Up @@ -41,6 +41,7 @@ jobs:
outputs:
cache-key-dependencies: ${{ steps.generate-cache-keys.outputs.cache_key }}
cache-key-run: ${{ steps.generate-cache-keys.outputs.cache_key_run }}
python-version: ${{ steps.install-python.outputs.python-version }}

env:
PYTHON_VERSION: "3.10"
Expand All @@ -61,21 +62,10 @@ jobs:
echo "cache_key_dependencies=$cache_key_dependencies" >> $GITHUB_OUTPUT
echo "cache_key_run=$cache_key_run" >> $GITHUB_OUTPUT
#- name: Restore dependency cache
# if: ${{ success() && (github.event_name != 'workflow_dispatch' || inputs.use_dependency_cache == 'true') }}
# TODO figure out a way to get 3rd party dependencies cached without caching BL_Python ... maybe.
# uses: actions/cache/restore@v4
# id: restore-dependency-cache
# with:
# path: |
# .github-venv
# node_modules
# key: ${{ steps.generate-cache-keys.outputs.cache_key_dependencies }}

- name: Set up Python ${{ env.PYTHON_VERSION }}
- name: Set up Python ${{ steps.generate-cache-keys.outputs.python-version }}
#if: ${{ success() && (inputs.use_dependency_cache == 'false' || !steps.restore-dependency-cache.outputs.cache-hit) }}
uses: actions/setup-python@v5
id: install_python
id: install-python
with:
python-version: ${{ env.PYTHON_VERSION }}

Expand All @@ -90,17 +80,6 @@ jobs:
echo 'prefix=${{ github.workspace }}/node_modules' >> ~/.npmrc
npm install -g pyright@`pyright --version | awk '{print $2}'`
# TODO see note above about 3rd party dependencies.
#- name: Save dependency cache
# if: ${{ success() && !steps.restore-dependency-cache.outputs.cache-hit }}
# uses: actions/cache/save@v4
# id: save-dependency-cache
# with:
# path: |
# .github-venv
# node_modules
# key: ${{ steps.generate-cache-keys.outputs.cache_key_dependencies }}

- name: Save run cache
uses: actions/cache/save@v4
id: save-run-cache
Expand All @@ -115,14 +94,14 @@ jobs:
- Checkout

env:
PYTHON_VERSION: "3.10"
PYTHON_VERSION: ${{ needs.Checkout.outputs.python-version }}

if: ${{( success() && !cancelled() ) }}

steps:
- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
id: install_python
id: install-python
with:
python-version: ${{ env.PYTHON_VERSION }}

Expand All @@ -140,6 +119,7 @@ jobs:
VENV=.github-venv \
PYRIGHT_MODE=npm \
DEFAULT_TARGET=cicd \
make test-pyright
Pytest:
Expand All @@ -149,14 +129,14 @@ jobs:
- Checkout

env:
PYTHON_VERSION: "3.10"
PYTHON_VERSION: ${{ needs.Checkout.outputs.python-version }}

if: ${{( success() && !cancelled() ) }}

steps:
- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
id: install_python
id: install-python
with:
python-version: ${{ env.PYTHON_VERSION }}

Expand All @@ -174,6 +154,7 @@ jobs:
VENV=.github-venv \
PYTEST_FLAGS="-k 'not acceptance'" \
DEFAULT_TARGET=cicd \
make test-pytest
- name: Output pytest report
Expand All @@ -189,21 +170,79 @@ jobs:
retention-days: 1
if-no-files-found: error

Bandit:
name: SAST scanning
runs-on: ubuntu-latest
needs:
- Checkout

env:
PYTHON_VERSION: ${{ needs.Checkout.outputs.python-version }}

if: ${{( success() && !cancelled() ) }}

# FIXME Ignore errors while testing Bandit
continue-on-error: true

steps:
- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
id: install-python
with:
python-version: ${{ env.PYTHON_VERSION }}

- uses: actions/cache/restore@v4
name: Restore run cache
id: restore-run-cache
with:
key: ${{ needs.Checkout.outputs.cache-key-run }}
path: ${{ github.workspace }}
fail-on-cache-miss: true

- name: Run bandit scan and generate reports
run: |
echo Running bandit
VENV=.github-venv \
DEFAULT_TARGET=cicd \
make test-bandit || BANDIT_EXIT_CODE=$?
echo "Bandit exit code: $BANDIT_EXIT_CODE"
if [ $BANDIT_EXIT_CODE -ne 0 ]; then
echo "::warning title=Bandit::Bandit exit code: $BANDIT_EXIT_CODE"
fi
- name: Output bandit report artifact
uses: actions/upload-artifact@v4
if: ${{ always() }}
with:
name: bandit-sast-report
path: |
bandit.sarif
retention-days: 1
if-no-files-found: error

- name: Upload bandit report to CodeQL
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: bandit.sarif

Style:
name: Style and formatting
runs-on: ubuntu-latest
needs:
- Checkout

env:
PYTHON_VERSION: "3.10"
PYTHON_VERSION: ${{ needs.Checkout.outputs.python-version }}

if: ${{( success() && !cancelled() ) }}

steps:
- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
id: install_python
id: install-python
with:
python-version: ${{ env.PYTHON_VERSION }}

Expand All @@ -218,11 +257,13 @@ jobs:
- name: Check code style
run: |
VENV=.github-venv \
DEFAULT_TARGET=cicd \
make test-ruff
- name: Check import order
run: |
VENV=.github-venv \
DEFAULT_TARGET=cicd \
make test-isort
Final-status-check:
Expand All @@ -232,6 +273,7 @@ jobs:
- Checkout
- Pyright
- Pytest
- Bandit
- Style
# this job should run regardless of success, failure, or skips,
# but not if the workflow is cancelled. `always()` ignores cancelled,
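Review bot: In the new Bandit job's "Run bandit scan and generate reports" step, the scan result is neutralised at two independent layers: `make test-bandit || BANDIT_EXIT_CODE=$?` turns any finding into a `::warning` and the step still exits 0, while the job-level `continue-on-error: true` (already marked FIXME) masks the job in `Final-status-check`. Removing the FIXME alone will not make the SAST gate enforcing; the step would also need to re-raise the captured status, e.g. end the script with `exit "${BANDIT_EXIT_CODE:-0}"`, or the job will keep reporting success on findings. Separately, `BANDIT_EXIT_CODE` is only assigned on failure, so on a clean scan `[ $BANDIT_EXIT_CODE -ne 0 ]` runs against an empty string and prints a `[: -ne: unary operator expected` error; initialising with `BANDIT_EXIT_CODE=0` before the `make` line (or testing `"${BANDIT_EXIT_CODE:-0}"`) fixes that. The "Upload bandit report to CodeQL" step using `github/codeql-action/upload-sarif@v3` needs `security-events: write` on the job or workflow; no `permissions:` block is visible in this section, and if one is absent elsewhere in the file the upload will fail while `continue-on-error` hides it, so that should be confirmed.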

0 comments on commit c56b1c7
