diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml
index ff2aad459d..b2cb1eb041 100644
--- a/.github/workflows/code_scan.yml
+++ b/.github/workflows/code_scan.yml
@@ -16,11 +16,10 @@ jobs:
 uses: actions/setup-python@v4
 with:
 python-version: 3.8
- - name: Run checks
- run: |
- pip install --user -r tests/requirements-linters.txt
- echo "Bandit version: "`bandit --version | head -1`
- bandit -r -c ipas_default.config ./ -f txt -o bandit-report.txt
+ - name: Install dependencies
+ run: python -m pip install tox
+ - name: Bandit Scanning
+ run: tox -e bandit-scan
 - name: Upload Bandit artifact
 uses: actions/upload-artifact@v3
 with:
diff --git a/ipas_default.config b/ipas_default.config
index d7f185d9e7..ebd61dffff 100644
--- a/ipas_default.config
+++ b/ipas_default.config
@@ -90,6 +90,13 @@ tests:
 skips: [ 'B101', 'B102', 'B103', 'B104', 'B105', 'B106', 'B107', 'B108', 'B110', 'B112', 'B201', 'B501', 'B502', 'B503', 'B504', 'B505', 'B506', 'B507', 'B601', 'B602', 'B603', 'B604', 'B605', 'B606', 'B607', 'B608', 'B609', 'B610', 'B611', 'B701', 'B702', 'B703']
+# Added to exclude some path which are not actual source code for this project
+exclude_dirs: [
+ '.tox/',
+ '.vscode/',
+ '.git/',
+]
+
 ### (optional) plugin settings - some test plugins require configuration data
 ### that may be given here, per-plugin. All bandit test plugins have a built in
 ### set of sensible defaults and these will be used if no configuration is
diff --git a/tox.ini b/tox.ini
index 4cba16d43e..b107ad8574 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,11 +1,17 @@
 [tox]
 isolated_build = true
 skip_missing_interpreters = true
-envlist =
- pre-commit
+
 [testenv:pre-commit]
 basepython = python3
 deps = pre-commit
 commands = pre-commit run --show-diff-on-failure --color=always --all-files
+
+
+[testenv:bandit-scan]
+deps =
+ bandit
+commands =
+ - bandit -r -c {toxinidir}/ipas_default.config {toxinidir}/ -f txt -o {toxworkdir}/bandit-report.txt
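Review bot: The report is now written to `{toxworkdir}/bandit-report.txt` (`.tox/bandit-report.txt` with tox's default work dir) instead of `bandit-report.txt` in the checkout, but the `path` of the "Upload Bandit artifact" step lies outside this hunk and the commit does not touch it; if it still names the old location the upload will find nothing. Please confirm that step reads `path: .tox/bandit-report.txt`, and consider adding `if: always()` to it so the report is still uploaded when the scan step fails on findings. `run: python -m pip install tox` installs an unpinned tox, so the scan toolchain can change between runs; pinning the version keeps the job reproducible. The job body continues outside the hunk.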
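Review bot: The leading `-` on the bandit command in `[testenv:bandit-scan]` tells tox to ignore that command's exit status, so Bandit findings (which make it exit non-zero) can never fail `tox -e bandit-scan` or the workflow job that calls it, whereas the removed multi-command `run` step did fail on them. If the goal is only to keep the report when findings exist, drop the prefix — `    bandit -r -c {toxinidir}/ipas_default.config {toxinidir}/ -f txt -o {toxworkdir}/bandit-report.txt` — and let the artifact upload run unconditionally in the workflow instead. `deps = bandit` is unpinned, so the rule set and results can shift whenever a new Bandit release ships; pin a version. Also, with `envlist` removed a bare `tox` invocation no longer runs `pre-commit` by default — confirm that is intended.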