Skip to content

ci: add blocking bandit gate (P-20) #45

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pcalnon merged 1 commit into from
May 4, 2026
Merged

ci: add blocking bandit gate (P-20) #45

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 19 additions & 4 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -384,21 +384,36 @@ jobs:
- name: Install security tools
run: |
python -m pip install --upgrade pip
pip install bandit pip-audit
# ``[sarif]`` extra installs the optional SARIF formatter (jschema-to-python).
pip install "bandit[sarif]" pip-audit

- name: Create reports directory
run: mkdir -p reports/security

- name: Run Bandit (SAST) -> SARIF
- name: Run Bandit (SAST)
# P-20 (cross-repo CI audit): mirror cascor / data's two-step
# bandit pattern. Step 1 emits SARIF with --exit-zero so the
# report always uploads; step 2 is the actual gate that fails
# the job on medium-severity findings. Previously this step was
# a single ``bandit … || true`` with no follow-up blocking
# invocation, so any genuine finding was silently tolerated.
run: |
echo "╔════════════════════════════════════════════════════════════╗"
echo "║ juniper-data-client - Bandit Security Scan ║"
echo "╚════════════════════════════════════════════════════════════╝"
bandit -r juniper_data_client -f sarif -o reports/security/bandit.sarif || true
# SARIF (always succeeds for upload).
bandit -r juniper_data_client -f sarif -o reports/security/bandit.sarif --exit-zero
# Blocking — fails on medium or higher.
bandit -r juniper_data_client --confidence-level medium --severity-level medium

- name: Upload Bandit SARIF to GitHub Security
# ``hashFiles`` returns empty when the file is absent; only
# attempt the upload when SARIF actually exists. Combined with
# ``continue-on-error`` this keeps the job green even if a
# security-tools regression prevents bandit from emitting the
# file (mirrors the canonical pattern from juniper-data PR #67).
if: always() && hashFiles('reports/security/bandit.sarif') != ''
uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
if: always()
with:
sarif_file: reports/security/bandit.sarif
continue-on-error: true
Expand Down
Loading