GitHub Actions Workflow for Bandit
This document provides a minimal complete example workflow for setting up a Code Scanning action using Bandit through GitHub Actions. It leverages PyCQA’s bandit-action for seamless integration.
Example YAML Code for GitHub Actions Pipeline
Below is an example configuration for the GitHub Actions pipeline:
```yaml
name: Bandit
on:
  workflow_dispatch:
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      # Required for all workflows
      security-events: write
      # Only required for workflows in private repositories
      actions: read
      contents: read
    steps:
      - name: Perform Bandit Analysis
        uses: PyCQA/bandit-action@v1
```
Inputs
Below is a list of available inputs for the bandit-action and their descriptions:
| Name | Description | Required | Default Value |
|---|---|---|---|
| | Config file to use for selecting plugins and overriding defaults. | False | |
| | Profile to use (defaults to executing all tests). | False | |
| | Comma-separated list of test IDs to run. | False | |
| | Comma-separated list of test IDs to skip. | False | |
| | Report only issues of a given severity level or higher. Options include | False | |
| | Report only issues of a given confidence level or higher. Options include | False | |
| | Comma-separated list of paths (glob patterns supported) to exclude from the scan. These are in addition to excluded paths provided in the config file. | False | |
| | Path of a baseline report to compare against (only JSON-formatted files are accepted). | False | |
| | Path to a | False | |
| | Source file(s) or directory(s) to be tested. | False | |
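As an added example (not taken from this page or from PyCQA), here is a variant of the workflow above that runs the scan automatically on pushes, pull requests and a weekly schedule instead of only by manual dispatch, and that passes a few of the inputs from the table so the Code Scanning results stay actionable. The input names `targets`, `exclude`, `severity` and `confidence`, their accepted values, and the `actions/checkout` step are assumptions; check them against the action's README before use.

```yaml
name: Bandit

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly scan so that newly added Bandit checks are applied to unchanged code too.
    - cron: "0 6 * * 1"

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload results to the repository's Code Scanning tab.
      security-events: write
      # Only required for private repositories.
      actions: read
      contents: read
    steps:
      # Assumption: the scanner needs the repository contents in the workspace.
      - name: Check out source
        uses: actions/checkout@v4

      - name: Perform Bandit Analysis
        uses: PyCQA/bandit-action@v1
        # The input names and values below are assumed; see the action's README.
        with:
          # Scan only the application package, not tests or vendored code.
          targets: src
          exclude: "tests,vendor"
          # Report only medium-or-higher severity findings with medium-or-higher
          # confidence; remove both lines to see every finding Bandit produces.
          severity: medium
          confidence: medium
```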