Add CodeQL and Bandit Static Analysis Scans #560
Conversation
|
Auto-sync is disabled for ready for review pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
|
/ok to test b8d0441 |
|
/ok to test b8d0441 |
This comment has been minimized.
This comment has been minimized.
|
This needs the addition of bandit to the whitelist as noted in slack. |
|
Bandit should be allowed to run now if you want to retry it. |
|
/ok to test 634f56a |
|
@leofang do you want me to add bandit / codeql to pre-commit before we merge this? |
|
Do not merge. Needs an internal discussion before moving forward. |
I think it is fine to do it in a separate PR, so we only need to resolve the internal discussion before merging. |
| - repo: https://github.com/PyCQA/bandit | ||
| rev: 8ff25e07e487f143571cc305e56dd0253c60bc7b #v1.8.3 | ||
| hooks: | ||
| - id: bandit |
There was a problem hiding this comment.
This does pin the version of Bandit to v1.8.3 which could cause mismatches between this and the GitHub workflow.
|
An issue here:
I've also temporarily moved the CodeQL action to be manually triggered only until our internal discussion is completed. |
leofang
added
support
Co-authored-by: Marcus D. Hanwell <[email protected]>
This reverts commit c529e5f.
kkraus14
force-pushed
the
static_analysis
branch
from
4fa8b7c to
4d7632c
Compare
|
/ok to test 4d7632c |
|
Merging for now and will create issues for following up on Bandit version pinning for the Action and CodeQL pre-commit hook. |
|
Thanks, Keith! |
|
Description
Resolves #534
Adds scans using both CodeQL and Bandit. Could use some discussion on what level of reporting we wish to have here and when we want to error. I have updated the repo settings to alert on any Security alert severity level and set the Standard alert severity level to "Errors and warnings" as a starting point.
Checklist