Add CodeQL and Bandit Static Analysis Scans

[kkraus14]

Description

Resolves #534

Adds scans using both CodeQL and Bandit. Could use some discussion on what level of reporting we wish to have here and when we want to error. I have updated the repo settings to alert on any Security alert severity level and set the Standard alert severity level to "Errors and warnings" as a starting point.

Checklist

• New or existing tests cover these changes.
• The documentation is up to date with these changes.

[copy-pr-bot]

Auto-sync is disabled for ready for review pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[kkraus14]

/ok to test b8d0441

[kkraus14]

/ok to test b8d0441

[cryos]

This looks good to me, I added a proposal for concurrency groups that are pretty simple and should work well, choosing something that should work well for both merges to main and PRs.

[cryos]

This needs the addition of bandit to the whitelist as noted in slack.

[cryos]

Bandit should be allowed to run now if you want to retry it.

[kkraus14]

/ok to test 634f56a

[kkraus14]

@leofang do you want me to add bandit / codeql to pre-commit before we merge this?

[kkraus14]

Do not merge. Needs an internal discussion before moving forward.

[leofang]

do you want me to add bandit / codeql to pre-commit before we merge this?

I think it is fine to do it in a separate PR, so we only need to resolve the internal discussion before merging.

[kkraus14]

This does pin the version of Bandit to v1.8.3 which could cause mismatches between this and the GitHub workflow.

[kkraus14]

An issue here:

• The GitHub action workflow for bandit runs pip install bandit[sarif] and doesn't give us a way to pin the version of bandit. (https://github.com/PyCQA/bandit-action/blob/8a1b30610f61f3f792fe7556e888c9d7dffa52de/action.yml#L80)
• The pre-commit hook does allow us to pin the version of bandit, which I've done to the current release.
• Running bandit via pre-commit.ci doesn't allow us to grab and upload the SARIF file into the GitHub code security tooling.

I've also temporarily moved the CodeQL action to be manually triggered only until our internal discussion is completed.

[kkraus14]

/ok to test 4d7632c

[kkraus14]

Merging for now and will create issues for following up on Bandit version pinning for the Action and CodeQL pre-commit hook.

[leofang]

Thanks, Keith!

[github-actions]

Doc Preview CI
Preview removed because the pull request was closed or merged.