Merged
Conversation
2a61821 to 5229e3c
sigmavirus24 (Member) reviewed May 2, 2024 and left a comment:
I don't know enough to approve this. How can we test it?
Convert the current Docker container based action into a composite action. A composite action no longer requires a Dockerfile or entrypoint script.

The actual action YAML now parameterizes the key selected arguments of Bandit into official inputs into the action.

The output of the code scan is to generate a JSON file using Bandit's SARIF format. This can be uploaded and rendered nicely into GitHub's ecosystem as a "Code Scanning" application.

https://docs.github.com/en/actions/creating-actions/creating-a-composite-action

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
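As an added illustration of the composite-action layout the commit message describes: this is not the project's own action.yml, the input names (`targets`, `configfile`, `severity`, `confidence`, `exclude`, `skips`, `output`) and their defaults are assumptions, and the `bandit[sarif]` install step is how the SARIF formatter is obtained from PyPI rather than anything the PR states.

```yaml
# action.yml -- added example of a composite action wrapping Bandit.
# Not the project's own file; input names and defaults are assumptions.
name: "Bandit (composite example)"
description: "Run Bandit and publish its SARIF output to GitHub Code Scanning"

inputs:
  targets:
    description: "Files or directories to scan (space-separated)"
    default: "."
  configfile:
    description: "Optional Bandit config file (bandit -c)"
    default: ""
  severity:
    description: "Minimum severity to report: all, low, medium or high"
    default: "low"
  confidence:
    description: "Minimum confidence to report: all, low, medium or high"
    default: "low"
  exclude:
    description: "Comma-separated paths to exclude (bandit -x)"
    default: ""
  skips:
    description: "Comma-separated test IDs to skip, e.g. B101,B601 (bandit -s)"
    default: ""
  output:
    description: "Path of the SARIF file to write and upload"
    default: "bandit-results.sarif"

runs:
  using: "composite"
  steps:
    - name: Install Bandit with the SARIF formatter
      shell: bash
      run: python3 -m pip install --upgrade "bandit[sarif]"

    - name: Run Bandit
      shell: bash
      # Inputs are passed through env rather than interpolated into the
      # script text, so a crafted input value cannot inject shell commands
      # into this run step.
      env:
        TARGETS: ${{ inputs.targets }}
        CONFIGFILE: ${{ inputs.configfile }}
        SEVERITY: ${{ inputs.severity }}
        CONFIDENCE: ${{ inputs.confidence }}
        EXCLUDE: ${{ inputs.exclude }}
        SKIPS: ${{ inputs.skips }}
        OUTPUT: ${{ inputs.output }}
      run: |
        args=(-r -f sarif -o "$OUTPUT"
              --severity-level "$SEVERITY" --confidence-level "$CONFIDENCE")
        if [ -n "$CONFIGFILE" ]; then args+=(-c "$CONFIGFILE"); fi
        if [ -n "$EXCLUDE" ];    then args+=(-x "$EXCLUDE"); fi
        if [ -n "$SKIPS" ];      then args+=(-s "$SKIPS"); fi
        # shellcheck disable=SC2086  # TARGETS is intentionally word-split
        args+=($TARGETS)
        # --exit-zero keeps this step green so the upload below always runs;
        # findings are then enforced through Code Scanning alerts, not the
        # scan step's exit status.
        bandit --exit-zero "${args[@]}"

    - name: Upload SARIF to Code Scanning
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: ${{ inputs.output }}
```

Two checks worth making against a real action.yml: every `run` step in a composite action must declare `shell:`, and the calling workflow (not the action) must grant `security-events: write`, or the `upload-sarif` step is rejected with a 403 even though the scan itself succeeded.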
Member, Author:
You can copy-and-paste this example action workflow:

As long as you have some vulnerable code in your repo, the results will appear in the Security -> Code scanning tab. For example:
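An added example of a calling workflow of the kind described in the comment above. It is not the author's posted workflow (which is not reproduced on this page); the action reference `OWNER/bandit-action@main` is a placeholder, and the input names under `with:` are assumed and must be matched against the action's own action.yml.

```yaml
# .github/workflows/bandit.yml -- added example, not the author's workflow.
name: Bandit

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege: the job only needs to read the checkout and write
# Code Scanning alerts. Without security-events: write the SARIF upload
# fails with a 403.
permissions:
  contents: read
  security-events: write

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the code to scan
        uses: actions/checkout@v4

      - name: Provide a Python interpreter for Bandit
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Run Bandit and upload SARIF
        # Placeholder reference: substitute the action's real owner/repo and
        # pin it to a release tag or commit SHA rather than a moving branch.
        uses: OWNER/bandit-action@main
        with:
          targets: "src tests"       # assumed input names; check action.yml
          severity: "medium"
          confidence: "medium"
          skips: "B101"              # assert_used is noisy in test code
          output: "bandit-results.sarif"
```

To exercise the PR branch itself rather than a published release, check out the action's repository and replace the `uses:` line with `uses: ./`; a file that calls `subprocess` with `shell=True` is enough to produce a Code scanning alert to confirm the SARIF upload worked.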
Member:
I totally missed this one, sorry about that. Taking a look now!
Member:
How do you see this working with #6? I guess that's no longer needed now (which I am totally fine with)?
Member, Author:

Member, Author:
Any further thoughts on this one before merging?
sigmavirus24 approved these changes Jun 23, 2024