diff --git a/.github/-.txt b/.github/-.txt deleted file mode 100644 index 8b13789..0000000 --- a/.github/-.txt +++ /dev/null @@ -1 +0,0 @@ - diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml deleted file mode 100644 index 95b1471..0000000 --- a/.github/workflows/bandit.yml +++ /dev/null @@ -1,52 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# Bandit is a security linter designed to find common security issues in Python code. -# This action will run Bandit on your codebase. -# The results of the scan will be found under the Security tab of your repository. - -# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname -# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA - -name: Bandit -on: - push: - branches: [ "main" ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '39 20 * * 2' - -jobs: - bandit: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Bandit Scan - uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd - with: # optional arguments - # exit with 0, even with results found - exit_zero: true # optional, default is DEFAULT - # Github token of the repository (automatically created by Github) - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. - # File or directory to run bandit on - # path: # optional, default is . - # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything) - # level: # optional, default is UNDEFINED - # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything) - # confidence: # optional, default is UNDEFINED - # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg) - # excluded_paths: # optional, default is DEFAULT - # comma-separated list of test IDs to skip - # skips: # optional, default is DEFAULT - # path to a .bandit file that supplies command line arguments - # ini_path: # optional, default is DEFAULT - diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml index 87eb186..a7fb286 100644 --- a/.github/workflows/powershell.yml +++ b/.github/workflows/powershell.yml @@ -34,12 +34,9 @@ jobs: - name: Run PSScriptAnalyzer uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f with: - # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. - # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. - path: .\ + path: . recurse: true - # Include your own basic security rules. Removing this option will run all the rules - includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' + includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText", "PSAvoidUsingComputerNameHardcoded", "PSUseDeclaredVarsMoreThanAssignments", "PSAvoidUsingCmdletAliases", "PSUseShouldProcessForStateChangingFunctions", "PSAvoidUsingPositionalParameters", "PSUseOutputTypeCorrectly"' output: results.sarif # Upload the SARIF file generated in the previous step