feat: add integration tests by lhoupert · Pull Request #42 · developmentseed/action-python-security-auditing

lhoupert · 2026-03-30T09:26:11Z

Move integration tests originally maintained in https://github.com/lhoupert/action-python-security-auditing-tests/tree/pre-migration

gitguardian · 2026-03-30T09:26:16Z

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
29283725	Triggered	Generic Password	`cada289`	integration-tests/cases/02-requirements-src-bandit/src/app.py	View secret

🛠 Guidelines to remediate hardcoded secrets

Understand the implications of revoking this secret by investigating where it is used in your code.
Replace and store your secret safely. Learn here the best practices.
Revoke and rotate this secret.
If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

following these best practices for managing and storing secrets including API keys and other credentials
install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

+
+      - name: Set up uv
+        if: matrix.setup == 'uv'
+        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.3.1


+        if: always()
+        run: |
+          mkdir -p outcome
+          echo "${{ steps.audit.outcome }}" > outcome/outcome.txt


+    needs: [integration-test]
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write


+          fi
+
+          MARKER="<!-- integration-test-validation-report -->"
+          PR_NUMBER="${{ github.event.pull_request.number }}"


+          # Find existing comment with our marker
+          COMMENT_ID=$(
+            gh api \
+              "repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \


+
+          if [ -n "$COMMENT_ID" ]; then
+            gh api \
+              "repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \


github-advanced-security · 2026-03-30T09:26:40Z

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

+def run_command(cmd: str) -> int:
+    """Run a shell command."""
+    # B602: subprocess call with shell=True — HIGH severity
+    return subprocess.call(cmd, shell=True)  # noqa: S602


+def process(data: str) -> None:
+    """Process data via shell command."""
+    # B602: subprocess with shell=True — HIGH severity
+    subprocess.call(f"process.sh {data}", shell=True)  # noqa: S602


+import subprocess
+
+def run_command(user_input: str) -> str:
+    result = subprocess.run(user_input, shell=True, capture_output=True, text=True)


@@ -0,0 +1,15 @@
+"""Command runner — intentionally insecure for bandit testing."""
+import subprocess


+def get_config() -> dict:
+    """Return config dict."""
+    # B105: hardcoded password string — MEDIUM severity
+    password = "supersecret123"  # noqa: S105


+def authenticate(user: str) -> dict:
+    """Return auth config for a user."""
+    # B105: hardcoded password string — MEDIUM severity
+    db_password = "hardcoded_db_pass"  # noqa: S105


@@ -0,0 +1,8 @@
+"""Data processor — intentionally insecure for bandit testing."""
+import subprocess


@@ -0,0 +1,6 @@
+"""Intentional B602 — subprocess call with shell=True."""
+import subprocess


+def compute_hash(data: bytes) -> str:
+    """Compute a digest of the given data."""
+    # B303: use of MD5 — MEDIUM severity
+    return hashlib.md5(data).hexdigest()  # noqa: S324


+def parse_config(data: str) -> dict:
+    """Parse YAML config string."""
+    # B506: yaml.load without Loader — MEDIUM severity
+    return yaml.load(data)  # noqa: S506


+"""Intentional B101 — use of assert in non-test code."""
+
+def validate(value: int) -> int:
+    assert value > 0, "Value must be positive"


+def deploy(target: str) -> None:
+    """Deploy to the given target."""
+    # B602: subprocess with shell=True — HIGH severity
+    subprocess.call(f"deploy.sh {target}", shell=True)  # noqa: S602


+def handle_request(cmd: str) -> int:
+    """Execute a request via shell command."""
+    # B602: subprocess with shell=True — HIGH severity
+    return subprocess.call(cmd, shell=True)  # noqa: S602


@@ -0,0 +1,8 @@
+"""Deploy script — intentionally insecure for bandit testing."""
+import subprocess


@@ -0,0 +1,8 @@
+"""Request handler — intentionally insecure for bandit testing."""
+import subprocess


github-actions · 2026-03-30T09:26:58Z

Security Audit Report

View workflow run

Bandit — Static Security Analysis (Security tab)

12 issue(s) found: 12 low

✅ No issues at or above HIGH severity.

12 low issue(s) below threshold not shown in table.

pip-audit — Dependency Vulnerabilities (Security tab)

Package	Version	ID	Fix Versions	Description
pygments	2.19.2	CVE-2026-4539	none	A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file

1 vulnerability/vulnerabilities found (0 fixable) across 1 package(s).

Result: ✅ No blocking issues found.

+def legacy_hash(data: bytes) -> str:
+    """Compute a legacy hash of data."""
+    # B303: use of MD5 — MEDIUM severity
+    return hashlib.md5(data).hexdigest()  # noqa: S324


+def check_token(token: str) -> bool:
+    """Validate an API token."""
+    # B105: hardcoded password string — MEDIUM severity
+    secret = "dev_secret_token_abc123"  # noqa: S105


github-actions · 2026-03-30T09:27:35Z

✅ All test workflows behaved as expected

14 passed, 0 failed

Test	Name	Expected	Actual	Bandit	pip-audit	Result
01	requirements · flat · clean	success	success	—	—	✅
02	requirements · src/ · bandit HIGH	failure	failure	B105, B404, B602	—	✅
03	requirements · src/+scripts/ · bandit HIGH + pip-audit	failure	failure	B105, B404, B602	cryptography, idna, requests, urllib3	✅
04	uv · flat · clean	success	success	—	—	✅
05	uv · src/ · pip-audit vuln	failure	failure	—	idna, requests, urllib3	✅
06	uv · src/+scripts/ · bandit MEDIUM	failure	failure	B324, B506	—	✅
07	poetry · flat · clean	success	success	—	—	✅
08	poetry · src/ · bandit MEDIUM + pip-audit	failure	failure	B105, B324	cryptography, idna, requests, urllib3	✅
09	pipenv · flat · clean	success	success	—	—	✅
10	pipenv · src/+scripts/ · bandit HIGH	failure	failure	B404, B602	—	✅
11	requirements · flat · clean (root working dir)	success	success	—	—	✅
12	uv · flat · bandit-only (no pip-audit)	failure	failure	B404, B602	disabled	✅
13	requirements · flat · unfixable vulns (should pass)	success	success	—	pygments	✅
14	uv · flat · low threshold (B101 assert)	failure	failure	B101	disabled	✅

lhoupert · 2026-03-30T09:34:00Z

all security warning are due to integration tests

feat: add integration tests

cada289

github-advanced-security AI found potential problems Mar 30, 2026

View reviewed changes

lhoupert merged commit 437ac46 into main Mar 30, 2026
21 of 22 checks passed

lhoupert deleted the feat--add-integration-tests branch March 30, 2026 09:33

github-actions Bot mentioned this pull request Mar 30, 2026

chore(main): release 0.5.0 #43

Merged

		@@ -0,0 +1,15 @@
		"""Command runner — intentionally insecure for bandit testing."""
		import subprocess

		@@ -0,0 +1,8 @@
		"""Data processor — intentionally insecure for bandit testing."""
		import subprocess

		@@ -0,0 +1,6 @@
		"""Intentional B602 — subprocess call with shell=True."""
		import subprocess

		@@ -0,0 +1,8 @@
		"""Deploy script — intentionally insecure for bandit testing."""
		import subprocess

		@@ -0,0 +1,8 @@
		"""Request handler — intentionally insecure for bandit testing."""
		import subprocess

Conversation

lhoupert commented Mar 30, 2026

Uh oh!

gitguardian Bot commented Mar 30, 2026

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Uh oh!

Check warning

Check notice

Check notice

Check notice

Check notice

Check notice

github-advanced-security AI commented Mar 30, 2026

What Enabling Code Scanning Means:

Uh oh!

Check failure

Check failure

Check failure

Check notice

Check notice

Check notice

Check notice

Check notice

Check failure

Check warning

Check notice

Check failure

Check failure

Check notice

Check notice

github-actions Bot commented Mar 30, 2026

Security Audit Report

Bandit — Static Security Analysis (Security tab)

pip-audit — Dependency Vulnerabilities (Security tab)

Uh oh!

Check failure

Check notice

github-actions Bot commented Mar 30, 2026

✅ All test workflows behaved as expected

Uh oh!

Uh oh!

lhoupert commented Mar 30, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants