fix: fix bandit workflow configuration (DEV-2536) #470

dasch-swiss · Aug 14, 2023 · 4fd6a10 · 4fd6a10
1 parent bace9aa
commit 4fd6a10
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
@@ -10,11 +10,16 @@ jobs:
     permissions:
       contents: read                                    # for actions/checkout to fetch code
       security-events: write                            # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read                                     # only required for a private repository by 
+                                                        # github/codeql-action/upload-sarif to get the Action run status
+
 
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Bandit Scan
         uses: shundor/python-bandit-scan@main
         with: # optional arguments
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}     # Needed to get PR information.
+          level: high
+          confidence: medium