Run Python Bandit scan on your codebase.

Bandit is a tool designed to find common security issues in Python code. This action will run Bandit on your codebase. The results of the scan will be found under the Security tab of your repository.

To run a bandit scan include a step like this:

    uses: shundor/bandit-action@v1
    with: 
        path: "."
        level: high
        confidence: high
        exit_zero: true           

Optional The path to run bandit on

Default "."

Optional Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything).

Default "UNDEFINED"

Optional Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything).

Default "UNDEFINED"

Optional Comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default is from the Bandit itself)

Default ".svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg"

Optional Exit with 0, even with results found (set "true" to use it)

Optional Comma-separated list of test IDs to skip

Optional Path to a .bandit file that supplies command line arguments

The action will create an artifact containing the sarif output.

• 🙇 This action is based on bandit-action by Melih Değiş.