Semgrep and Bandit config refactor (#2646)

* semgrep bandit fixes

Signed-off-by: Barabanov <[email protected]>

* semgrep bandit logic fix

Signed-off-by: Barabanov <[email protected]>

* fix bandit flow

Signed-off-by: Barabanov <[email protected]>

* fix semgrep flow

Signed-off-by: Barabanov <[email protected]>

* fix semgrep cli

Signed-off-by: Barabanov <[email protected]>

* fix semgrep cli

Signed-off-by: Barabanov <[email protected]>

* rename env vars

Signed-off-by: Barabanov <[email protected]>

---------

Signed-off-by: Barabanov <[email protected]>
Co-authored-by: Samet Akcay <[email protected]>

Author: AlexanderBarabanov

.github/actions/security/bandit/action.yaml

@@ -55,22 +55,22 @@ inputs:
   paths:
     description: "Paths to scan when using all scope"
     required: false
-    default: "./src"
+    default: "." # all scope by default, exclude_dirs are taken from pyproject.toml
   config_file:
     description: "Path to pyproject.toml or custom bandit config"
     required: false
     default: "pyproject.toml"
-  severity_level:
+  severity-level:
     description: "Minimum severity level to report (all/LOW/MEDIUM/HIGH)"
     default: "LOW"
-  confidence_level:
+  confidence-level:
     description: "Minimum confidence level to report (all/LOW/MEDIUM/HIGH)"
     required: false
     default: "LOW"
   output-format:
-    description: "Format for scan results (json/txt/html/csv)"
+    description: "Format for scan results (json/txt/html/csv/sarif)"
     required: false
-    default: "json"
+    default: "sarif" # by default to upload into Security tab
   fail-on-findings:
     description: "Whether to fail the action if issues are found"
     required: false
@@ -88,20 +88,20 @@ runs:
   using: composite
   steps:
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
       with:
         python-version: "3.10"
 
     - name: Install Bandit
       shell: bash
       run: |
         python -m pip install --upgrade pip
-        pip install bandit[toml]
+        pip install bandit[toml,sarif]
 
     - name: Get changed files
       if: inputs.scan-scope == 'changed'
       id: changed-files
-      uses: tj-actions/changed-files@v41
+      uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46.0.3
       with:
         files: |
           **/*.py
@@ -111,31 +111,50 @@ runs:
     - name: Run Bandit scan
       id: run-bandit
       shell: bash
+      env:
+        INPUTS_SCAN_SCOPE: ${{ inputs.scan-scope }}
+        INPUTS_PATHS: ${{ inputs.paths }}
+        INPUTS_CONFIG_FILE: ${{ inputs.config_file }}
+        INPUTS_SEVERITY_LEVEL: ${{ inputs.severity-level }}
+        INPUTS_CONFIDENCE_LEVEL: ${{ inputs.confidence-level }}
+        INPUTS_OUTPUT_FORMAT: ${{ inputs.output-format }}
+        INPUTS_FAIL_ON_FINDINGS: ${{ inputs.fail-on-findings }}
       run: |
-        REPORT_FILE="bandit-report.${{ inputs.output-format }}"
-
-        if [[ "${{ inputs.scan-scope }}" == "changed" && -n "${{ steps.changed-files.outputs.all_changed_files }}" ]]; then
-          echo "Running Bandit on changed files"
-          FILES="${{ steps.changed-files.outputs.all_changed_files }}"
-        else
-          echo "Running Bandit on all files in ${{ inputs.paths }}"
-          FILES="${{ inputs.paths }}"
-        fi
+        set +e
+        REPORT_FILE="bandit-report.$INPUTS_OUTPUT_FORMAT"
 
         # Convert severity and confidence to lowercase
-        SEVERITY=$(echo "${{ inputs.severity_level }}" | tr '[:upper:]' '[:lower:]')
-        CONFIDENCE=$(echo "${{ inputs.confidence_level }}" | tr '[:upper:]' '[:lower:]')
+        SEVERITY=$(echo "$INPUTS_SEVERITY_LEVEL" | tr '[:upper:]' '[:lower:]')
+        CONFIDENCE=$(echo "$INPUTS_CONFIDENCE_LEVEL" | tr '[:upper:]' '[:lower:]')
 
-        bandit \
-          -c ${{ inputs.config_file }} \
-          --severity-level ${SEVERITY} \
-          --confidence-level ${CONFIDENCE} \
-          -f ${{ inputs.output-format }} \
-          -o "${REPORT_FILE}" \
-          -r ${FILES} || echo "exit_code=$?" >> $GITHUB_OUTPUT
+        if [[ "$INPUTS_SCAN_SCOPE" == "changed" && -n "${{ steps.changed-files.outputs.all_changed_files }}" ]]; then
+          echo "Running Bandit on changed files, output results into workflow log only"
+          FILES="${{ steps.changed-files.outputs.all_changed_files }}"
+          bandit \
+            -a file \
+            -c "$INPUTS_CONFIG_FILE" \
+            --severity-level ${SEVERITY} \
+            --confidence-level ${CONFIDENCE} \
+            -r ${FILES}
+          exit_code="$?"
+          echo "exit_code=$exit_code" >> $GITHUB_OUTPUT
 
-        echo "report_path=${REPORT_FILE}" >> $GITHUB_OUTPUT
+        elif [[ "$INPUTS_SCAN_SCOPE" == "all" ]] ; then
+          echo "Running Bandit on all files in $INPUTS_PATHS"
+          bandit \
+            -c "$INPUTS_CONFIG_FILE" \
+            --severity-level ${SEVERITY} \
+            --confidence-level ${CONFIDENCE} \
+            -f "$INPUTS_OUTPUT_FORMAT" \
+            -o "${REPORT_FILE}" \
+            -r "$INPUTS_PATHS"
+          exit_code="$?"
+          echo "exit_code=$exit_code" >> $GITHUB_OUTPUT
+          echo "report_path=${REPORT_FILE}" >> $GITHUB_OUTPUT
+        else
+          echo "No files to scan found"
+        fi
 
-        if [[ "${{ inputs.fail-on-findings }}" == "true" && -n "$exit_code" && "$exit_code" != "0" ]]; then
+        if [[ "$INPUTS_FAIL_ON_FINDINGS" == "true" && -n "$exit_code" && "$exit_code" != "0" ]]; then
           exit $exit_code
         fi

.github/actions/security/semgrep/action.yaml

@@ -59,7 +59,7 @@ inputs:
   config:
     description: "Semgrep rules or config to use"
     required: false
-    default: "p/default"
+    default: "p/default p/cwe-top-25 p/trailofbits p/owasp-top-ten"
   severity:
     description: "Minimum severity level to report (ERROR/WARNING/INFO)"
     required: false
@@ -88,68 +88,80 @@ outputs:
 runs:
   using: composite
   steps:
-    - name: Set up Python
-      uses: actions/setup-python@v4
-      with:
-        python-version: "3.10"
-
-    - name: Install Semgrep
-      shell: bash
-      run: |
-        python -m pip install --upgrade pip
-        pip install semgrep
-
     - name: Get changed files
       if: inputs.scan-scope == 'changed'
       id: changed-files
-      uses: tj-actions/changed-files@v41
+      uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46.0.3
       with:
         files: |
           **/*.*
 
     - name: Run Semgrep scan
       id: run-semgrep
       shell: bash
+      # Set the SEMGREP_RULES environment variable to specify which rules Semgrep should use.
+      env:
+        SEMGREP_RULES: ${{ inputs.config }}
+        INPUTS_SCAN_SCOPE: ${{ inputs.scan-scope }}
+        INPUTS_PATHS: ${{ inputs.paths }}
+        INPUTS_SEVERITY: ${{ inputs.severity }}
+        INPUTS_TIMEOUT: ${{ inputs.timeout }}
+        INPUTS_OUTPUT_FORMAT: ${{ inputs.output-format }}
+        INPUTS_FAIL_ON_FINDINGS: ${{ inputs.fail-on-findings }}
       run: |
+        set +e
         # Map standard severity levels to Semgrep's levels
-        case "${{ inputs.severity }}" in
+        # Semgrep does not support hierarchy, levels must be set explicitly
+        case "$INPUTS_SEVERITY" in
           "LOW")
-            SEMGREP_SEVERITY="INFO"
+            SEMGREP_SEVERITY="--severity INFO --severity WARNING --severity ERROR"
             ;;
           "MEDIUM")
-            SEMGREP_SEVERITY="WARNING"
+            SEMGREP_SEVERITY="--severity WARNING --severity ERROR"
             ;;
           "HIGH"|"CRITICAL")
-            SEMGREP_SEVERITY="ERROR"
+            SEMGREP_SEVERITY="--severity ERROR"
             ;;
           *)
-            SEMGREP_SEVERITY="WARNING"
+            SEMGREP_SEVERITY="--severity WARNING --severity ERROR"
             ;;
         esac
 
         # Create results directory
         mkdir -p security-results/semgrep
 
-        REPORT_FILE="security-results/semgrep/semgrep-results.${{ inputs.output-format }}"
+        REPORT_FILE="security-results/semgrep/semgrep-results.$INPUTS_OUTPUT_FORMAT"
 
-        if [[ "${{ inputs.scan-scope }}" == "changed" && -n "${{ steps.changed-files.outputs.all_changed_files }}" ]]; then
-          echo "Running Semgrep on changed files"
+        if [[ "$INPUTS_SCAN_SCOPE" == "changed" && -n "${{ steps.changed-files.outputs.all_changed_files }}" ]]; then
+          echo "Running Semgrep on changed files, output results into workflow log only"
           FILES="${{ steps.changed-files.outputs.all_changed_files }}"
-        else
-          echo "Running Semgrep on all files in ${{ inputs.paths }}"
-          FILES="${{ inputs.paths }}"
-        fi
+        semgrep \
+          ${SEMGREP_SEVERITY} \
+          --error \
+          --timeout "$INPUTS_TIMEOUT" \
+          --metrics=off \
+          ${FILES}
+        exit_code="$?"
+        echo "exit_code=$exit_code" >> $GITHUB_OUTPUT
 
+        elif [[ "$INPUTS_SCAN_SCOPE" == "all" ]] ; then
+          echo "Running Semgrep on all files in $INPUTS_PATHS"
         semgrep \
-          --config ${{ inputs.config }} \
-          --severity $SEMGREP_SEVERITY \
-          --timeout ${{ inputs.timeout }} \
-          --${{ inputs.output-format }} \
+          ${SEMGREP_SEVERITY} \
+          --error \
+          --metrics=off \
+          --timeout "$INPUTS_TIMEOUT" \
+          --"$INPUTS_OUTPUT_FORMAT" \
           -o "${REPORT_FILE}" \
-          ${FILES} || echo "exit_code=$?" >> $GITHUB_OUTPUT
-
+          "$INPUTS_PATHS"
+        exit_code="$?"
+        echo "exit_code=$exit_code" >> $GITHUB_OUTPUT
         echo "report_path=${REPORT_FILE}" >> $GITHUB_OUTPUT
 
-        if [[ "${{ inputs.fail-on-findings }}" == "true" && -n "$exit_code" && "$exit_code" != "0" ]]; then
+        else
+          echo "No files to scan found"
+        fi
+
+        if [[ "$INPUTS_FAIL_ON_FINDINGS" == "true" && -n "$exit_code" && "$exit_code" != "0" ]]; then
           exit $exit_code
         fi

.github/workflows/_reusable-security-scan.yaml

@@ -77,15 +77,21 @@ jobs:
           severity-level: ${{ inputs.severity-level }}
           fail-on-findings: ${{ inputs.fail-on-findings }}
       - uses: actions/upload-artifact@v4
-        if: always()
+        if: hashFiles('bandit-report.*') != '' # if any report is available
         with:
           name: bandit-results
-          path: security-results/bandit
+          path: bandit-report.*
           retention-days: 7
+      - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.8
+        if: hashFiles('bandit-report.sarif') != '' # if SARIF is available, upload it
+        with:
+          sarif_file: bandit-report.sarif
 
   semgrep:
     if: contains(inputs.tools, 'semgrep')
     runs-on: ubuntu-latest
+    container:
+      image: returntocorp/semgrep
     steps:
       - uses: actions/checkout@v4
       - name: Run Semgrep scan
@@ -95,11 +101,15 @@ jobs:
           severity: ${{ inputs.severity-level }}
           fail-on-findings: ${{ inputs.fail-on-findings }}
       - uses: actions/upload-artifact@v4
-        if: always()
+        if: hashFiles('security-results/semgrep/*') != '' # if any report is available
         with:
           name: semgrep-results
           path: security-results/semgrep
           retention-days: 7
+      - uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.8
+        if: hashFiles('security-results/semgrep/semgrep-results.sarif') != '' # if SARIF is available, upload it
+        with:
+          sarif_file: security-results/semgrep/semgrep-results.sarif
 
   trivy:
     if: contains(inputs.tools, 'trivy')

.github/workflows/pr.yaml

@@ -83,6 +83,7 @@ jobs:
     needs: [] # No dependencies, can run in parallel
     uses: ./.github/workflows/_reusable-security-scan.yaml
     with:
-      tools: "semgrep" # Security tools to run
+      tools: "semgrep,bandit" # Security tools to run
       scan-scope: "changed" # Only scan changed files
       severity-level: "MEDIUM" # Minimum severity to report
+      fail-on-findings: true # explicitly set

.github/workflows/security-checks.yaml

@@ -93,4 +93,4 @@ jobs:
       tools: ${{ github.event_name == 'schedule' && 'bandit,clamav,semgrep,trivy' || inputs.tools }}
       scan-scope: ${{ github.event_name == 'schedule' && 'all' || inputs.scan-scope }}
       severity-level: ${{ github.event_name == 'schedule' && 'LOW' || inputs.severity-level }}
-      fail-on-findings: true
+      fail-on-findings: false # reports only

pyproject.toml

@@ -282,7 +282,7 @@ follow_imports_for_stubs = true
 # BANDIT CONFIGURATION                                                        #
 [tool.bandit]
 skips = ["B101"]
-
+exclude_dirs = ["tests"]
 
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # PYTEST CONFIGURATION                                                        #