From de4a3d77e3d222968f4e58c9cc3a18b7f4505236 Mon Sep 17 00:00:00 2001
From: Jaden Abrams <96440993+jadenabrams100@users.noreply.github.com>
Date: Fri, 22 Mar 2024 10:23:09 -0400
Subject: [PATCH] bandit: add bandit to GRASS GIS CI (#3515)

---
 .github/workflows/python-code-quality.yml | 21 +++++++++++++++++++++
 pyproject.toml | 5 +++++
 2 files changed, 26 insertions(+)

diff --git a/.github/workflows/python-code-quality.yml b/.github/workflows/python-code-quality.yml
index 7d68a30abe5..35a6f9f77ed 100644
--- a/.github/workflows/python-code-quality.yml
+++ b/.github/workflows/python-code-quality.yml
@@ -32,8 +32,11 @@ jobs:
 black-version: "23.1.0"
 flake8-version: "3.9.2"
 pylint-version: "2.12.2"
+ bandit-version: "1.7.8"
 runs-on: ${{ matrix.os }}
+ permissions:
+ security-events: write
 steps:
 - name: Versions
@@ -44,6 +47,7 @@ jobs:
 echo Black: ${{ matrix.black-version }}
 echo Flake8: ${{ matrix.flake8-version }}
 echo Pylint: ${{ matrix.pylint-version }}
+ echo Bandit: ${{matrix.bandit-version}}
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
@@ -68,6 +72,7 @@ jobs:
 pip install black==${{ matrix.black-version }}
 pip install flake8==${{ matrix.flake8-version }}
 pip install pylint==${{ matrix.pylint-version }} pytest-github-actions-annotate-failures
+ pip install bandit[sarif]==${{matrix.bandit-version}}
 - name: Run Black
 run: |
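Review bot: The new job-level `permissions:` block lists only `security-events: write`, and GitHub resets every scope not named in a partial permissions block to `none`, so this job's GITHUB_TOKEN loses `contents` and `actions` for the checkout and SARIF upload steps. The scopes the job still needs should be spelled out next to the one being added: `permissions:` / `contents: read` / `actions: read` / `security-events: write` — `actions: read` is what upload-sarif documents as required on private repositories and is harmless on a public one. The job definition and any workflow-level `permissions:` start before this hunk, so I cannot see whether the token was already narrowed elsewhere.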
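Review bot: The added `pip install bandit[sarif]==${{matrix.bandit-version}}` line leaves `bandit[sarif]` unquoted, so the shell treats the brackets as a glob before pip sees them; bash only falls back to the literal string when nothing in the checkout matches. Separately, bandit reads a `-c pyproject.toml` config through its `toml` extra (tomli) on interpreters older than 3.11, and this line installs only the `sarif` extra; the matrix Python version is outside this hunk, so I cannot confirm whether the scan step would hit the "toml parser not available" error. Quoting and adding the extra covers both cases and matches the spacing of the neighbouring `${{ matrix.… }}` expressions: `pip install "bandit[sarif,toml]==${{ matrix.bandit-version }}"`.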
@@ -81,6 +86,21 @@ jobs:
 run: |
 flake8 --count --statistics --show-source --jobs=$(nproc) python/grass/{script,jupyter}/testsuite/
+ - name: Bandit Vulnerability Scan
+ run: |
+ bandit -c pyproject.toml -iii -r . -f sarif -o bandit.sarif --exit-zero
+
+ - name: Upload Bandit Scan Results
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+ with:
+ name: bandit.sarif
+ path: bandit.sarif
+
+ - name: Upload SARIF File into Security Tab
+ uses: github/codeql-action/upload-sarif@05963f47d870e2cb19a537396c1f668a348c7d8f # v3.0.0
+ with:
+ sarif_file: bandit.sarif
+
 - name: Create installation directory
 run: |
 mkdir $HOME/install
@@ -149,6 +169,7 @@ jobs:
 name: sphinx-grass
 path: sphinx-grass
 retention-days: 3
+
 python-success:
 name: Python Code Quality Result
 needs:
diff --git a/pyproject.toml b/pyproject.toml
index 555e3b4deff..b59eed0043c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -34,3 +34,8 @@ addopts = """
 --ignore='raster/r.category/test_rcategory_doctest.txt'
 """
 timeout = 300
+
+ [tool.bandit]
+exclude_dirs = ["./testsuite", "*/tests/*", "*/testsuite/*", "utils/test_generate_last_commit_file.py"]
+skips = ["B324","B110", "B101", "B112", "B404"]
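Review bot: The `Upload SARIF File into Security Tab` step will fail on pull requests opened from forks, where GITHUB_TOKEN is read-only and `security-events: write` is never granted; the workflow triggers are outside this hunk so I cannot confirm fork PRs reach this job, but the usual guard is `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository` on that step. Because the job runs once per `matrix.os`, each matrix entry also uploads an artifact literally named `bandit.sarif` — upload-artifact v4 rejects a second upload under an existing name — and each calls upload-sarif without a `category`, so later uploads for the same commit replace earlier ones; if the matrix has more than one entry, use `name: bandit-${{ matrix.os }}.sarif` for the artifact and `category: bandit-${{ matrix.os }}` under the upload-sarif `with:`. Note that `--exit-zero` makes the scan purely advisory: new high-confidence findings populate the Security tab but never fail the job, which is reasonable for a first rollout but worth revisiting once the baseline is clean.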
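Review bot: `skips = ["B324", …]` disables B324 repository-wide, and B324 is bandit's weak-hash check (MD4/MD5/SHA1 via hashlib) — a security-relevant suppression that nobody reading the Security tab later will see, whereas B101/B110/B112/B404 are the usual noise suppressions. If those hashes are only used for non-security purposes, the more auditable fix is per call site (`usedforsecurity=False`, or `# nosec B324` with a reason) rather than a global skip. Either way the list needs a rationale comment above `skips`, e.g. `# B101 assert, B110/B112 try-except-pass/continue, B404 subprocess import: accepted project-wide; B324 weak hashes: TODO review call sites before keeping this skip`; I cannot see the findings that motivated each entry, so that text should come from whoever ran the baseline.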