
Commit

CI: Add Bandit security check to lint workflow
- Integrate Bandit to scan for security issues in the codebase.
- Configure Bandit to fail the workflow if any high-severity issues are found.

e.g.:

```bash
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.9/plugins/b605_start_process_with_a_shell.html
   Location: ./binaries/build.py:52:30
51	        if not args.dry_run:
52	            build_exit_code = os.system(cur_wheel_cmd)
53	            # If any one of the steps fail, exit with error
```

Fixes: pytorch#3311

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
ChengyuZhu6 committed Sep 19, 2024
1 parent e212294 commit 5ec4f88
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions .github/workflows/lint.yml
Expand Up @@ -109,3 +109,22 @@ jobs:
run: |
echo "Please fix the misspellings. If you are sure about some of them, "
echo "so append those to ts_scripts/spellcheck_conf/wordlist.txt"
security-check:
runs-on: ubuntu-20.04
steps:
- name: Setup Python 3.9
uses: actions/setup-python@v5
with:
python-version: 3.9
architecture: x64
- name: Checkout TorchServe
uses: actions/checkout@v3
- name: Install Bandit
run: |
python -m pip install --upgrade pip
pip install bandit
- name: Run bandit
run: |
# Skip the B501 rule related to SSL certificate validation checks
bandit -r . --severity-level high -s B501
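Review bot: In the "Run bandit" step, `-s B501` disables the certificate-validation check for the whole tree scanned by `bandit -r .`, so any code added later that turns off certificate validation will pass this job unnoticed. Consider dropping the global skip and marking the already reviewed call sites with `# nosec B501` and a one-line justification, so the exemption stays visible next to the code it covers. Separately, `pip install bandit` in the "Install Bandit" step is unpinned, so a new Bandit release can change which findings are rated High and flip this gate without any change to the repository; pin a version, for example the 1.7.9 that the sample output in the commit message links to.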
