Skip to content

Merge branch 'devel' #280

Merge branch 'devel'

Merge branch 'devel' #280

Workflow file for this run

name: Codescanner
on:
push:
branches:
- 'master'
- 'devel'
- 'min-devel'
- 'min'
- 'code-scanner_wf'
jobs:
bandit:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Bandit Scan
uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
with: # optional arguments
# exit with 0, even with results found
exit_zero: true # optional, default is DEFAULT
# Github token of the repository (automatically created by Github)
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
# File or directory to run bandit on
# path: # optional, default is .
# Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
# level: # optional, default is UNDEFINED
# Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
# confidence: # optional, default is UNDEFINED
# comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
# excluded_paths: # optional, default is DEFAULT
# comma-separated list of test IDs to skip
# skips: # optional, default is DEFAULT
# path to a .bandit file that supplies command line arguments
# ini_path: # optional, default is DEFAULT
codecov:
name: Codecov Analysis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@master
with:
python-version: 3.9
- name: Install components
run: |
sudo DEBIAN_FRONTEND="noninteractive" apt-get install --no-install-recommends -y \
libkrb5-dev \
python3-gssapi \
- name: Generate coverage report
run: |
python -m pip install --upgrade pip
pip install lxml beautifulsoup4 html5lib
pip install pytest
pip install pytest-cov impacket
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
pytest --cov=./ --cov-report=xml
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
with:
token: ${{ secrets.CODECOV_TOKEN }}
file: ./coverage.xml
flags: unittests
sonarcloud:
name: SonarCloud Analysis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.x'
- name: Install components
run: |
sudo DEBIAN_FRONTEND="noninteractive" apt-get install --no-install-recommends -y \
libkrb5-dev \
python3-gssapi \
- name: Install pytest coverage and any other packages
run: |
python -m pip install --upgrade pip
pip install pytest coverage impacket
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
- name: run coverage
run: |
pip install pytest-cov
pytest --cov=./ --cov-report=xml
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
# If this run was triggered by a pull request event, then checkout
# the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: github.event_name == 'pull_request'
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: python
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
#- run: |
# make bootstrap
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
# ossarscan:
# name: OSSAR-Scan
# # OSSAR runs on windows-latest.
# # ubuntu-latest and macos-latest support coming soon
# runs-on: windows-latest
# steps:
# # Checkout your code repository to scan
# - name: Checkout repository
# uses: actions/checkout@v4
# with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
# fetch-depth: 2
# # If this run was triggered by a pull request event, then checkout
# # the head of the pull request instead of the merge commit.
# - run: git checkout HEAD^2
# if: ${{ github.event_name == 'pull_request' }}
# # Ensure a compatible version of dotnet is installed.
# # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
# # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
# # Remote agents already have a compatible version of dotnet installed and this step may be skipped.
# # For local agents, ensure dotnet version 3.1.201 or later is installed by including this action:
# # - name: Install .NET
# # uses: actions/setup-dotnet@v1
# # with:
# # dotnet-version: '3.1.x'
# # Run open source static analysis tools
# - name: Run OSSAR
# uses: github/ossar-action@v1
# id: ossar
# # Upload results to the Security tab
# - name: Upload OSSAR results
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: ${{ steps.ossar.outputs.sarifFile }}