From ce3d9471311aa1fdb311e17017bb8e8b01a42974 Mon Sep 17 00:00:00 2001
From: Dave Dowding
Date: Tue, 14 Oct 2025 10:42:57 +0100
Subject: [PATCH 1/2] fix: replace broken bandit-action with direct installation

mdegis/bandit-action@v1.0.1 fails with missing pbr dependency. Replace with direct pip installation and CLI execution while maintaining the same security configuration.
---
 .github/workflows/security.yaml | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 5d9e3c9..fdba9e3 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -4,26 +4,28 @@ on:
   workflow_call:
     inputs:
       ENABLE_BANDIT:
-        description: 'Enable the Bandit scanner - useful for Python only'
+        description: "Enable the Bandit scanner - useful for Python only"
         default: true
         type: boolean
 jobs:
   build:
     name: Check for vulnerabilities
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Security check - Bandit
-        uses: mdegis/bandit-action@v1.0.1
+      - name: Set up Python
+        uses: actions/setup-python@v5
         if: ${{ inputs.ENABLE_BANDIT }}
         with:
-          path: "."
-          level: high
-          confidence: high
-          skips: B101
+          python-version: "3.x"
+      - name: Security check - Bandit
+        if: ${{ inputs.ENABLE_BANDIT }}
+        run: | pip install bandit bandit -r . -ll -ii -s B101
 
       - name: Write Trivy config file
         run: |
@@ -42,8 +44,8 @@ jobs:
       - name: Security check - Trivy
         uses: aquasecurity/trivy-action@0.28.0
         with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          severity: 'MEDIUM,CRITICAL,HIGH'
-          exit-code: '1'
-          trivy-config: 'trivy.conf'
+          scan-type: "fs"
+          scan-ref: "."
+          severity: "MEDIUM,CRITICAL,HIGH"
+          exit-code: "1"
+          trivy-config: "trivy.conf"
From 49bcac574406f6b94ace8f565d3ca99d3d493efb Mon Sep 17 00:00:00 2001
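Review bot: `bandit -r . -ll -ii -s B101` in the new "Security check - Bandit" step sets the reporting floor to MEDIUM severity and MEDIUM confidence (bandit's `-l`/`-i` flags count repetitions: one for LOW, two for MEDIUM, three for HIGH), whereas the removed `level: high` / `confidence: high` inputs appear to have asked the action for HIGH only, so this does not "maintain the same security configuration" as the message claims and callers of this `workflow_call` workflow may start failing on medium findings. If equivalence is intended the line should read `bandit -r . -lll -iii -s B101`; if the tighter threshold is deliberate, say so in the commit message instead. `pip install bandit` is also unpinned, so whatever release is current at run time executes in a job that holds the caller's checkout and `GITHUB_TOKEN`; pin an exact version (ideally with `--require-hashes`) and bump it on purpose, as the actions themselves are tagged. Moving `runs-on` from `ubuntu-24.04` to `ubuntu-latest` likewise replaces a fixed image with a floating one and is unrelated to the pbr failure the message describes, so it is worth either justifying or reverting.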
From: Dave Dowding
Date: Thu, 16 Oct 2025 11:55:31 +0100
Subject: [PATCH 2/2] chore: update GitHub Actions to latest versions

---
 .github/workflows/security.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index fdba9e3..dcd3b78 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -13,10 +13,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         if: ${{ inputs.ENABLE_BANDIT }}
         with:
           python-version: "3.x"