
Add report formatter for Github Actions annotations

Open benjuade opened this issue 5 months ago • 5 comments

Is your feature request related to a problem? Please describe. It may be useful to have a simple formatter compatible with Github Actions, in order to use it for CI jobs.

Describe the solution you'd like The CLI should return text formatted in a way that is compatible with Github Actions annotations for workflows: https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-commands#about-workflow-commands

This is an example from pylint

************* Module src.MyClass
::warning file=app/src/MyClass.py,line=22,endline=22,col=8,title=W1203::Use lazy % formatting in logging functions

Describe alternatives you've considered The official Github Action requires Advanced Security, which is a paid add-on even for paying teams with private repositories.

The custom formatter is not suitable, because the Github Actions annotations require a multiline structure.

Additional context Pylint has a dedicated output formatter for Github actions: https://pylint.pycqa.org/en/latest/user_guide/usage/output.html (--output-format=github).

Love this idea? Give it a 👍. We prioritize fulfilling features with the most 👍.

benjuade avatar Sep 16 '25 13:09 benjuade

SARIF (specific JSON schema) is the format of choice for GitHub and Bandit does support it.

https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning

ericwb avatar Sep 16 '25 13:09 ericwb

> SARIF (specific JSON schema) is the format of choice for GitHub and Bandit does support it.
>
> https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning

Code scanning that reads SARIF files is available for the following repository types, as I've written above:

- Public repositories on GitHub.com
- Organization-owned repositories on GitHub Team with [GitHub Code Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) enabled

benjuade avatar Sep 16 '25 14:09 benjuade

Maybe the custom formatter https://bandit.readthedocs.io/en/latest/formatters/custom.html may be suitable, but it's not documented how to define it and which variables are available ({abspath} is not useful).

benjuade avatar Sep 16 '25 14:09 benjuade

https://github.com/dorny/test-reporter can be used.

Paebbels avatar Sep 25 '25 11:09 Paebbels

> https://github.com/dorny/test-reporter can be used.

Too complex. I was able to solve it in this way, but I think that it would be little effort to include the proper format into bandit:

      - name: Run bandit
        # Bandit custom formatter https://bandit.readthedocs.io/en/latest/formatters/custom.html uses a different severity level than GHA workflow annotations https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-commands
        run: |
          # disable errexit so bandit's non-zero exit does not abort the step before the annotations are printed
          set +e
          out=$(poetry run bandit -c pyproject.toml -r ./app -f custom --msg-template "::{severity} file={relpath},line={line},endline=,col={col},title={test_id}::{msg}. Confidence {confidence}. Range {range}")
          exit_code=$?
          # map Bandit severities onto GHA annotation levels; quote the here-string so the output is passed through unchanged
          sed 's/::LOW/::notice/;s/::MEDIUM/::warning/;s/::HIGH/::error/;s/::UNDEFINED/::notice/' <<< "${out}"
          # propagate bandit's own exit status so the job still fails on findings
          exit ${exit_code}

This creates annotations like this, without any external dependency: [screenshot of the resulting annotations]

benjuade avatar Sep 25 '25 12:09 benjuade
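The sed approach above leaves `endline` empty and does not escape `%`, newlines or `::` in the finding text, which the workflow-command syntax requires. As an added example (not Bandit project code and not from any commenter), the script below converts the JSON written by `bandit -f json` into annotation commands with the severity mapping, end line from `line_range`, and the documented escaping; the sample report is constructed, and the JSON keys assumed are those Bandit's JSON formatter emits (`filename`, `line_number`, `col_offset`, `line_range`, `issue_severity`, `issue_confidence`, `test_id`, `issue_text`).

```python
import json

# Bandit severity -> GitHub annotation level; UNDEFINED or unknown values fall back to notice
LEVELS = {"LOW": "notice", "MEDIUM": "warning", "HIGH": "error"}


def escape_message(text: str) -> str:
    # '%' is escaped first so the later replacements are not double-encoded
    return text.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def escape_property(text: str) -> str:
    # property values additionally escape ':' and ',' which delimit the command
    return escape_message(text).replace(":", "%3A").replace(",", "%2C")


def annotation(result: dict) -> str:
    """Build one '::level file=..,line=..::message' line from a Bandit result."""
    level = LEVELS.get(str(result.get("issue_severity", "")).upper(), "notice")
    line_range = result.get("line_range") or [result["line_number"]]
    props = {
        "file": result["filename"].removeprefix("./"),
        "line": result["line_number"],
        "endline": max(line_range),
        # Bandit's col_offset is zero-based; GitHub documents 'col' as starting at 1
        "col": int(result.get("col_offset", 0)) + 1,
        "title": result["test_id"],
    }
    prop_str = ",".join(f"{k}={escape_property(str(v))}" for k, v in props.items())
    msg = f"{result['issue_text']} Confidence {result['issue_confidence']}."
    return f"::{level} {prop_str}::{escape_message(msg)}"


def bandit_json_to_annotations(report_json: str) -> list[str]:
    return [annotation(r) for r in json.loads(report_json).get("results", [])]


# Constructed sample in the shape Bandit emits; not output of a real scan
SAMPLE = json.dumps({"results": [
    {"filename": "./app/src/MyClass.py", "line_number": 22, "col_offset": 7,
     "line_range": [22, 23], "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
     "test_id": "B608", "issue_text": "Possible SQL injection vector: 100% \"raw\"."},
    {"filename": "./app/x.py", "line_number": 5, "col_offset": 0, "line_range": [5],
     "issue_severity": "LOW", "issue_confidence": "MEDIUM", "test_id": "B101",
     "issue_text": "Use of assert detected."},
]})

if __name__ == "__main__":
    # in a workflow step: bandit -f json -o report.json ...; then print these lines to stdout
    print("\n".join(bandit_json_to_annotations(SAMPLE)))
```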