CI: Add Security Check Using Bandit in CI
Description
Currently, the project does not have a security linter integrated into its CI pipeline. This poses potential risks, as security vulnerabilities in Python code can go undetected. I found many high-severity security issues using Bandit.
Error log: https://github.com/user-attachments/files/16975951/security-issues.log
Resolves two high-severity security issues:
- [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified
- [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected
Fixes #3311
Type of change
- [x] Bug fix (non-breaking change which fixes an issue)
Feature/Issue validation/testing
```console
$ pip install bandit
$ bandit -r . --severity-level high -s B501   # Skip the B501 rule related to SSL certificate validation checks
Working... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:03
Run started:2024-09-12 08:45:39.950729

Test results:
No issues identified.

Code scanned:
Total lines of code: 34920
Total lines skipped (#nosec): 0
Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
Total issues (by severity):
Undefined: 0
Low: 1075
Medium: 222
High: 0
Total issues (by confidence):
Undefined: 0
Low: 200
Medium: 20
High: 1077
Files skipped (0):
```
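The following is an added example, not code from the serve project or from this PR. It shows the two patterns behind the B602 and B605 findings the PR resolves, the injection they allow when a filename carries a shell metacharacter, and the argv-list form that both removes the hole and clears the Bandit finding without a `# nosec` annotation. The `echo` command, the hostile filename `HOSTILE_NAME` and the function names are assumptions made for the demonstration, which assumes a POSIX shell.

```python
"""Added illustration of Bandit B602 (subprocess with shell=True) and B605
(os.system / start_process_with_a_shell) next to the hardened form.
Example code, not code from the serve project; the echo command and the
hostile filename are constructed for the demonstration and assume a POSIX sh.
"""
import os
import shlex
import subprocess

# Constructed attacker-controlled value: a "filename" that smuggles a second
# command after a shell metacharacter.
HOSTILE_NAME = "model.mar; echo INJECTED"


def shell_string_for(filename: str) -> str:
    """The pattern Bandit reports at HIGH severity: untrusted input interpolated
    into a single command string that will be handed to /bin/sh."""
    return f"echo {filename}"


def run_vulnerable_b602(filename: str) -> str:
    """B602: shell=True passes the whole string to the shell, so the ';' in the
    filename terminates the echo and starts a second command."""
    proc = subprocess.run(shell_string_for(filename), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_vulnerable_b605(filename: str) -> int:
    """B605: os.system always goes through a shell, so it has the same hole.
    Output goes straight to the process stdout; only the exit status returns."""
    return os.system(shell_string_for(filename))


def run_hardened(filename: str) -> str:
    """The fix: an argv list with shell=False (the default). Each element reaches
    execve() as one argument, so ';' is just a byte inside a filename. This is
    also the form that makes the Bandit finding go away without '# nosec'."""
    proc = subprocess.run(["echo", filename], capture_output=True, text=True)
    return proc.stdout


def run_quoted(filename: str) -> str:
    """When a shell is genuinely required (pipes, globbing), shlex.quote()
    neutralises the metacharacters. Bandit checks statically and still reports
    shell=True here, so prefer run_hardened() wherever an argv list will do."""
    proc = subprocess.run(f"echo {shlex.quote(filename)}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def injection_succeeded(output: str) -> bool:
    """True if the smuggled second command produced its own marker line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("B602 injected:    ", injection_succeeded(run_vulnerable_b602(HOSTILE_NAME)))
    print("hardened injected:", injection_succeeded(run_hardened(HOSTILE_NAME)))
    print("quoted injected:  ", injection_succeeded(run_quoted(HOSTILE_NAME)))
```

Run with `python3 example.py`: the shell=True call prints `model.mar` and then `INJECTED` on its own line, while the argv-list and `shlex.quote` variants echo the whole hostile string as a single argument. The argv list is the change that makes `bandit -r . --severity-level high` stop reporting these call sites; quoting only fixes the behaviour, not the static finding.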