vllm
[CI/Build]: Add Bandit security check to workflow
Currently, the project does not have a security linter integrated into its CI pipeline. This poses potential risks, as security vulnerabilities in Python code can go undetected. I found many high-severity security issues using Bandit.
- Integrate Bandit to scan for security issues in the codebase.
- Configure Bandit to fail the workflow if any high-severity issues are found.
e.g.:
$ bandit -r . --severity-level high
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.10.12
Working... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:12
Run started:2024-09-11 04:37:49.395569
Test results:
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.9/plugins/b602_subprocess_popen_with_shell_equals_true.html
Location: ./collect_env.py:95:8
94 stderr=subprocess.PIPE,
95 shell=shell)
96 raw_output, raw_err = p.communicate()
97 rc = p.returncode
98 if get_platform() == 'win32':
99 enc = 'oem'
--------------------------------------------------
Code scanned:
Total lines of code: 135058
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 3887
Medium: 33
High: 1
Total issues (by confidence):
Undefined: 0
Low: 20
Medium: 28
High: 3873
Files skipped (0):
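One way to implement the "fail the workflow on high-severity findings" step described above is to have Bandit emit a JSON report and gate on it in a small script, which also lets the threshold on confidence be chosen explicitly (the B602 hit above is High/High, while most of the 3887 Low findings are noise for a CI gate). The script below is an added example, not code from the vLLM repository or from Bandit itself. It assumes Bandit's `-f json` report layout (a top-level `results` list whose entries carry `issue_severity`, `issue_confidence`, `test_id`, `filename` and `line_number`), and the embedded sample report is constructed to mirror the finding quoted in the issue.

```python
"""Gate a Bandit JSON report in CI: exit non-zero when findings at or above a
chosen severity and confidence remain.

Intended CI invocation (the second command is this script):

    bandit -r . -f json -o bandit.json --exit-zero
    python bandit_gate.py bandit.json

`--exit-zero` keeps Bandit itself from failing the job so that this script,
not Bandit's default "any finding" rule, decides the outcome.
"""
import json
import sys
from collections import Counter

# Bandit's severity and confidence scale, ordered so thresholds can be compared.
LEVELS = {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report (not real scan output). The first entry mirrors the
# B602 finding quoted in the issue; only the fields the gate reads are present.
SAMPLE_REPORT = {
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "./collect_env.py", "line_number": 95,
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "./tests/test_sample.py", "line_number": 12,
         "issue_text": "Use of assert detected."},
        {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "filename": "./vllm/sample.py", "line_number": 40,
         "issue_text": "Possible SQL injection vector through string-based query construction."},
    ]
}


def _level(value):
    """Map a severity/confidence string to its rank; unknown strings rank lowest."""
    return LEVELS.get(str(value).upper(), 0)


def blocking_findings(report, min_severity="HIGH", min_confidence="MEDIUM"):
    """Return the findings that meet both thresholds and should fail the build."""
    sev, conf = LEVELS[min_severity.upper()], LEVELS[min_confidence.upper()]
    return [
        r for r in report.get("results", [])
        if _level(r.get("issue_severity")) >= sev
        and _level(r.get("issue_confidence")) >= conf
    ]


def severity_counts(report):
    """Count findings per severity, like the 'Total issues (by severity)' summary."""
    return Counter(str(r.get("issue_severity", "UNDEFINED")).upper()
                   for r in report.get("results", []))


def gate(report, min_severity="HIGH", min_confidence="MEDIUM"):
    """Return (exit_code, report_lines). exit_code is 1 when any finding blocks."""
    blocking = blocking_findings(report, min_severity, min_confidence)
    counts = severity_counts(report)
    lines = ["Bandit findings by severity: " +
             ", ".join(f"{k}={counts.get(k, 0)}" for k in ("HIGH", "MEDIUM", "LOW"))]
    for r in blocking:
        lines.append(f"BLOCKING {r.get('test_id')} {r.get('issue_severity')}/"
                     f"{r.get('issue_confidence')} {r.get('filename')}:"
                     f"{r.get('line_number')} {r.get('issue_text', '')}")
    lines.append("FAIL" if blocking else "PASS")
    return (1 if blocking else 0), lines


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT  # run without arguments to see the demo output
    code, lines = gate(report)
    print("\n".join(lines))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the script with no argument uses the constructed sample and exits 1 because of the B602 entry; tightening or loosening the gate is a matter of the two threshold arguments (for example `gate(report, "MEDIUM", "LOW")` would also block the B608 entry). A finding that has been reviewed and accepted is better suppressed at its source with a `# nosec` comment, which Bandit counts in the "Total lines skipped (#nosec)" line of its summary, than by lowering the threshold for everyone.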
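For the one High finding Bandit reports above (B602, `shell=True` in `collect_env.py`), the usual remediation is to pass the command as an argument list with `shell=False`, so no element is ever parsed as shell syntax. The helper below is an added example illustrating that pattern; it is not vLLM's `collect_env.py`, `run_command` is a hypothetical name, and the command it runs is constructed for the demo (it just invokes the current Python interpreter).

```python
"""Remediation pattern for Bandit B602 / CWE-78: invoke subprocesses with an
argument list and shell=False instead of a command string and shell=True.
"""
import subprocess
import sys


def run_command(argv, timeout=30):
    """Run argv without a shell and return (returncode, stdout, stderr).

    Because argv is a list, each element reaches the child as one literal
    argument; characters such as ';', '|' or '$(...)' inside an element are
    never interpreted, which is exactly the property shell=True gives up.
    """
    if isinstance(argv, str):
        # A string with shell=False would be treated as a single program name,
        # so refuse it outright rather than silently misbehave.
        raise TypeError("pass the command as a list of arguments, not a string")
    p = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                       shell=False, timeout=timeout, check=False)
    # Decode leniently; collect_env-style tools run on many platforms and
    # tool output is not guaranteed to be valid UTF-8.
    return (p.returncode,
            p.stdout.decode(errors="replace").strip(),
            p.stderr.decode(errors="replace").strip())


def demo():
    """Show that an argument containing shell metacharacters stays one argument."""
    tricky = "hello; echo injected"  # constructed input with shell metacharacters
    rc, out, _err = run_command(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", tricky])
    return rc, out


if __name__ == "__main__":
    print(demo())
```

The demo prints `(0, 'hello; echo injected')`: the whole string arrives as `sys.argv[1]` of the child, whereas under `shell=True` the same text would have been split at the `;` by the shell. If a caller genuinely needs a shell feature such as a pipeline, the safer route is to express it with two `subprocess` calls connected by their stdout/stdin rather than to reintroduce `shell=True`.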