CI: Add Bandit security check to lint workflow

- Integrate Bandit to scan for security issues in the codebase. - Configure Bandit to fail the workflow if any high-severity issues are found. e.g.: ```bash >> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue. Severity: High Confidence: High CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) More Info: https://bandit.readthedocs.io/en/1.7.9/plugins/b605_start_process_with_a_shell.html Location: ./binaries/build.py:52:30 51 if not args.dry_run: 52 build_exit_code = os.system(cur_wheel_cmd) 53 # If any one of the steps fail, exit with error ``` Fixes: #3311 Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
pytorch · Sep 19, 2024 · 5ec4f88 · 5ec4f88
1 parent e212294
commit 5ec4f88
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -109,3 +109,22 @@ jobs:
         run: |
           echo "Please fix the misspellings. If you are sure about some of them, "
           echo "so append those to ts_scripts/spellcheck_conf/wordlist.txt"
+
+  security-check:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Setup Python 3.9
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.9
+          architecture: x64
+      - name: Checkout TorchServe
+        uses: actions/checkout@v3
+      - name: Install Bandit
+        run: |
+          python -m pip install --upgrade pip
+          pip install bandit
+      - name: Run bandit
+        run: |
+          # Skip the B501 rule related to SSL certificate validation checks
+          bandit -r . --severity-level high -s B501