-
Notifications
You must be signed in to change notification settings - Fork 863
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CI: Add Security Check Using Bandit in CI #3312
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally LGTM, thank you for this contribution! Just blocking this to work out potential quirks, run some tests and coordinate with release cycle
print("Could not generate gRPC client stubs") | ||
sys.exit(1) | ||
|
||
cmd = "python -m pytest -v ./ --ignore=sanity" | ||
pytest_cmd = ["python", "-m", "pytest", "-v", "./", "--ignore=sanity"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This command is not running in REPO_ROOT/test/pytest/ which might break some tests. Not 100% sure if all of of them are resilient to that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but I haven’t changed the execution logic. So, if it worked before, it should be fine now.
c1d296d
to
47a194a
Compare
Thanks for your review @mreso. I have addressed all your comments. PTAL thanks. |
47a194a
to
187ed53
Compare
Just rebased to pick up the latest changes. |
kindly ping @mreso |
- Integrate Bandit to scan for security issues in the codebase. - Configure Bandit to fail the workflow if any high-severity issues are found. e.g.: ```bash >> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue. Severity: High Confidence: High CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) More Info: https://bandit.readthedocs.io/en/1.7.9/plugins/b605_start_process_with_a_shell.html Location: ./binaries/build.py:52:30 51 if not args.dry_run: 52 build_exit_code = os.system(cur_wheel_cmd) 53 # If any one of the steps fail, exit with error ``` Fixes: pytorch#3311 Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
…=True - Issue: Fixed [B602:subprocess_popen_with_shell_equals_true] identified by Bandit, which flagged the use of `subprocess.Popen` with `shell=True` as a high-severity security risk (CWE-78: OS Command Injection). - Ensures that the command is executed more securely without exposing it to shell injection vulnerabilities. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
…hell - Issue: Fixed [B605:start_process_with_a_shell] identified by Bandit, which flagged starting a process with a shell as a high-severity security risk (CWE-78: OS Command Injection). - Replaced os.system call with a safer alternative to prevent shell injection vulnerabilities. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
3f88489
to
a7e7d6e
Compare
Just rebased to pick up the latest changes. |
Description
Currently, the project does not have a security linter integrated into its CI pipeline. This poses potential risks as security vulnerabilities in Python code can go undetected. I found many high security issues using Bandit
error log: https://github.com/user-attachments/files/16975951/security-issues.log
Resolve two high security issues:
Fixes #3311
Type of change
Feature/Issue validation/testing