Fix bandit syntax in gh workflow #13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: User Management API CI/CD Pipeline | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| env: | |
| COMPONENT: users-api | |
| POSTGRES_HOST: postgres | |
| jobs: | |
| lint-and-test: | |
| runs-on: ubuntu-latest | |
| services: | |
| # Label used to access the service container | |
| postgres: | |
| # Docker Hub image | |
| image: postgres | |
| # Provide the password for postgres | |
| env: | |
| POSTGRES_PASSWORD: password | |
| POSTGRES_DB: userdb | |
| # Set health checks to wait until postgres has started | |
| options: >- | |
| --health-cmd pg_isready | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| ports: | |
| # Maps tcp port 5432 on service container to the host | |
| - 5432:5432 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.9' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install flake8 pylint black bandit bandit[sarif] nose | |
| pip install -r requirements.txt | |
| - name: Run Black code formatter | |
| run: black --check . | |
| - name: Lint with flake8 | |
| run: | | |
| # stop the build if there are Python syntax errors or undefined names | |
| flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics | |
| # exit-zero treats all errors as warnings | |
| flake8 . --count --exit-zero --max-complexity=10 --max-line-length=120 --statistics | |
| - name: Run Pylint | |
| run: pylint **/*.py || true # Allow non-zero exit to not fail the workflow | |
| - name: Run Tests | |
| run: python -m nose tests.py | |
| env: | |
| # The hostname used to communicate with the PostgreSQL service container | |
| POSTGRES_HOST: localhost | |
| # The default PostgreSQL port | |
| POSTGRES_PORT: 5432 | |
| - name: Run Bandit security scanner | |
| run: bandit -r. -f sarif -o bandit-report.sarif | |
| - name: Upload Bandit scan results to Github Code Scanning | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: bandit-report.sarif | |
| docker-build: | |
| needs: lint-and-test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| load: true | |
| tags: ${COMPONENT}:latest | |
| # Optional: Deploy to container registry | |
| # Uncomment and configure as needed | |
| # deploy: | |
| # needs: [lint-and-test, docker-build-and-scan, security-scan] | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - name: Login to Docker Hub | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| # password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # - name: Push to Docker Hub | |
| # uses: docker/build-push-action@v5 | |
| # with: | |
| # push: true | |
| # tags: yourusername/user-management-api:latest | |