Enable Bandit security scan (#5402)

- enables Bandit security scan in github actions - makes Bandit run a part of the linting target in CMake Signed-off-by: Janusz Lisiecki <[email protected]>
NVIDIA · Apr 11, 2024 · 8378c4e · 8378c4e
1 parent c46dabc
commit 8378c4e
Show file tree

Hide file tree

Showing 38 changed files with 522 additions and 99 deletions.
diff --git a/.githooks/pre-push b/.githooks/pre-push
@@ -34,8 +34,8 @@ do
         file_list_arg="$file_list_arg $fname"
     done
 
-    echo "Performing linter check: python tools/lint.py . --nproc=5 --file-list $file_list_arg"
-    python tools/lint.py . --nproc=5 --file-list $file_list_arg || exit 1
+    echo "Performing linter check: python internal_tools/lint.py . --nproc=5 --file-list $file_list_arg"
+    python internal_tools/lint.py . --nproc=5 --file-list $file_list_arg || exit 1
     echo "OK"
 done
 

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -6,7 +6,8 @@ on:
 
 # TODO(klecki): Deduplicate this list of directories with `lint.cmake` file
 env:
-  PYTHON_LINT_PATHS: "./dali ./docs ./tools ./dali_tf_plugin ./qa"
+  PYTHON_SECURITY_LINT_PATHS: "./tools ./dali/python ./dali_tf_plugin"
+  PYTHON_LINT_PATHS: "./dali ./docs ./internal_tools ./qa"
   AUTOGRAPH_LINT_PATHS: "./dali/python/nvidia/dali/_autograph ./dali/test/python/autograph/"
 
 jobs:
@@ -17,15 +18,16 @@ jobs:
       - uses: actions/setup-python@v4
         with:
           python-version: '3.10'
-      - run: pip install  flake8 "black[jupyter]"==24.2.0
-      - run: black --check --verbose ${{ env.PYTHON_LINT_PATHS }} ${{ env.AUTOGRAPH_LINT_PATHS }}
-      - run: flake8 --config=.flake8 ${{ env.PYTHON_LINT_PATHS }}
+      - run: pip install  flake8 bandit "black[jupyter]"==24.2.0
+      - run: black --check --verbose ${{ env.PYTHON_SECURITY_LINT_PATHS }} ${{ env.PYTHON_LINT_PATHS }} ${{ env.AUTOGRAPH_LINT_PATHS }}
+      - run: flake8 --config=.flake8 ${{ env.PYTHON_SECURITY_LINT_PATHS }} ${{ env.PYTHON_LINT_PATHS }}
       - run: flake8 --config=.flake8.ag ${{ env.AUTOGRAPH_LINT_PATHS }}
+      - run: bandit --config bandit.yml -r ${{ env.PYTHON_SECURITY_LINT_PATHS }}
   cpp:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v4
         with:
           python-version: '3.10'
-      - run: python ./tools/lint.py . --nproc=5
+      - run: python ./internal_tools/lint.py . --nproc=5