File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -92,10 +92,13 @@ On push feature/* or schedule:
9292 scan on image + SBOM, SARIF upload to GitHub Security), and
9393 ` container-structure-tests ` . All three must pass before a release job runs.
9494
95- 7 . ** Bandit uses project ` .bandit ` config**
96- — Bandit is invoked as ` bandit -r middleware/ -c .bandit -ll ` , delegating
97- all severity and exclusion configuration to the ` .bandit ` file checked into
98- the repository. This keeps CI and local development behaviour consistent.
95+ 7 . ** Bandit uses project ` .bandit ` config; pass/fail driven by JSON report**
96+ — Bandit runs as ` bandit -r middleware/ -c .bandit -f json ` , capturing all
97+ findings regardless of severity. A post-processing step prints every finding
98+ (including LOW) for visibility, then exits non-zero only when MEDIUM or HIGH
99+ findings are present. This keeps exclusion and threshold configuration in the
100+ ` .bandit ` file and avoids the ` -ll ` flag, which would suppress LOW findings
101+ entirely and contradict the requirement to log them.
99102
1001038 . ** CodeQL config excludes ` dev_environment/ ` **
101104 — A ` .github/codeql/codeql-config.yml ` file instructs CodeQL to skip the
Original file line number Diff line number Diff line change @@ -73,7 +73,7 @@ All code must pass:
7373- ` uv run ruff check middleware/ ` — linting
7474- ` uv run mypy middleware/ ` — static type checking
7575- ` uv run pylint middleware/ ` — style and code smells
76- - ` uv run bandit -r middleware/ -c .bandit -ll ` — security
76+ - ` uv run bandit -r middleware/ -c .bandit ` — security (low findings logged, medium/high fail)
7777
7878** Suppression comments** (` # noqa ` , ` # type: ignore ` , ` # pylint: disable ` ) are
7979a last resort. A real fix is always preferred.
You can’t perform that action at this time.
0 commit comments