Skip to content

Commit 511061c

Browse files
committed
Add bandit security scanning
Run bandit over bitmath/ and tests/ as a dedicated GitHub Actions workflow (push, pull request, weekly) and as part of make ci, so the local build catches the same issues CI does.
1 parent b6e4a24 commit 511061c

4 files changed

Lines changed: 49 additions & 3 deletions

File tree

.github/workflows/bandit.yml

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
---
2+
name: Bandit Security Scan
3+
4+
on:
5+
push:
6+
branches: ["master"]
7+
pull_request:
8+
branches: ["master"]
9+
schedule:
10+
- cron: "0 0 * * 0"
11+
workflow_dispatch:
12+
13+
jobs:
14+
analyze:
15+
runs-on: ubuntu-latest
16+
permissions:
17+
security-events: write
18+
env:
19+
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
20+
steps:
21+
- name: Checkout code
22+
uses: actions/checkout@v6.0.2
23+
24+
- name: Perform Bandit Analysis
25+
uses: PyCQA/bandit-action@v1
26+
with:
27+
targets: "bitmath/ tests/"

CLAUDE.md

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -27,11 +27,14 @@ Phases 1 (maintenance 1.4.0) and 2 (bitmath 2.0.0) are complete. The project:
2727
## Common Commands
2828

2929
```bash
30-
# Run the full test suite with coverage (creates venv, runs pytest + linting)
30+
# Run the full test suite with coverage (creates venv, runs pytest + linting + bandit)
3131
make ci
3232

33+
# Run security scan only
34+
make ci-bandit
35+
3336
# Run linting only
34-
ruff check bitmath/ tests/
37+
make ci-pylint
3538

3639
# Build a wheel
3740
make build
@@ -66,6 +69,14 @@ All unit values are normalized to bits internally; conversion between units happ
6669

6770
**Constants:** `NIST`, `SI`, `NIST_PREFIXES`, `SI_PREFIXES`, `ALL_UNIT_TYPES`
6871

72+
## Versioning
73+
74+
The single source of truth for the version is the `VERSION` file. `pyproject.toml` reads it dynamically via `[tool.hatch.version]` — do not edit the version in `pyproject.toml` directly. The `Makefile` also reads `VERSION` for docs, man pages, and RPM builds. To bump the version, edit `VERSION` only.
75+
76+
## Security Scanning
77+
78+
Bandit runs as part of `make ci` via the `ci-bandit` target, scanning both `bitmath/` and `tests/`. It also runs as a GitHub Actions workflow (`.github/workflows/bandit.yml`) on push/PR to master and weekly. No issues were present as of 2.0.2.
79+
6980
## Testing Notes
7081

7182
- Test runner: `pytest`

Makefile

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -216,5 +216,12 @@ ci-pylint:
216216
@echo "#################################################"
217217
. $(NAME)env3/bin/activate && pylint bitmath/__init__.py
218218

219-
ci: clean uniquetestnames virtualenv ci-list-deps ci-pycodestyle ci-pylint ci-unittests
219+
ci-bandit:
220+
@echo ""
221+
@echo "#############################################"
222+
@echo "# Running Bandit Security Scan in virtualenv"
223+
@echo "#############################################"
224+
. $(NAME)env3/bin/activate && bandit -r -v bitmath/ tests/
225+
226+
ci: clean uniquetestnames virtualenv ci-list-deps ci-pycodestyle ci-pylint ci-bandit ci-unittests
220227
:

requirements.txt

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
bandit
12
pycodestyle
23
pylint
34
pytest

0 commit comments

Comments
 (0)