It will soon be possible (the functionality is currently in beta) to integrate the results from third party static code analysis tools with GitHub repositories. You could for example continuously run Bandit on Python projects, and let the tool create security issues in your project automatically.
This can be done by uploading the results from the scanner in the SARIF format, using a special GitHub action. For Bandit, we can utilise a separate formatter package to have the results formatted in this way.
Install Bandit and the formatter with pip:
$ pip install bandit bandit-sarif-formatter
Run Bandit, and save the results in SARIF format:
$ bandit -r . --format sarif --output results.sarif
Upload the results to GitHub (this makes the results available in the GitHub UI):
- name: Upload SARIF file
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: results.sarif
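
Once the scanner writes SARIF, the same file can also drive a local CI gate. The script below is an added example (not from the post, Bandit, or the formatter package) that reads a SARIF 2.1.0 document, flattens every result into file/line/rule tuples and fails when a blocked severity level is present; the embedded report is constructed by hand, with Bandit test ids as rule ids, and its level values are assumed rather than taken from the formatter.

```python
import json
from collections import Counter

# Added example (not from the post or Bandit): read the SARIF file Bandit wrote
# and decide whether a CI job should fail. The document below is constructed by
# hand but follows the SARIF 2.1.0 layout (runs -> results -> locations)
# that upload-sarif consumes; the rule ids are Bandit test ids.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Bandit"}},
        "results": [
            {"ruleId": "B602", "level": "error",
             "message": {"text": "subprocess call with shell=True"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/run.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "B101", "level": "note",
             "message": {"text": "Use of assert detected"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/test_app.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def findings(sarif_text):
    """Flatten every result across all runs into (level, ruleId, uri, line)."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((
                res.get("level", "warning"),  # SARIF's default level
                res.get("ruleId", "?"),
                loc.get("artifactLocation", {}).get("uri", "?"),
                loc.get("region", {}).get("startLine", 0),
            ))
    return out


def gate(sarif_text, fail_on=("error",)):
    """Return (counts per level, should_fail); fail if any blocked level occurs."""
    counts = Counter(level for level, *_ in findings(sarif_text))
    return counts, any(counts[lvl] > 0 for lvl in fail_on)
```

Pointing `gate()` at the `results.sarif` produced above lets a job block merges on findings at chosen levels while the upload step still surfaces everything in the GitHub UI.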

That’s all there is to it. The integration seems pretty well done, and I do expect more static security scanners to add support for SARIF formatting moving forward.