CycloneDX · jkowalleck · Oct 25, 2023 · Oct 25, 2023
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -98,6 +98,30 @@ jobs:
       - name: Run tox
         run: poetry run tox r -e mypy-${{ matrix.toxenv-factor }} -s false
 
+  security-issues:
+    name: find Security Issues
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Python Environment
+        # see https://github.com/actions/setup-python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
+          architecture: 'x64'
+      - name: Install poetry
+        # see https://github.com/marketplace/actions/setup-poetry
+        uses: Gr1N/setup-poetry@v8
+        with:
+          poetry-version: ${{ env.POETRY_VERSION }}
+      - name: Install dependencies
+        run: poetry install --no-root
+      - name: Run tox
+        run: poetry run tox run -e bandit -s false
+
   build-and-test:
     name: Test (${{ matrix.os }} py${{ matrix.python-version }} ${{ matrix.toxenv-factor }})
     runs-on: ${{ matrix.os }}

diff --git a/bandit.yml b/bandit.yml
@@ -0,0 +1,9 @@
+# https://bandit.readthedocs.io
+# filename must be like this, so codacy can pick it up: https://github.com/codacy/codacy-bandit/blob/master/src/main/scala/codacy/bandit/Bandit.scala#L35C49-L35C59
+
+exclude_dirs:
+  - docs
+  - .venv
+
+skips:
+  - B101
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -61,6 +61,7 @@ flake8-isort = "6.0.0"
 isort = "5.12.0"
 autopep8 = "2.0.4"
 mypy = "1.5.1"
+bandit = "1.7.5"
 tox = "4.11.3"
 # `types-toml` need to stay in sync with version of `toml`
 types-toml = "^0.10.0"

diff --git a/tests/integration/test_can_call_module.py b/tests/integration/test_can_call_module.py
@@ -17,7 +17,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
-import subprocess
+import subprocess  # nosec B404
 import sys
 from unittest import TestCase
 
@@ -31,10 +31,10 @@ def test_callable_as_module(self) -> None:
 
         # Test whether the call passed, is fair enough for now.
         # Additional tests may come later, to check output etc.
-        ran = subprocess.run(
+        ran = subprocess.run(  # nosec B603
             args,
             stdout=subprocess.PIPE, stderr=subprocess.PIPE,
-            shell=False,
+            shell=False
         )
 
         self.assertEqual(0, ran.returncode, msg='subprocess returned unexpected non-zero\n'

diff --git a/tox.ini b/tox.ini
@@ -9,6 +9,7 @@ envlist =
     flake8
     mypy-{locked,lowest}
     py{311,310,39,38}-{locked,lowest}
+    bandit
 skip_missing_interpreters = True
 usedevelop = False
 download = False
@@ -37,3 +38,7 @@ commands =
 skip_install = True
 commands =
     poetry run flake8 cyclonedx_py/ tests/
+
+[testenv:bandit]
+commands =
+    poetry run bandit -c bandit.yml -v -r cyclonedx_py tests