UNCLASSIFIED - NO CUI

Added bandit to the ironbank-pipeline pipeline and mitigated 2 high severity bandit findings.

Jeffrey Wuebbles requested to merge 841-add-bandit-to-pipeline into master

Description

Issue: https://repo1.dso.mil/ironbank-tools/ironbank-pipeline/-/issues/841

  • Bandit has been added to the ironbank-pipeline pipeline.
  • It exits with 1 if there are any findings.
    • This causes the job to fail, so the bandit job is set to allowed to fail for now while we work on mitigating the findings.
  • There were 2 high findings that were mitigated in this MR.
  • The bandit job also generates a report artifact.
  • The following jobs have been pulled into one stage called "code-check": bandit, format, lint, trufflehog, unit-testing.

Risk

  • Setting autoescape=True may cause issues where these scripts are used.

Rollback Plan

  • Remove autoescape=True from kickoff.py and notifier.py

Testing

  • To run the bandit job locally, run the command make run_bandit.

Closes #841

Edited by Jeffrey Wuebbles
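As an added example of the pipeline change described in this merge request (not the ironbank-pipeline project's own .gitlab-ci.yml), the following GitLab CI fragment shows a bandit job in the code-check stage that fails on any finding, is allowed to fail while findings are mitigated, and keeps the JSON report as an artifact. The image, the pip install step and the scan path are assumptions; the project's make run_bandit target is not reproduced.

```yaml
# Added example; this is not the ironbank-pipeline project's CI configuration.
stages:
  - code-check        # bandit, format, lint, trufflehog and unit-testing share this stage

bandit:
  stage: code-check
  image: python:3.11-slim          # assumption: any image with pip works
  before_script:
    - pip install --no-cache-dir bandit
  script:
    # -r scans the repository tree; -f json -o writes the report that is
    # kept as an artifact. bandit exits 1 when it reports any finding,
    # which is what makes the job fail.
    - bandit -r . -f json -o bandit-report.json
  # Temporary while findings are mitigated: the job shows a warning instead
  # of blocking the pipeline. Remove this line once the scan is clean so
  # that new findings block the merge again.
  allow_failure: true
  artifacts:
    when: always                   # keep the report even when the job fails
    paths:
      - bandit-report.json
    expire_in: 1 week
```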
