Bandit

[oliver-sanders]

built on #4343

Add the Bandit static security analyser to GH actions.

[oliver-sanders]

☝️

[datamel]

Maybe it would be worth adding ZAP (https://www.zaproxy.org/) to the UI for dynamic OWASP analysis? From the looks of things its a little bit of an effort to get setup but I could check it out next training day if it would be helpful.

[kinow]

Maybe it would be worth adding ZAP (https://www.zaproxy.org/) to the UI for dynamic OWASP analysis? From the looks of things its a little bit of an effort to get setup but I could check it out next training day if it would be helpful.

I used it with Jenkins, we had it enabled for a Java project at NIWA for a while. Works well, but requires devs to create the tests and update when necessary, but it was ~4 years ago so things might be simpler (there might even exist a GH actions out there?). I'm keen to use it if others want it too.

[oliver-sanders]

Yeah, create a cylc-ui/uis issue for it.

It might be possible to automate ZAP tests with Cypress which would make the process less manual (although it looks very fiddly at the moment).

[datamel]

Yeah, create a cylc-ui/uis issue for it.

It might be possible to automate ZAP tests with Cypress which would make the process less manual (although it looks very fiddly at the moment).

Will do, I know the implementation of it is not necessarily a quick job but possibly worth the time investment. I'll raise an issue.

[oliver-sanders]

Rebased, note the flake8 tests will fail.

[hjoliver]

Seems to be some genuine functional test failures.

[oliver-sanders]

Found a rogue quote in an SQL statement, fixed and rebased, 🤞.

[oliver-sanders]

Only running bandit on Python 3.7 because of PyCQA/bandit#658

[datamel]

Nice to have. Thanks @oliver-sanders.
I have read the code and checked out the branch, bandit is running smoothly locally and remotely.