482dbcac29
This change adds a zuul check job to export any templated python contained in the helm charts and scan it with bandit for any potential security flaws. This also adds two nosec comments on the instances of subprocess used as they currently do not appear to be malicious, as well as changing the endpoint_update python code to prevent sql injection, which satisfies bandit code B608. Change-Id: I2212d26514c3510353d16a4592893dd2e85cb369
29 lines
773 B
YAML
- hosts: all
name: openstack-helm-bandit
tasks:
- name: Install Required Packages and Setup Host
shell: |
set -xe;
./tools/deployment/common/install-packages.sh
./tools/deployment/common/deploy-k8s.sh
sudo -H pip install yq bandit
environment:
zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
args:
chdir: "{{ zuul.project.src_dir }}"
- name: Template out python files
shell: |
set -xe;
make all
mkdir -p python-files
./tools/gate/files/template-python.sh
args:
chdir: "{{ zuul.project.src_dir }}"
- name: Run bandit against python files
shell: bandit -r ./python-files
args:
chdir: "{{ zuul.project.src_dir }}"
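Review bot: The scanner install in the first task is unpinned and runs as root (`sudo -H pip install yq bandit`), so the gate's verdict depends on whatever PyPI serves that day and a new bandit release can change the findings, or the installed code itself, without any change to this repository. Pin both packages, e.g. `sudo -H pip install 'yq==<pinned-version>' 'bandit==<pinned-version>'` (placeholder versions), and consider installing into a virtualenv or with `--user` rather than the system Python. The `zuul_site_mirror_fqdn` environment variable is exported to the shell, but nothing in the visible commands points pip at that mirror, so it may not be doing anything here; worth confirming against install-packages.sh, which is outside this file. `bandit -r ./python-files` with no severity or confidence threshold will fail the job on every low-severity finding; if that is intended, a comment on the task saying so (`# fail the gate on any finding; raise with -ll/-ii if this proves too noisy`) would help future maintainers.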