Initial commit

This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions


@@ -0,0 +1,211 @@
# Bandit Configuration File
# Production-ready configuration for Python security scanning
# Directories to exclude from scanning
exclude_dirs:
# Python environments
- /venv/
- /.venv/
- /env/
- /.env/
- /virtualenv/
- /.virtualenv/
- /site-packages/
- /dist-packages/
# Testing and build artifacts
- /tests/
- /test/
- /.pytest_cache/
- /.tox/
- /build/
- /dist/
- /.eggs/
- /*.egg-info/
# Version control and IDE
- /.git/
- /.svn/
- /.hg/
- /.idea/
- /.vscode/
- /__pycache__/
# Node modules and other language dependencies
- /node_modules/
- /vendor/
# Documentation and examples
- /docs/
- /examples/
# Tests to skip (use sparingly and document reasons)
skips:
# B101: Test for use of assert
# Commonly safe in test files and development code
# Consider keeping this enabled for production code
# - B101
# B311: Standard pseudo-random generators
# Only skip if using for non-security purposes (e.g., data generation)
# NEVER skip for security tokens, session IDs, or cryptographic operations
# - B311
# B404-B412: Import checks
# Skip only if you've reviewed and whitelisted specific imports
# - B404 # subprocess import
# - B405 # xml.etree.cElementTree import
# - B406 # xml.etree.ElementTree import
# - B407 # xml.expat import
# - B408 # xml.dom.minidom import
# - B409 # xml.dom.pulldom import
# - B410 # lxml import
# - B411 # xml.sax import
# - B412 # httpoxy
# Specific tests to run (comment out to run all tests)
# Use this to focus on specific security checks
# tests:
# - B201 # Flask app run with debug=True
# - B301 # Pickle usage
# - B302 # Use of insecure MD2, MD4, MD5, or SHA1 hash
# - B303 # Use of insecure MD2, MD4, MD5, or SHA1 hash
# - B304 # Use of insecure cipher mode
# - B305 # Use of insecure cipher mode
# - B306 # Use of mktemp
# - B307 # Use of eval
# - B308 # Use of mark_safe
# - B310 # Audit URL open for permitted schemes
# - B311 # Standard pseudo-random generators
# - B313 # XML bad element tree
# - B314 # XML bad element tree (lxml)
# - B315 # XML bad element tree (expat)
# - B316 # XML bad element tree (sax)
# - B317 # XML bad element tree (expatreader)
# - B318 # XML bad element tree (expatbuilder)
# - B319 # XML bad element tree (xmlrpc)
# - B320 # XML bad element tree (pulldom)
# - B321 # FTP-related functions
# - B323 # Unverified context
# - B324 # Use of insecure hash functions
# - B601 # Paramiko call with shell=True
# - B602 # subprocess call with shell=True
# - B603 # subprocess without shell equals true
# - B604 # Function call with shell=True
# - B605 # Starting a process with a shell
# - B606 # Starting a process without shell
# - B607 # Starting a process with a partial path
# - B608 # Possible SQL injection
# - B609 # Use of wildcard injection
# - B610 # SQL injection via Django raw SQL
# - B611 # SQL injection via Django extra
# - B701 # jinja2 autoescape false
# - B702 # Test for use of mako templates
# - B703 # Django autoescape false
# Plugin configuration
# Customize individual plugin behaviors
# Shell injection plugin configuration
shell_injection:
# Additional commands to check for shell injection
# Default: ['os.system', 'subprocess.call', 'subprocess.Popen']
no_shell:
- os.system
- subprocess.call
- subprocess.Popen
- subprocess.run
# Hard-coded password plugin configuration
hardcoded_tmp_directory:
# Directories considered safe for temporary files
# tmp_dirs:
# - /tmp
# - /var/tmp
# Output configuration (for reference - set via CLI)
# These are applied at runtime, not in config file
# output_format: json
# output_file: bandit-report.json
# verbose: true
# level: LOW # Report severity: LOW, MEDIUM, HIGH
# confidence: LOW # Report confidence: LOW, MEDIUM, HIGH
# Severity and confidence thresholds
# LOW: Report all issues (default)
# MEDIUM: Report MEDIUM and HIGH severity issues only
# HIGH: Report only HIGH severity issues
# Example usage commands:
#
# Basic scan:
# bandit -r . -c .bandit.yaml
#
# Scan with MEDIUM and HIGH severity only:
# bandit -r . -c .bandit.yaml -ll
#
# Scan with HIGH confidence only:
# bandit -r . -c .bandit.yaml -i
#
# Generate JSON report:
# bandit -r . -c .bandit.yaml -f json -o bandit-report.json
#
# Scan with enhanced analyzer script:
# python scripts/bandit_analyzer.py . --config .bandit.yaml --html report.html
# Progressive security hardening approach:
#
# Phase 1 - Baseline scan (all findings):
# bandit -r . -c .bandit.yaml
#
# Phase 2 - Block CRITICAL (HIGH severity + HIGH confidence):
# bandit -r . -c .bandit.yaml -ll -i
#
# Phase 3 - Block HIGH severity:
# bandit -r . -c .bandit.yaml -ll
#
# Phase 4 - Block MEDIUM and above:
# bandit -r . -c .bandit.yaml -l
#
# Phase 5 - Report all findings:
# bandit -r . -c .bandit.yaml
# Integration with CI/CD:
#
# GitHub Actions:
# - name: Run Bandit
# run: |
# pip install bandit
# bandit -r . -c .bandit.yaml -ll -f json -o bandit-report.json
# bandit -r . -c .bandit.yaml -ll || exit 1
#
# GitLab CI:
# bandit:
# image: python:3.11
# script:
# - pip install bandit
# - bandit -r . -c .bandit.yaml -ll
# allow_failure: false
#
# Jenkins:
# stage('Security Scan') {
# steps {
# sh 'pip install bandit'
# sh 'bandit -r . -c .bandit.yaml -ll -f json -o bandit-report.json'
# }
# }
# False positive handling:
#
# Inline suppression (use sparingly and document):
# import pickle # nosec B403 - Internal use only, not exposed to user input
#
# Line-specific suppression:
# result = eval(safe_expression) # nosec B307
#
# Block suppression:
# # nosec
# import xml.etree.ElementTree as ET
#
# NOTE: Always document WHY you're suppressing a finding
# Security team should review all nosec comments during code review
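Review bot: The `no_shell` list under `shell_injection` carries the wrong functions: in Bandit's shell_injection plugin config `no_shell` names the process-spawning calls that do *not* go through a shell (the low-severity B606 check), while `shell` holds `os.system`-style calls and `subprocess` holds the subprocess API (B602/B603), so listing `os.system`, `subprocess.call`, `subprocess.Popen` and `subprocess.run` there reclassifies every such call as a no-shell finding, and the `# Default:` comment above it does not describe Bandit's actual defaults. As far as I recall, a plugin section given in the config file replaces the plugin's generated defaults rather than merging with them, so `shell` and `subprocess` should be spelled out explicitly (including `subprocess.check_call` and `subprocess.check_output`) — please confirm against the installed Bandit version. Separately, `hardcoded_tmp_directory:` with only commented-out children parses as `null`, and its heading comment says "Hard-coded password plugin"; either drop the key or give it an explicit `tmp_dirs:` list, and change the heading to `# Hard-coded temporary directory plugin configuration (B108)`. Finally, the `/*.egg-info/` entry in `exclude_dirs` is treated as a glob against the whole path and only matches a path that itself ends in `.egg-info/`, so unless your paths carry a trailing slash it is probably inert; `*.egg-info` is the form that would match the directory.

```yaml
# … unchanged: exclude_dirs (apart from the egg-info entry) / skips / tests …
shell_injection:
  # Calls that hand the command string to a shell (B605 / B602-style checks)
  shell:
    - os.system
    - os.popen
  # subprocess API; shell=True vs shell=False is decided per call (B602 / B603)
  subprocess:
    - subprocess.call
    - subprocess.Popen
    - subprocess.run
    - subprocess.check_call
    - subprocess.check_output
  # exec/spawn family that never invokes a shell (B606); extend with the
  # remaining os.exec*/os.spawn* names from Bandit's defaults
  no_shell:
    - os.execl
    - os.execv
    - os.execve
    - os.spawnv
    - os.startfile
# Hard-coded temporary directory plugin configuration (B108)
hardcoded_tmp_directory:
  # Directories considered unsafe for hard-coded temporary file paths
  tmp_dirs:
    - /tmp
    - /var/tmp
    - /dev/shm
```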