Bandit Security Scan with Docker CI

Uploaded by abouzawbaahack

Lab 11: Bandit + Docker + GitHub Actions

1/ Lab layout
Hightech_IAST/
├── app/
│   └── [Link]
├── [Link]
├── .bandit
├── Dockerfile
├── [Link]
├── .github/
│   └── workflows/
│       └── [Link]
2) Example vulnerable application: app/[Link]
# app/[Link]
import os
import subprocess
from flask import Flask, request

app = Flask(__name__)


@app.route("/exec")
def exec_cmd():
    # VULN: command injection via the query parameter (user input reaches a shell)
    cmd = request.args.get("cmd", "echo hello")
    subprocess.run(cmd, shell=True)
    return "done\n"


@app.route("/read-file")
def read_file():
    # VULN: path traversal possible (the file name is joined without any check)
    filename = request.args.get("f", "[Link]")
    with open(os.path.join("data", filename), "r") as fh:
        return fh.read(), 200
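The two handlers above, rewritten defensively, as an added example that is not part of the lab's code. It uses only the standard library so it runs without Flask; the Flask views would simply call these helpers. `ALLOWED_COMMANDS`, `build_command`, `run_command`, `safe_data_path`, `read_data_file` and `demo` are this example's own names, and the data directory it reads from is a temporary one it creates itself.

```python
# Added hardening example (not part of the original lab code). Stdlib only.
import subprocess
import sys
import tempfile
from pathlib import Path

# /exec fix: the client chooses a command *name*; the argv list is fixed server-side
# and executed without a shell, so ";", "&&" or "$(...)" in the input are never
# interpreted. Both entries are assumptions for this example.
ALLOWED_COMMANDS = {
    "hello": ["echo", "hello"],
    "pyversion": [sys.executable, "-c", "import sys; print(sys.version_info[0])"],
}


def build_command(name: str) -> list:
    """Return a copy of the fixed argv for an allow-listed name, else raise ValueError."""
    if name not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {name!r}")
    return list(ALLOWED_COMMANDS[name])


def run_command(name: str) -> str:
    """Run the allow-listed command (no shell=True) and return its stdout."""
    argv = build_command(name)
    # Bandit still reports B603 (subprocess without shell) at LOW severity here;
    # the argv is constant, so the finding is documented and accepted with # nosec.
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)  # nosec B603
    return proc.stdout


# /read-file fix: resolve the requested name inside the data directory and refuse
# anything that ends up outside it (".." segments, absolute paths, symlinks).
def safe_data_path(filename: str, base: Path) -> Path:
    base = base.resolve()
    candidate = (base / filename).resolve()
    # base must be a strict ancestor: "" and "." (the directory itself) are refused too
    if base not in candidate.parents:
        raise ValueError(f"path escapes data directory: {filename!r}")
    return candidate


def read_data_file(filename: str, base: Path) -> str:
    path = safe_data_path(filename, base)
    if not path.is_file():
        raise FileNotFoundError(filename)
    return path.read_text()


def demo() -> dict:
    """Exercise the helpers on a constructed layout: data/ok.txt inside, secret.txt outside."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data = root / "data"
        data.mkdir()
        (data / "ok.txt").write_text("hello data\n")
        (root / "secret.txt").write_text("should never be readable\n")
        results["ok"] = read_data_file("ok.txt", data)
        for attempt in ("../secret.txt", "/etc/passwd", "data/../../secret.txt", ""):
            try:
                read_data_file(attempt, data)
                results[attempt] = "ALLOWED"
            except ValueError:
                results[attempt] = "rejected"
    try:
        build_command("hello; rm -rf /")
        results["injection"] = "ALLOWED"
    except ValueError:
        results["injection"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
    print(run_command("pyversion").strip())
```

Running the same Bandit command from the lab (`bandit -r app -ll`) over this version no longer reports B602 (shell=True); the remaining B603 finding on the fixed argv is LOW severity and is filtered out by `-ll`, which is exactly the kind of accepted finding a `# nosec` comment should document.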
3) requirements.txt
Flask==2.3.2
4) Dockerfile — runtime image for the app
# Dockerfile - runtime
FROM python:3.11-slim

WORKDIR /app

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY app ./app

ENV FLASK_APP=[Link]
EXPOSE 5000

CMD ["python", "-m", "flask", "run", "--host=0.0.0.0"]


6) [Link] — dedicated Bandit scan image (reproducible in CI)
# [Link] - image for running Bandit
FROM python:3.11-slim
WORKDIR /scan
# Install bandit (and optionally other tools)
RUN pip install --no-cache-dir bandit

# Copy the source code to be analysed
COPY . /scan

# By default, run bandit on the app directory
CMD ["bandit", "-r", "app", "-f", "txt", "-o", "/scan/bandit_report.txt", "-ll"]
7) GitHub Actions: .github/workflows/[Link]
name: Security CI (Bandit)
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  # === approach 1: run Bandit directly in the Action
  bandit-direct:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.11"

      - name: Install Bandit
        run: python -m pip install --upgrade pip && pip install bandit

      - name: Run Bandit (fail on HIGH)
        # -r recurse into app/; -ll report only MEDIUM and HIGH findings
        # (-l / -ll / -lll set the minimum severity, not a logging level)
        run: |
          bandit -r app -f json -o [Link] -ll || true
          # Optional: fail the job if any HIGH issues were detected
          if grep -q '"issue_severity": "HIGH"' [Link]; then
            echo "::error ::Bandit detected HIGH severity issues. Failing job."
            cat [Link]
            exit 1
          fi
        shell: bash

      - name: Upload Bandit report
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: [Link]

  # === approach 2: run Bandit through the dedicated Docker image
  bandit-docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build scan image
        run: docker build -f [Link] -t scan-bandit:latest .

      - name: Run scan container
        run: docker run --rm -v ${{ github.workspace }}:/scan scan-bandit:latest

      - name: Upload report from workspace
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: bandit_report.txt
Notes:
• bandit-direct writes [Link] and fails if a HIGH severity issue is found (an example policy).
• bandit-docker illustrates reproducibility through a dedicated scan image.
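The HIGH-severity policy of the bandit-direct job, implemented as a small gate script instead of the `grep`: this is an added example, not part of the lab's workflow. It parses Bandit's JSON report, counts findings per severity, lists the blocking ones as GitHub Actions error annotations (the `::error ::` form the workflow already uses) and exits non-zero when the threshold is met. It goes slightly beyond the page's policy in that the threshold is a parameter (MEDIUM or HIGH). `SAMPLE_REPORT` is a constructed document in Bandit's JSON shape (the `results` list with `issue_severity`, `test_id`, `filename`, `line_number`, `issue_text` keys), not real scanner output, and the script path used in the usage note is an assumption.

```python
# Added example (not part of the original workflow): a Bandit JSON severity gate.
import json
import sys

SEVERITY_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample in Bandit's output shape (two findings, one HIGH and one LOW).
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "results": [
        {
            "filename": "app/example.py",  # constructed path
            "line_number": 11,
            "test_id": "B602",
            "issue_severity": "HIGH",
            "issue_confidence": "HIGH",
            "issue_text": "subprocess call with shell=True identified, security issue.",
        },
        {
            "filename": "app/example.py",
            "line_number": 3,
            "test_id": "B404",
            "issue_severity": "LOW",
            "issue_confidence": "HIGH",
            "issue_text": "Consider possible security implications associated with the subprocess module.",
        },
    ],
})


def load_sample() -> dict:
    return json.loads(SAMPLE_REPORT)


def count_by_severity(report: dict) -> dict:
    """Count findings per severity; unknown labels are kept so nothing is silently dropped."""
    counts = {"LOW": 0, "MEDIUM": 0, "HIGH": 0}
    for finding in report.get("results", []):
        sev = finding.get("issue_severity", "UNKNOWN")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def blocking_findings(report: dict, threshold: str = "HIGH") -> list:
    """Return the findings at or above `threshold` (LOW < MEDIUM < HIGH)."""
    limit = SEVERITY_ORDER[threshold]
    return [
        f for f in report.get("results", [])
        if SEVERITY_ORDER.get(f.get("issue_severity"), -1) >= limit
    ]


def gate_passes(report: dict, threshold: str = "HIGH") -> bool:
    return not blocking_findings(report, threshold)


def describe(finding: dict) -> str:
    return "{}:{} {} [{}] {}".format(
        finding.get("filename", "?"), finding.get("line_number", "?"),
        finding.get("test_id", "?"), finding.get("issue_severity", "?"),
        finding.get("issue_text", ""),
    )


def main(argv) -> int:
    # usage: bandit_gate.py <report.json> [LOW|MEDIUM|HIGH]; with no arguments the sample is used
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    if len(argv) > 1:
        with open(argv[1], "r", encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = load_sample()
    print("findings by severity:", count_by_severity(report))
    blocking = blocking_findings(report, threshold)
    for finding in blocking:
        print("::error ::" + describe(finding))  # GitHub Actions annotation, as in the workflow
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the workflow, the `if grep ...` block of the "Run Bandit (fail on HIGH)" step would become `python scripts/bandit_gate.py <report> HIGH` (path assumed) after the `bandit ... || true` line. Note that the `|| true` matters in both jobs: Bandit itself exits non-zero when it reports findings, so in the bandit-docker job the `docker run` step fails before the report is uploaded unless the upload step runs `if: always()` or the scan command's exit status is handled the same way.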
8) Minimal README (instructions for students)
# Lab: Bandit + Docker + GitHub Actions
1. Run the app (optional):
   python -m venv .venv
   source .venv/bin/activate
   pip install -r requirements.txt
   python -m flask run
2. Run Bandit locally:
   pip install bandit
   bandit -r app -ll
3. Run the scan container:
   docker build -f [Link] -t scan-bandit .
   docker run --rm -v $(pwd):/scan scan-bandit
   cat bandit_report.txt