Added CodeQL and Bandit security checks as GitHub Actions (#3625)

* Added CodeQL and Bandit security checks as GitHub Actions * Nit fix on defusedxml.ElementTree * Remove defusedxml as hard requirement * Changed diffusedxml/xml importing * Fix compilation * Removed Bandit specific changes Co-authored-by: Nikita Shulga <nikita.shulga@gmail.com> Co-authored-by: Nicolas Hug <nicolashug@fb.com> Co-authored-by: Francisco Massa <fvsmassa@gmail.com>

Added CodeQL and Bandit security checks as GitHub Actions (#3625)
* Added CodeQL and Bandit security checks as GitHub Actions * Nit fix on defusedxml.ElementTree * Remove defusedxml as hard requirement * Changed diffusedxml/xml importing * Fix compilation * Removed Bandit specific changes Co-authored-by: Nikita Shulga <nikita.shulga@gmail.com> Co-authored-by: Nicolas Hug <nicolashug@fb.com> Co-authored-by: Francisco Massa <fvsmassa@gmail.com>
9e5edbd5 · Mustafa Bal · GitHub · d9ec5511 · 9e5edbd5 · 9e5edbd5
Unverified Commit 9e5edbd5 authored Apr 07, 2021 by Mustafa Bal Committed by GitHub Apr 07, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 66 additions and 0 deletions

.github/workflows/bandit.yml .github/workflows/bandit.yml +23 -0

.github/workflows/codeql.yml .github/workflows/codeql.yml +43 -0

No files found.
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
+# GitHub Actions Bandit Workflow
+name: Bandit
+on:
+  pull_request:
+    branches: [ master ]
+  workflow_dispatch:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      # Task will fail if any high-severity issues are found
+      # Ignoring submodules
+      - name: Run Bandit Security Analysis
+        run: |
+              python -m pip install bandit
+              python -m bandit -r . -x ./third_party -lll
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
+# GitHub Actions CodeQL Workflow
+name: CodeQL
+on:
+  pull_request:
+    branches: [ master ]
+  workflow_dispatch:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: python, cpp
+      - name: Install Ninja
+        run: |
+              sudo apt-get update -y
+              sudo apt-get install -y ninja-build
+      - name: Update submodules
+        run: git submodule update --init --recursive
+      - name: Install Torch
+        run: |
+              python -m pip install cmake
+              python -m pip install torch==1.8.1+cpu -f https://download.pytorch.org/whl/torch_stable.html
+              sudo ln -s /usr/bin/ninja /usr/bin/ninja-build
+      - name: Build TorchVision
+        run: python setup.py develop --user
+      # If any code scanning alerts are found, they will be under Security -> CodeQL
+      # Link: https://github.com/pytorch/vision/security/code-scanning
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1