From 8b6210eedbeefd7836655b7d8479cbcce04e815d Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Fri, 26 Aug 2022 14:12:26 +0000
Subject: [PATCH] Add python static scan task

---
 .github/workflows/checks.yml | 10 ++++++++++
 .github/workflows/daily_checks.yml | 10 ++++++++++
 Makefile | 5 +++++
 3 files changed, 25 insertions(+)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 3c75f23c2..0fefaafbc 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -52,3 +52,13 @@ jobs:
           ignore-vulns: PYSEC-2022-237
       - name: Run npm audit
         run: make npm-audit
+
+  static-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/setup-project
+      - name: Install bandit
+        run: pip install bandit
+      - name: Run scan
+        run: bandit -r app/ --confidence-level medium
diff --git a/.github/workflows/daily_checks.yml b/.github/workflows/daily_checks.yml
index 79e8e4caf..b1fd14fab 100644
--- a/.github/workflows/daily_checks.yml
+++ b/.github/workflows/daily_checks.yml
@@ -42,3 +42,13 @@ jobs:
           ignore-vulns: PYSEC-2022-237
       - name: Run npm audit
         run: make npm-audit
+
+  static-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/setup-project
+      - name: Install bandit
+        run: pip install bandit
+      - name: Run scan
+        run: bandit -r app/ --confidence-level medium
diff --git a/Makefile b/Makefile
index 49070541c..d5e25790a 100644
--- a/Makefile
+++ b/Makefile
@@ -81,6 +81,11 @@ pip-audit:
 .PHONY: audit
 audit: npm-audit pip-audit
 
+.PHONY: static-scan
+static-scan:
+	pip install bandit
+	bandit -r app/
+
 .PHONY: clean
 clean:
 	rm -rf node_modules cache target ${CF_MANIFEST_PATH}
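Review bot: The new `static-scan` job re-implements the scan inline in its last two steps instead of calling the Makefile target, unlike the `Run npm audit` step in the context right above it (`run: make npm-audit`), and the two copies already disagree — CI passes `--confidence-level medium` while the Makefile's `static-scan` target runs plain `bandit -r app/`, so a local run and a CI run will not report the same findings. Consider replacing the `Install bandit` and `Run scan` steps with a single step, `- name: Run static scan` / `run: make static-scan`, once the Makefile carries the intended flags, so the scan is defined in one place. The same inline copy appears in the daily_checks.yml hunk and would take the same change. Whether `setup-project` already pins tool versions for the other jobs is not visible in this hunk.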
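Review bot: The `static-scan` recipe runs `bandit -r app/` without the `--confidence-level medium` that both workflows pass, so `make static-scan` locally can fail on low-confidence findings that CI ignores (or vice versa as the flags drift further); use the same invocation in both places, `bandit -r app/ --confidence-level medium`. `pip install bandit` is also unpinned, so a new bandit release can change the rule set, and with it the target's exit status, without any change in this repository; pin it, e.g. `pip install 'bandit==<PINNED_VERSION>'`, following whatever convention the neighbouring `pip-audit` target uses (its recipe is outside this hunk).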