Update security-scan.yml#74

Merged
ben-AI-cybersec merged 1 commit intoRedback-Operations:mainfrom
jd-deakin:patch-1
Sep 17, 2025

Conversation

@jd-deakin (Contributor):

Updated to new scanner version as tested on other repos
@jd-deakin jd-deakin requested review from a team as code owners September 17, 2025 08:50
@ben-AI-cybersec (Member) left a comment:

Rock solid

@ben-AI-cybersec ben-AI-cybersec merged commit dbd7ea6 into Redback-Operations:main Sep 17, 2025
1 check passed
@github-actions commented:

🔒 Security Scan Results
=========================

Bandit Scan Results:
-------------------
Run started:2025-09-17 08:50:54.045418

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./CVE-Hunter T1_2025/hunter.py:1:0
1	import subprocess
2	import socket
3	import requests

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./CVE-Hunter T1_2025/hunter.py:9:17
8	    try:
9	        output = subprocess.check_output(command_list, stderr=subprocess.DEVNULL)
10	        return output.decode().strip()

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript.py:7:0
6	import sys
7	import subprocess
8	from datetime import datetime

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript.py:49:8
48	    try:
49	        subprocess.run(rsync_command, check=True)
50	        with open(last_snapshot_record, 'w') as f:

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b607_start_process_with_partial_path.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript.py:64:12
63	        try:
64	            subprocess.run(["rm", "-rf", oldest_snapshot_path], check=True)
65	            print(f"Deleted oldest snapshot: {oldest_snapshot_path}")

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript.py:64:12
63	        try:
64	            subprocess.run(["rm", "-rf", oldest_snapshot_path], check=True)
65	            print(f"Deleted oldest snapshot: {oldest_snapshot_path}")

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript_v2.py:8:0
7	import shutil
8	import subprocess
9	from datetime import datetime

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript_v2.py:62:8
61	    try:
62	        subprocess.run(rsync_command, check=True)
63	        with open(last_snapshot_record, 'w') as f:

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b607_start_process_with_partial_path.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript_v2.py:75:12
74	        try:
75	            subprocess.run(["rm", "-rf", oldest_snapshot_path], check=True)
76	            print(f"Deleted oldest snapshot: {oldest_snapshot_path}")

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/Backupscript_v2.py:75:12
74	        try:
75	            subprocess.run(["rm", "-rf", oldest_snapshot_path], check=True)
76	            print(f"Deleted oldest snapshot: {oldest_snapshot_path}")

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'Vumo3117'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b105_hardcoded_password_string.html
   Location: ./T1_2025/infra/backups/bak/controller/cron-scripts/email_notify.py:8:22
7	    sender_email = '[email protected]'  # Your email address
8	    sender_password = 'Vumo3117'  # App password if using Gmail with 2FA
9	

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: ./T2_2024/advanced_security_scan.py:7:0
6	from bandit.core import manager as bandit_manager
7	import subprocess
8	

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b607_start_process_with_partial_path.html
   Location: ./T2_2024/advanced_security_scan.py:98:17
97	        logging.info("Running Semgrep analysis...")
98	        result = subprocess.run(['semgrep', '--config', 'auto', self.file_path], capture_output=True, text=True)
99	        if result.returncode != 0:

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: ./T2_2024/advanced_security_scan.py:98:17
97	        logging.info("Running Semgrep analysis...")
98	        result = subprocess.run(['semgrep', '--config', 'auto', self.file_path], capture_output=True, text=True)
99	        if result.returncode != 0:

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'django-insecure-p+o(#sfioy$e*&gh_uw7dhoi8swlc0@xc3uu^$qikr80w)*z9d'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b105_hardcoded_password_string.html
   Location: ./T3 2023/Environment Backend/backend_server/settings.py:23:13
22	# SECURITY WARNING: keep the secret key used in production secret!
23	SECRET_KEY = 'django-insecure-p+o(#sfioy$e*&gh_uw7dhoi8swlc0@xc3uu^$qikr80w)*z9d'
24	

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b608_hardcoded_sql_expressions.html
   Location: ./T3 2024/adaptive iam/Azure function/function_app.py:42:16
41	        # Fetch user data from the database
42	        query = f"SELECT * FROM c WHERE c.email = '{email}'"
43	        users = list(users_container.query_items(query=query, enable_cross_partition_query=True))

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b608_hardcoded_sql_expressions.html
   Location: ./T3 2024/adaptive iam/Azure function/function_app.py:65:22
64	        # Fetch roles
65	        roles_query = f"SELECT * FROM c WHERE c.id IN ('{','.join(user['roles'])}')"
66	        roles = list(roles_container.query_items(query=roles_query, enable_cross_partition_query=True))

--------------------------------------------------
>> Issue: [B113:request_without_timeout] Call to requests without timeout
   Severity: Medium   Confidence: Low
   CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html)
   More Info: https://bandit.readthedocs.io/en/1.8.6/plugins/b113_request_without_timeout.html
   Location: ./T3 2024/adaptive iam/app.py:139:19
138	        url = request.form['url']
139	        response = requests.get(url)
140	        if response.status_code == 200:

--------------------------------------------------

Code scanned:
	Total lines of code: 1573
	Total lines skipped (#nosec): 1
	Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 2

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 15
		Medium: 3
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 3
		Medium: 2
		High: 13
Files skipped (1):
	./T1_2025/infra/backups/bak/controller/backend/v1.0.0/endpoints/register.py (syntax error while parsing AST from file)

No critical security issues detected.

The code has passed all critical security checks.
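The B603/B607 findings above in Backupscript.py and Backupscript_v2.py are all the same two patterns: `subprocess.run(rsync_command, check=True)` with a bare `rsync`, and `subprocess.run(["rm", "-rf", oldest_snapshot_path], check=True)`. Bandit cannot tell whether `oldest_snapshot_path` is trustworthy, which is why both are Low/High rather than anything louder. The block below is an added example, not the project's scripts: it resolves executables to absolute paths once, builds the rsync argv without a shell, refuses to delete anything that does not resolve to a proper subdirectory of the snapshot root, and runs a child with a fixed minimal environment (the kind cron gives you). The snapshot tree it operates on is constructed in a temporary directory and rsync itself is never executed.

```python
"""Hardened replacements for the subprocess patterns Bandit flagged (B603,
B607) in the backup cron scripts. Added example, not the project's own
Backupscript.py; the snapshot tree is constructed data and rsync is not run."""
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def resolve_executable(name: str) -> str:
    """Replace a bare program name (B607 'partial path') with an absolute path.

    cron jobs often run with a minimal or surprising PATH; resolving once and
    failing loudly beats running whatever 'rsync' is first on PATH at call time.
    """
    found = shutil.which(name)
    if found is None:
        raise FileNotFoundError(f"{name!r} not found on PATH")
    return os.path.realpath(found)


def build_rsync_argv(rsync: str, source: Path, dest: Path,
                     link_dest: Optional[Path] = None) -> List[str]:
    """Build an argv list for rsync. No shell is involved, so the remaining
    risk is a path that looks like an option; '--' ends option parsing."""
    argv = [rsync, "-a", "--delete"]
    if link_dest is not None:
        argv.append(f"--link-dest={link_dest}")
    argv += ["--", f"{source}/", f"{dest}/"]
    return argv


def run_argv(argv: List[str]) -> str:
    """Run an absolute-path argv with a fixed environment and no shell; this is
    the shape B603 asks you to confirm by hand. Returns stripped stdout."""
    if not os.path.isabs(argv[0]):
        raise ValueError("argv[0] must be an absolute path")
    result = subprocess.run(argv, check=True, capture_output=True, text=True,
                            env={"PATH": "/usr/bin:/bin", "LANG": "C"})
    return result.stdout.strip()


def delete_snapshot(snapshot_root: Path, snapshot: Path) -> Path:
    """Replace `rm -rf <path>` with shutil.rmtree, but only after proving the
    target resolves to a proper subdirectory of snapshot_root. A name that
    resolves elsewhere (symlink, '..', the root itself) is refused."""
    root = snapshot_root.resolve()
    target = snapshot.resolve()
    if target == root or root not in target.parents:
        raise ValueError(f"refusing to delete {target}: not inside {root}")
    shutil.rmtree(target)
    return target


def demo() -> Dict[str, object]:
    """Exercise the helpers on a constructed snapshot tree (POSIX assumed)."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "snapshots"
        oldest, newest = root / "2025-09-10", root / "2025-09-17"
        for snap in (oldest, newest):
            (snap / "etc").mkdir(parents=True)
            (snap / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        outside = Path(tmp) / "not-a-snapshot"
        outside.mkdir()
        # a symlink inside the root that points outside it
        (root / "2025-09-01").symlink_to(outside, target_is_directory=True)

        out["removed"] = delete_snapshot(root, oldest).name
        out["oldest_gone"] = not oldest.exists()
        out["newest_kept"] = newest.exists()
        rejected = 0
        for bad in (outside, root, root / "2025-09-01", root / ".."):
            try:
                delete_snapshot(root, bad)
            except ValueError:
                rejected += 1
        out["rejected"] = rejected
        out["outside_still_exists"] = outside.exists()
        out["argv"] = build_rsync_argv("/usr/bin/rsync", Path("/etc"), newest)
    out["stdout"] = run_argv([sys.executable, "-c", "print('ok')"])
    try:
        resolve_executable("no-such-tool-xyz")
        out["missing_tool_raises"] = False
    except FileNotFoundError:
        out["missing_tool_raises"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The containment check is the part that matters: `rm -rf` with a computed path is only as safe as the code that computed it, and `Path.resolve()` plus a `parents` test makes that assumption explicit instead of implicit.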

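Two points a practitioner would take from the Medium findings before accepting "no critical security issues": Bandit's severity is the plugin's fixed rating, not a triage, and the summary line reflects the workflow's threshold. The Gmail app password in email_notify.py and the Django SECRET_KEY in settings.py are Low only in Bandit's taxonomy; both are now in repository history and in this comment, so rotating them is the fix, not just deleting the lines. register.py was skipped for a syntax error, so it was not scanned at all. The block below is an added example, not the project's function_app.py or app.py. It shows the flagged Cosmos DB f-string query beside the parameterised form that `azure.cosmos` `ContainerProxy.query_items(query=..., parameters=...)` accepts (the SDK is not imported, so the example runs offline), and a bounded `requests.get` for the B113 finding. Note that the original `roles_query` joins the id list into one quoted literal, so `IN ('a,b')` matches a single id `a,b` rather than either; an array parameter with `ARRAY_CONTAINS` fixes both that and the injection. The same two lines in app.py take the URL from a form field, which deserves its own review beyond the missing timeout; the helper at least restricts the scheme and does not follow redirects. The injection payload and the fake HTTP getter are constructed for the demo.

```python
"""Parameterised Cosmos DB queries (B608) and bounded outbound HTTP (B113).
Added example, not the project's code. Query helpers return the
(query, parameters) pair that azure.cosmos query_items() accepts; requests is
imported only when no getter is injected, so the demo runs offline."""
from typing import Any, Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Params = List[Dict[str, Any]]

# constructed payload: closes the quoted literal and appends a tautology
INJECTION_SAMPLE = "nobody@example.com' OR 1=1 OR c.email = '"


def query_by_email_unsafe(email: str) -> str:
    """The flagged pattern: the value becomes part of the query text."""
    return f"SELECT * FROM c WHERE c.email = '{email}'"


def query_by_email(email: str) -> Tuple[str, Params]:
    """Cosmos SQL takes @-named parameters; the query text is constant and the
    value travels separately, so quotes inside it are just characters."""
    return ("SELECT * FROM c WHERE c.email = @email",
            [{"name": "@email", "value": email}])


def query_roles(role_ids: List[str]) -> Tuple[str, Params]:
    """Pass the whole id list as one array parameter instead of joining it
    into a single quoted literal (which matched nothing useful and was
    injectable)."""
    return ("SELECT * FROM c WHERE ARRAY_CONTAINS(@ids, c.id)",
            [{"name": "@ids", "value": list(role_ids)}])


def fetch(url: str, get: Optional[Callable[..., Any]] = None,
          timeout: Tuple[float, float] = (3.05, 10.0)) -> Any:
    """requests.get(url) with no timeout can park a worker indefinitely on a
    slow host; timeout is (connect, read) seconds. The URL in the original
    came from a form field, so refuse anything but http(s) and do not follow
    redirects silently."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"refusing to fetch {url!r}")
    if get is None:
        import requests  # real client only when nothing is injected
        get = requests.get
    return get(url, timeout=timeout, allow_redirects=False)


def demo() -> Dict[str, Any]:
    """Run the helpers against constructed inputs and a fake getter."""
    calls: List[Dict[str, Any]] = []

    def fake_get(url: str, **kwargs: Any) -> str:  # stands in for requests.get
        calls.append({"url": url, **kwargs})
        return "200 OK"

    out: Dict[str, Any] = {
        "unsafe": query_by_email_unsafe(INJECTION_SAMPLE),
        "safe": query_by_email(INJECTION_SAMPLE),
        "roles": query_roles(["admin", "backup-operator"]),
        "fetched": fetch("https://example.com/health", get=fake_get),
        "call": calls[0],
    }
    try:
        fetch("file:///etc/passwd", get=fake_get)
        out["file_rejected"] = False
    except ValueError:
        out["file_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the unsafe query text carrying `OR 1=1` while the parameterised query text is unchanged and the payload sits inert in the parameter value.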