feat: Add bandit ci pipeline (#1200)

* feat: Add bandit ci pipeline * feat: add useforsecurty false for bandit pipeline * feat: Add report only for High severity issues
2025-12-15 20:08:29 +00:00 · 2024-08-15 18:19:57 -03:00
parent 92a77e5cac
commit d0707fac91
5 changed files with 29 additions and 3 deletions
--- a/.github/workflows/security-checker.yml
+++ b/.github/workflows/security-checker.yml
@@ -0,0 +1,23 @@
+name: Security Checker
+
+on: [pull_request]
+
+jobs:
+  security-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.11.9"
+
+      - name: Install dependencies
+        run: pip install bandit
+
+      - name: Run Bandit
+        run: bandit -c pyproject.toml -r src/ -lll
+
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -62,6 +62,9 @@ ignore_missing_imports = true
 disable_error_code = 'import-untyped'
 exclude = ["cli/templates"]

+[tool.bandit]
+exclude_dirs = ["src/crewai/cli/templates"]
+
 [build-system]
 requires = ["poetry-core"]
 build-backend = "poetry.core.masonry.api"
--- a/src/crewai/agents/agent_builder/base_agent.py
+++ b/src/crewai/agents/agent_builder/base_agent.py
@@ -170,7 +170,7 @@ class BaseAgent(ABC, BaseModel):
    @property
    def key(self):
        source = [self.role, self.goal, self.backstory]
-        return md5("|".join(source).encode()).hexdigest()
+        return md5("|".join(source).encode(), usedforsecurity=False).hexdigest()

    @abstractmethod
    def execute_task(
--- a/src/crewai/crew.py
+++ b/src/crewai/crew.py
@@ -363,7 +363,7 @@ class Crew(BaseModel):
        source = [agent.key for agent in self.agents] + [
            task.key for task in self.tasks
        ]
-        return md5("|".join(source).encode()).hexdigest()
+        return md5("|".join(source).encode(), usedforsecurity=False).hexdigest()

    def _setup_from_config(self):
        assert self.config is not None, "Config should not be None."
--- a/src/crewai/task.py
+++ b/src/crewai/task.py
@@ -185,7 +185,7 @@ class Task(BaseModel):
        expected_output = self._original_expected_output or self.expected_output
        source = [description, expected_output]

-        return md5("|".join(source).encode()).hexdigest()
+        return md5("|".join(source).encode(), usedforsecurity=False).hexdigest()

    def execute_async(
        self,