42 changes: 25 additions & 17 deletions .pre-commit-config.yaml
@@ -1,18 +1,26 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/jumanjihouse/pre-commit-hooks
rev: 3.0.0
hooks:
- id: shellcheck
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/pylint-dev/pylint
rev: v2.17.2
hooks:
- id: pylint
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/jumanjihouse/pre-commit-hooks
rev: 3.0.0
hooks:
- id: shellcheck
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/pylint-dev/pylint
rev: v2.17.2
hooks:
- id: pylint
- repo: https://github.com/PyCQA/bandit
rev: 1.9.4
hooks:
- id: bandit
name: "Bandit security scan (Python scripts)"
args: ["-r", "--severity-level", "medium", "--confidence-level", "high"]
files: ^scripts/.*\.py$
exclude: ^tests/
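Review bot: the `exclude: ^tests/` pattern on the bandit hook can never match, because `files: ^scripts/.*\.py$` already limits the hook to paths beginning with `scripts/`; drop the `exclude`, or change it to `^scripts/tests/` if the intent is to skip test code under `scripts/`. The hunk also deletes all 17 existing lines and re-adds them unchanged alongside the 8 new bandit lines (25 additions, 17 deletions), which points to a whitespace or indentation change across the whole file; keeping the existing entries byte-identical would make the diff show only the new hook and keep `git blame` intact. Finally, `--confidence-level high` means Bandit drops every finding it is not highly confident about; that is a reasonable noise trade-off for a commit hook, but worth a one-line comment next to the `args` so nobody later assumes the hook reports everything.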
16 changes: 16 additions & 0 deletions README.md
@@ -45,6 +45,22 @@ Please read [README.md](./scripts/README.md)

Please read [README.md](./scripts/README.md)

### Security Scanning

First time setup:
```bash
pip install pre-commit
pre-commit install
```

A Bandit pre-commit hook scans Python scripts for security issues on commit.
It runs automatically via pre-commit (medium severity, high confidence).

To run manually:
```bash
pre-commit run bandit --all-files
```

### Building and Deploying the Cornucopia website

https://cornucopia.owasp.org contains the card browser for each of the cards in the cornucopia suits together with the taxonomy and in depth explaination for each of the cards in the suits.
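Review bot: the new text says the hook "scans Python scripts", but the hook in `.pre-commit-config.yaml` is configured with `files: ^scripts/.*\.py$`, so only Python files under `scripts/` are covered; state that here so contributors do not expect other Python code in the repository to be checked. `pre-commit install` only wires the hook into a developer's local clone and is easily bypassed with `--no-verify`, so this section should also say that CI runs `pre-commit run bandit --all-files` (or the equivalent) if that is what enforces the scan on every change; if CI does not yet do so, that is the gap to close.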
3 changes: 2 additions & 1 deletion scripts/convert.py
@@ -10,6 +10,7 @@
import yaml
import zipfile
import xml.etree.ElementTree as ElTree
from defusedxml import ElementTree as DefusedElTree
from typing import Any, Dict, List, Tuple, cast
from operator import itemgetter
from itertools import groupby
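Review bot: `defusedxml` is a third-party package and no requirements or packaging file is touched in this change set, so make sure it is declared as a dependency; otherwise `convert.py` fails at import time with `ModuleNotFoundError` wherever the scripts run. Keeping `import xml.etree.ElementTree as ElTree` next to it is fine as long as `ElTree` is used only for types such as `ElTree.Element` (as in `_find_xml_elements`) and for building trees, never for parsing input; a short comment on these two imports saying so would stop a future change from quietly reintroducing `ElTree.parse`.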
@@ -1126,7 +1127,7 @@ def _find_xml_elements(tree: Any) -> List[ElTree.Element]:
def replace_text_in_xml_file(filename: str, replacement_values: List[Tuple[str, str]]) -> None:
logging.debug(f" --- starting xml_replace for (unknown)")
try:
tree = ElTree.parse(filename)
tree = DefusedElTree.parse(filename)
except Exception as e:
logging.error(f"Failed to parse XML file (unknown): {e}")
return
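Review bot: the broad `except Exception` around `DefusedElTree.parse` now also catches defusedxml's own rejection exceptions (`DTDForbidden`, `EntitiesForbidden`, `ExternalReferenceForbidden`, all subclasses of `defusedxml.DefusedXmlException`), so a document rejected for carrying a DTD or entity definitions is logged as an ordinary "Failed to parse XML file" and silently skipped. Catch `DefusedXmlException` first and log it at warning or error level with a message that says the file was rejected for unsafe XML constructs, then fall through to the generic handler, so the rejection is distinguishable from a malformed file. Also, as rendered here the debug and error f-strings contain no `{filename}` placeholder, so the log lines never say which file was being processed; include `filename` in both messages.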