From 5d3bd4106de1f42bd5450d78a6b56e86d5228053 Mon Sep 17 00:00:00 2001 From: Pymetheus Date: Tue, 16 Jun 2026 20:06:36 +0200 Subject: [PATCH] ci: allow Snyk errors; use Bandit pyproject config Make CI resilient to Snyk code test failures by adding continue-on-error: true to the Snyk step so the workflow won't fail on Snyk issues. Also update the Bandit invocation to load configuration from pyproject.toml (-c pyproject.toml) when generating the JSON report. --- .github/workflows/security.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 1a8b8fb..c4d619d 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -56,6 +56,7 @@ jobs: run: snyk code test --sarif > snyk-code.sarif env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + continue-on-error: true - name: Upload SARIF as build artifact uses: actions/upload-artifact@v7 @@ -98,7 +99,7 @@ jobs: uv sync - name: Run Bandit security linter - run: uv run bandit -r src/ -f json -o bandit-report.json + run: uv run bandit -r src/ -c pyproject.toml -f json -o bandit-report.json - name: Upload Bandit results if: always()