[SEC]: Bandit Scan (chroma-core#1113)

## Description of changes

*Summarize the changes made by this PR.*
 - Improvements & Bug fixes
	 - Added bandit scanning for all pushes to repo

## Test plan
*How are these changes tested?*

Manual testing of the workflow

## Documentation Changes
N/A - unless we want to start a separate security section in the main
docs repo.

---------

Co-authored-by: Hammad Bashir <[email protected]>

Author: tazarov

.github/actions/bandit-scan/Dockerfile

@@ -0,0 +1,7 @@
+FROM python:3.10-alpine AS base-action
+
+RUN pip3 install -U setuptools pip bandit
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["sh","/entrypoint.sh"]

.github/actions/bandit-scan/action.yaml

@@ -0,0 +1,26 @@
+name: 'Bandit Scan'
+description: 'This action performs a security vulnerability scan of python code using bandit library.'
+inputs:
+  bandit-config:
+    description: 'Bandit configuration file'
+    required: false
+  input-dir:
+    description: 'Directory to scan'
+    required: false
+    default: '.'
+  format:
+    description: 'Output format (txt, csv, json, xml, yaml). Default: json'
+    required: false
+    default: 'json'
+  output-file:
+    description: "The report file to produce. Make sure to align your format with the file extension to avoid confusion."
+    required: false
+    default: "bandit-scan.json"
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - ${{ inputs.format }}
+    - ${{ inputs.bandit-config }}
+    - ${{ inputs.input-dir }}
+    - ${{ inputs.output-file }}

.github/actions/bandit-scan/entrypoint.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+CFG="-c $2"
+if [ -z "$1" ]; then
+    echo "No path to scan provided"
+    exit 1
+fi
+
+if [ -z "$2" ]; then
+    CFG = ""
+fi
+
+bandit -f "$1" ${CFG} -r "$3" -o "$4"
+exit 0 #we want to ignore the exit code of bandit (for now)

.github/workflows/python-vuln.yaml

@@ -0,0 +1,28 @@
+name: Python Vulnerability Scan
+on:
+  push:
+    branches:
+      - '*'
+      - '*/**'
+    paths:
+      - chromadb/**
+      - clients/python/**
+  workflow_dispatch:
+jobs:
+  bandit-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - uses: ./.github/actions/bandit-scan/
+        with:
+          input-dir: '.'
+          format: 'json'
+          bandit-config: 'bandit.yaml'
+          output-file: 'bandit-report.json'
+      - name: Upload Bandit Report
+        uses: actions/upload-artifact@v3
+        with:
+          name: bandit-artifact
+          path: |
+            bandit-report.json

bandit.yaml

@@ -0,0 +1,4 @@
+# FILE: bandit.yaml
+exclude_dirs: [ 'chromadb/test', 'bin', 'build', 'build', '.git', '.venv', 'venv', 'env','.github','examples','clients/js','.vscode' ]
+tests: [ ]
+skips: [ ]