pre-commit: Integrate bandit

Co-Authored-By: Stephen Finucane <sfinucan@redhat.com>
Change-Id: I8ce1724bb1f7eab88204d350616bf59d910ea57d
This commit is contained in:
Takashi Kajinami 2024-02-02 01:55:23 +09:00
parent 9744fe5734
commit 1a7af1289b
3 changed files with 11 additions and 16 deletions

View File

@ -23,3 +23,12 @@ repos:
hooks:
- id: hacking
additional_dependencies: []
- repo: https://github.com/PyCQA/bandit
rev: 1.7.6
hooks:
- id: bandit
# B105-B107: hardcoded password checks - likely to generate false
# positives in a gate environment
# B607: start process with a partial path - this should be a project
# level decision
args: ['-x', 'tests', '-s', 'B105,B106,B107,B607']

View File

@ -7,7 +7,4 @@ stestr>=2.0.0 # Apache-2.0
fixtures>=3.0.0 # Apache-2.0/BSD
testscenarios>=0.4 # Apache-2.0/BSD
testtools>=2.2.0 # MIT
bandit>=1.6.0,<1.7.0 # Apache-2.0
pifpaf>=0.10.0 # Apache-2.0
pre-commit>=2.6.0 # MIT

15
tox.ini
View File

@ -16,21 +16,10 @@ deps =
commands = stestr run --slowest --concurrency=1 {posargs}
[testenv:pep8]
deps =
pre-commit
commands =
pre-commit run -a
bandit -r castellan -x tests -s B105,B106,B107,B607
[testenv:bandit]
# This command runs the bandit security linter against the castellan
# codebase minus the tests directory. Some tests are being excluded to
# reduce the number of positives before a team inspection, and to ensure a
# passing gate job for initial addition. The excluded tests are:
# B105-B107: hardcoded password checks - likely to generate false positives
# in a gate environment
# B607: start process with a partial path - this should be a project level
# decision
commands =
bandit -r castellan -x tests -s B105,B106,B107,B607
[testenv:venv]
commands = {posargs}