From 1a7af1289b7c8849f9c2334f387ad2e07db05e78 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 2 Feb 2024 01:55:23 +0900
Subject: [PATCH] pre-commit: Integrate bandit

Co-Authored-By: Stephen Finucane
Change-Id: I8ce1724bb1f7eab88204d350616bf59d910ea57d
---
 .pre-commit-config.yaml | 9 +++++++++
 test-requirements.txt | 3 ---
 tox.ini | 15 ++-------------
 3 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 07917d34..c9b5eb4e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -23,3 +23,12 @@ repos:
     hooks:
       - id: hacking
         additional_dependencies: []
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.6
+    hooks:
+      - id: bandit
+        # B105-B107: hardcoded password checks - likely to generate false
+        # positives in a gate environment
+        # B607: start process with a partial path - this should be a project
+        # level decision
+        args: ['-x', 'tests', '-s', 'B105,B106,B107,B607']
diff --git a/test-requirements.txt b/test-requirements.txt
index 5be59ca5..9595bf16 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -7,7 +7,4 @@ stestr>=2.0.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 testscenarios>=0.4 # Apache-2.0/BSD
 testtools>=2.2.0 # MIT
-bandit>=1.6.0,<1.7.0 # Apache-2.0
 pifpaf>=0.10.0 # Apache-2.0
-
-pre-commit>=2.6.0 # MIT
diff --git a/tox.ini b/tox.ini
index a089625f..520b988b 100644
--- a/tox.ini
+++ b/tox.ini
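Review bot: The `-s B105,B106,B107` skips in the new `args` line now apply only to the `castellan` package itself, because `-x tests` already keeps test code out of the scan, so hardcoded-credential findings in production code are silenced project-wide rather than just in test fixtures. The comment above `args` justifies the skip with gate false positives, which were the test-suite cases; consider dropping B105-B107 from `-s` and marking any genuine false positive at the offending line with `# nosec`, keeping B607 as the documented project-level decision. It is also worth confirming that the `-x tests` exclusion behaves the same when pre-commit hands bandit individual file paths instead of the earlier recursive `bandit -r castellan` walk; if it does not, the hook's pre-commit `exclude:` key is the reliable way to skip `castellan/tests/`.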
@@ -16,21 +16,10 @@ deps =
 commands = stestr run --slowest --concurrency=1 {posargs}
 
 [testenv:pep8]
+deps =
+  pre-commit
 commands =
   pre-commit run -a
-  bandit -r castellan -x tests -s B105,B106,B107,B607
-
-[testenv:bandit]
-# This command runs the bandit security linter against the castellan
-# codebase minus the tests directory. Some tests are being excluded to
-# reduce the number of positives before a team inspection, and to ensure a
-# passing gate job for initial addition. The excluded tests are:
-# B105-B107: hardcoded password checks - likely to generate false positives
-# in a gate environment
-# B607: start process with a partial path - this should be a project level
-# decision
-commands =
-  bandit -r castellan -x tests -s B105,B106,B107,B607
 
 [testenv:venv]
 commands = {posargs}
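Review bot: The added `deps = pre-commit` in `[testenv:pep8]` carries no version bound, and because a section-level `deps` replaces the `[testenv]` one (only its `deps =` opener is visible as hunk context), this env also stops installing whatever constraints or requirements files `[testenv]` pulls in, so the lint job floats to the newest pre-commit release on every run. The `pre-commit>=2.6.0 # MIT` line removed from test-requirements.txt in this same commit was the only bound on it. Consider reusing the same `-c` constraints line that `[testenv]` uses ahead of `pre-commit` here, or at least a minimum version, so the gate and local runs resolve the same tool versions; the bandit version itself is fixed by `rev: 1.7.6` in .pre-commit-config.yaml, so only the runner is affected.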