diff --git a/lower-constraints.txt b/lower-constraints.txt
index 0f130f39d..82b98089e 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -2,6 +2,7 @@ alabaster==0.7.10
 appdirs==1.4.3
 Babel==2.5.3
 bashate==0.5.1
+bandit==1.1.0
 beautifulsoup4==4.6.0
 certifi==2018.1.18
 chardet==3.0.4
diff --git a/test-requirements.txt b/test-requirements.txt
index ffa5319b8..25c8aaaba 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -9,6 +9,7 @@ oslotest>=3.2.0 # Apache-2.0
 stestr>=1.0.0 # Apache-2.0
 bashate>=0.5.1 # Apache-2.0
 flake8-import-order>=0.13 # LGPLv3
+bandit!=1.6.0,>=1.1.0,<2.0.0 # Apache-2.0
 # Doc requirements
 doc8>=0.6.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index 87755c919..954801e18 100644
--- a/tox.ini
+++ b/tox.ini
@@ -114,3 +114,8 @@ deps =
 -c{toxinidir}/lower-constraints.txt
 -r{toxinidir}/test-requirements.txt
 -r{toxinidir}/requirements.txt
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r ironic_python_agent -x tests -n5 -ll
diff --git a/zuul.d/ironic-python-agent-jobs.yaml b/zuul.d/ironic-python-agent-jobs.yaml
index 138563fe5..c4d2169e6 100644
--- a/zuul.d/ironic-python-agent-jobs.yaml
+++ b/zuul.d/ironic-python-agent-jobs.yaml
@@ -142,3 +142,20 @@
 s-container: True
 s-object: True
 s-proxy: True
+
+- job:
+ # Security testing for known issues
+ name: ipa-tox-bandit
+ parent: openstack-tox
+ timeout: 2400
+ vars:
+ tox_envlist: bandit
+ irrelevant-files:
+ - ^test-requirements.txt$
+ - ^.*\.rst$
+ - ^doc/.*$
+ - ^ironic_python_agent/tests/.*$
+ - ^releasenotes/.*$
+ - ^setup.cfg$
+ - ^tools/.*$
+ - ^tox.ini$
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index aa3f1f4aa..9ea3c1d2f 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -28,6 +28,8 @@
 - openstack-tox-functional:
 voting: false
 - openstack-tox-lower-constraints
+ - ipa-tox-bandit:
+ voting: false
 gate:
 queue: ironic
 jobs:
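Review bot: The `!=1.6.0` exclusion on the added `bandit` line in test-requirements.txt is unexplained, so whoever next touches this pin cannot tell whether it may be dropped. It presumably works around a defect in that one release (the 1.6.0 series is widely pinned out because its `-x` path exclusion, which the new tox env relies on, misbehaved), but that is inferred and not visible in this diff; add a comment line above it such as `# bandit 1.6.0 excluded: its -x path exclusion is broken, drop once the floor is raised past it`. Note also that the new tox env installs from this file with no constraints file, so the bandit version actually used in CI floats anywhere within `>=1.1.0,<2.0.0`, and each new bandit release can add or change checks and flip the job result without any change to this repository; pinning through the project's constraints mechanism would make the scan reproducible.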
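Review bot: `-ll` on the new `commands` line in `[testenv:bandit]` reports only medium- and high-severity findings, so every low-severity check (subprocess usage, `assert`, hard-coded temp paths and the like) is dropped from the scan without any record of why, and `-x tests` is matched by the bandit versions this pin still allows as a substring of the path rather than as a prefix, so it excludes any file whose path contains `tests`, not only `ironic_python_agent/tests` (worth confirming against the installed bandit). Neither choice is wrong for a first non-voting run, but both should be stated so the next reader does not assume the scan is comprehensive; a comment above the line such as `# -ll: report medium/high severity only; -x tests: substring match, skips any path containing 'tests'` would do. As the baseline is cleaned up, prefer a narrower `-x ironic_python_agent/tests` and per-check skips (`-s` or a `.bandit` config with a justification per test id) over a global severity cut.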
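Review bot: `^tox.ini$` and `^test-requirements.txt$` in the new job's `irrelevant-files` mean that a change to the bandit invocation itself (the `[testenv:bandit]` commands) or to the bandit version pin will not trigger `ipa-tox-bandit`, so a broken or weakened scan configuration can land with the job never having run against it; those two files are the job's only inputs besides the source tree. Drop both patterns from the list. The comment `# Security testing for known issues` also misdescribes what the job does — bandit is a static analyzer for insecure coding patterns in this repository's own Python, not a check for known vulnerabilities or CVEs in dependencies — so reword it to `# bandit static analysis for insecure coding patterns (not a CVE/dependency scan)`.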
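Review bot: `voting: false` on the new `ipa-tox-bandit` check entry, with no matching entry under `gate`, means a new medium- or high-severity bandit finding never blocks a merge and is only seen by a reviewer who opens the non-voting job's log. That is reasonable while the baseline is being cleaned up, but it should be explicitly time-boxed; add a comment above the entry such as `# non-voting until the bandit baseline is clean; then make voting and add to gate`. The enclosing `check` job list starts above this hunk.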