Incorporate bandit support in CI

Change-Id: I2144c284ffcfa696412fca30f59a66c54c3d1965
Story: 2005791
Task: 33564

lower-constraints.txt

@@ -2,6 +2,7 @@ alabaster==0.7.10
 appdirs==1.4.3
 Babel==2.5.3
 bashate==0.5.1
+bandit==1.1.0
 beautifulsoup4==4.6.0
 certifi==2018.1.18
 chardet==3.0.4

test-requirements.txt

@@ -9,6 +9,7 @@ oslotest>=3.2.0 # Apache-2.0
 stestr>=1.0.0 # Apache-2.0
 bashate>=0.5.1 # Apache-2.0
 flake8-import-order>=0.13 # LGPLv3
+bandit!=1.6.0,>=1.1.0,<2.0.0 # Apache-2.0
 
 # Doc requirements
 doc8>=0.6.0 # Apache-2.0

tox.ini

@@ -114,3 +114,8 @@ deps =
   -c{toxinidir}/lower-constraints.txt
   -r{toxinidir}/test-requirements.txt
   -r{toxinidir}/requirements.txt
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r ironic_python_agent -x tests -n5 -ll

zuul.d/ironic-python-agent-jobs.yaml

@@ -142,3 +142,20 @@
         s-container: True
         s-object: True
         s-proxy: True
+
+- job:
+    # Security testing for known issues
+    name: ipa-tox-bandit
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit
+    irrelevant-files:
+      - ^test-requirements.txt$
+      - ^.*\.rst$
+      - ^doc/.*$
+      - ^ironic_python_agent/tests/.*$
+      - ^releasenotes/.*$
+      - ^setup.cfg$
+      - ^tools/.*$
+      - ^tox.ini$

zuul.d/project.yaml

@@ -28,6 +28,8 @@
         - openstack-tox-functional:
             voting: false
         - openstack-tox-lower-constraints
+        - ipa-tox-bandit:
+            voting: false
     gate:
       queue: ironic
       jobs: