
config file as described in README.rst does not work

Open davidak opened this issue 7 years ago • 5 comments


To Reproduce
Steps to reproduce the behavior:

  1. create .bandit file with content:

       [bandit]
       tests: B101,B102,B301

  2. run bandit -c .bandit -r module/
  3. get error: [main] ERROR .bandit : Error parsing file.

Expected behavior
working as described in readme

Bandit version

bandit 1.4.0

Additional context
Docs say it should be YAML and not INI. https://bandit.readthedocs.io/en/latest/config.html

davidak avatar Jun 18 '18 14:06 davidak

want to take this one on @davidak ?

lukehinds avatar Jun 18 '18 14:06 lukehinds

https://github.com/PyCQA/bandit/issues/318 is needed to use a sane name. I might find the time to do it then, but feel free to do it yourself.

davidak avatar Jun 18 '18 15:06 davidak

This bug seems to be caused by inconsistent behavior of Bandit (and incomplete documentation).

If you use a .bandit file, you need to start the file with the text "[bandit]" and then add the arguments. For example:

    [bandit]
    exclude: \tests,\doc,\misc
    tests: B101,B102,B104

But if you want to use a separate config file with the "--configfile" argument on the command line, you have to remove the text "[bandit]", replace "exclude" with "exclude_dirs" and add the values inside square brackets like this:

    exclude_dirs: [\tests,\doc,\misc]
    tests: [B101,B102,B104]

lassejar avatar Aug 30 '18 10:08 lassejar
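The two layouts lassejar describes differ only in the section header, one key name and the list syntax, so the mismatch can be checked and converted mechanically. The script below is an added example (not part of this issue thread or of Bandit itself): it detects which of the two layouts a file uses, parses the INI-style `.bandit` form with the standard-library `configparser`, and rewrites it into the YAML mapping the `-c`/`--configfile` loader expects. The key rename table and the sample file are taken from the comment above; the `/tests` paths are constructed values.

```python
import configparser
from typing import Dict, List

# Key renames between the two layouts described in the thread:
# the INI-style ".bandit" file uses "exclude", the YAML file used with
# -c/--configfile uses "exclude_dirs".  Other keys keep their names.
INI_TO_YAML_KEYS = {"exclude": "exclude_dirs"}


def detect_layout(text: str) -> str:
    """Return "ini" if the file starts with a [bandit] section header, else "yaml".

    This is the preflight check behind the original report: feeding the
    INI-style file to the YAML loader produces "Error parsing file".
    """
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            return "ini" if stripped == "[bandit]" else "yaml"
    return "yaml"


def parse_bandit_ini(text: str) -> Dict[str, List[str]]:
    """Parse the INI-style .bandit file: a [bandit] section with comma-separated lists."""
    parser = configparser.ConfigParser()  # accepts both "key: value" and "key = value"
    parser.read_string(text)
    if "bandit" not in parser:
        raise ValueError("missing [bandit] section")
    options: Dict[str, List[str]] = {}
    for key, value in parser["bandit"].items():
        options[key] = [item.strip() for item in value.split(",") if item.strip()]
    return options


def to_yaml_config(options: Dict[str, List[str]]) -> str:
    """Render the options as the YAML mapping expected by -c/--configfile.

    Values are emitted as YAML flow sequences ("[a,b,c]"), matching the
    square-bracket form shown in the thread.
    """
    lines = []
    for key, values in options.items():
        yaml_key = INI_TO_YAML_KEYS.get(key, key)
        lines.append(f"{yaml_key}: [{','.join(values)}]")
    return "\n".join(lines) + "\n"


# Constructed sample mirroring the .bandit file from the comment above.
SAMPLE_INI = "[bandit]\nexclude: /tests,/doc,/misc\ntests: B101,B102,B104\n"
```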

Hi, the following may be helpful to configure bandit, for example, to avoid raising B101 assert_used warnings on Python tests:

  • https://github.com/PyCQA/bandit/issues/603#issuecomment-971057519

diegovalenzuelaiturra avatar Nov 17 '21 01:11 diegovalenzuelaiturra

https://bandit.readthedocs.io/en/latest/config.html says .bandit should be an INI file (which uses = instead of :). The only thing incorrect is that it implies you don't need to use -c .bandit because that's --ini .bandit and not needed when using -r which is false here. I suggest Bandit prefer .bandit, pyproject.toml, and setup.cfg by default, overridable with arguments like -c, and to replace --ini with -c or --config (aka --configfile).

CTimmerman avatar Aug 20 '22 10:08 CTimmerman