
.bandit ignored for single files

Open grizz opened this issue 5 years ago • 4 comments

When doing a single file, bandit doesn't use the .bandit file in the directory. If it's agreed that it should work like this, I'm happy to do a PR to fix it.

With a config file tests/.bandit, running

bandit -r tests/

has different results than

bandit -r tests/test_cli.py

Expected behavior

I would expect bandit to search each directory to root for a .bandit file and apply the first found to the test run.

Bandit version

bandit 1.4.0

grizz avatar Jul 07 '18 14:07 grizz

Bandit only looks for config files if the target is a directory. The relevant code is in bandit.cli.main._get_options_from_ini.

amacfie avatar Jan 01 '20 22:01 amacfie
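To make the two behaviours concrete, here is an added example (not bandit's code and not from anyone in this thread): a model of the directory-only lookup amacfie describes beside the walk-up-to-root lookup the issue asks for, compared on a directory target and a single-file target. The `[bandit]`/`skips` ini layout and the `tests/` tree are constructed for the demo.

```python
import configparser
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set

def lookup_directory_only(target: str) -> Optional[Path]:
    """Model of the 1.4.0 behaviour described in the thread (an assumption, not bandit's code):
    a .bandit is only looked for when the target itself is a directory."""
    path = Path(target)
    candidate = path / ".bandit"
    return candidate if path.is_dir() and candidate.is_file() else None

def lookup_walk_up(target: str) -> Optional[Path]:
    """Expected behaviour from the issue: start at the file's directory (or the directory
    itself) and walk toward the filesystem root, returning the first .bandit found."""
    start = Path(target).resolve()
    if start.is_file():
        start = start.parent
    for directory in (start, *start.parents):
        candidate = directory / ".bandit"
        if candidate.is_file():
            return candidate
    return None

def skipped_tests(config_path: Optional[Path]) -> Set[str]:
    """Parse the comma-separated 'skips' key of the [bandit] ini section into test ids."""
    if config_path is None:
        return set()
    parser = configparser.ConfigParser()
    parser.read(config_path)
    raw = parser.get("bandit", "skips", fallback="")
    return {item.strip() for item in raw.split(",") if item.strip()}

def demo() -> Dict[str, Set[str]]:
    """Build a constructed tests/ tree and compare both lookups on a directory and a file target."""
    tests = Path(tempfile.mkdtemp()) / "tests"
    tests.mkdir()
    (tests / ".bandit").write_text("[bandit]\nskips = B101\n")              # constructed config
    (tests / "test_cli.py").write_text("def test_x():\n    assert True\n")  # constructed test
    targets = {"dir": str(tests), "file": str(tests / "test_cli.py")}
    return {
        f"{name}_{label}": skipped_tests(lookup(path))
        for label, lookup in (("current", lookup_directory_only), ("expected", lookup_walk_up))
        for name, path in targets.items()
    }

if __name__ == "__main__":
    print(demo())  # file_current is empty: the single-file run never sees skips = B101
```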

@amacfie a use case (for me) is as follows: say I want bandit to ignore use of asserts in the tests folder. I configured .bandit to ignore that folder, but this is ignored in editors like VSCode, where it seems to run bandit on individual files while they are being edited. So I cannot rely on .bandit, but everyone needs to configure their IDE to manually exclude the tests folder via -x tests. More configs would have to be duplicated.

I assumed this was a bug as the expected behaviour is to follow the config? IIRC other linters follow the config. Is there a use case to run bandit on files excluded on the config?

n-batalha avatar Jun 07 '20 17:06 n-batalha

This is actually really bad for CodeFactor, because I don't think it runs Bandit on a directory. So I'm getting F's for my repository, because of 99 errors regarding usage of input() in a Python 3 program. The config file does not undo those errors because of this issue. I feel like it should always look for a config file, unless there is a very good reason not to. Thoughts?

TheTechRobo avatar Sep 17 '20 14:09 TheTechRobo

Hi, the following may be helpful to configure bandit, for example, to avoid raising B101 assert_used warnings on Python tests.

  • https://github.com/PyCQA/bandit/issues/603#issuecomment-971057519

There are also some suggestions for how to configure VSCode to properly use .bandit and bandit.yml configuration files.

diegovalenzuelaiturra avatar Nov 17 '21 17:11 diegovalenzuelaiturra