bandit
INI file format is not obviously documented anywhere
The docs mention exclude flags, but where can I find a complete list of the available flags?
targets: comma separated list of target dirs/files to run bandit on
exclude: comma separated list of excluded paths
skips: comma separated list of tests to skip
tests: comma separated list of tests to run
Why did you close this issue, @darakian?
The documentation for configuring the execution of Bandit is indeed sparse.
- And why is there an `--ini` option, but the docs only refer to YAML as a configuration file format?
- How do I configure the targets in the ini file?
Can we reopen the issue?
You're welcome to reopen the issue, but I solved my issue by using some bash to replace the include/exclude logic.
I can't reopen it. Only you and project maintainers can. Thanks in advance! :+1:
@bittner Whoops. Reopened for ya. If it helps the conversation, here's the bash/git logic I ended up with:

```bash
bandit -iii -lll $(git diff --name-only $(git log remotes/origin/master..HEAD --oneline | tail -1 | awk '{print $1}') HEAD) static_file.py
```
or in English
run bandit w/ high confidence on high severity issues on the list of files which have been changed on my local branch as compared to master plus one static file
It's a bit of a hack, but it's been solid for the build system. The static file is used to prevent bandit from failing in the event that the branch has no files which differ.
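An added example (not darakian's one-liner above and not part of the bandit project) that does the same job as a small POSIX shell script. It assumes the base branch is `origin/master` (override with `BASE_REF`) and that paths contain no spaces. Two differences from the one-liner are deliberate: `git merge-base` finds the fork point, so the branch's first commit is included (diffing from the first commit itself to `HEAD` leaves that commit's own changes out), and an empty file list ends the run with exit 0 instead of needing a placeholder file:

```bash
#!/bin/sh
# Added example, not the one-liner from the thread: scan only the Python files
# changed on the current branch relative to a base branch, and skip the scan
# cleanly when nothing changed instead of padding the list with a dummy file.
set -eu

# Assumption: the branch to compare against; override with BASE_REF=origin/main.
BASE_REF="${BASE_REF:-origin/master}"

# Keep only paths that end in .py and still exist on disk (deleted files are
# dropped). One path per line on stdin, surviving paths on stdout.
filter_python_files() {
    path=""
    while IFS= read -r path; do
        case "$path" in
            *.py) if [ -f "$path" ]; then printf '%s\n' "$path"; fi ;;
        esac
    done
}

# Files touched since the branch diverged from BASE_REF. git merge-base gives the
# fork point, so the branch's first commit is included; --diff-filter=ACMR keeps
# added, copied, modified and renamed files and leaves deletions out.
changed_files() {
    base="$(git merge-base "$BASE_REF" HEAD)"
    git diff --name-only --diff-filter=ACMR "$base" HEAD
}

# High-confidence, high-severity scan of the changed files; exits 0 with a note
# when there is nothing to scan, so CI does not need a placeholder file.
bandit_changed() {
    files="$(changed_files | filter_python_files)"
    if [ -z "$files" ]; then
        echo "bandit: no changed Python files, nothing to scan"
        return 0
    fi
    # Word splitting on the newline-separated list is intentional (no spaces in paths).
    # shellcheck disable=SC2086
    bandit -iii -lll $files
}

# Run the scan only when invoked as `sh bandit_changed.sh run`, so the file can
# also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    bandit_changed
fi
```

Invoke it as `sh bandit_changed.sh run` from the repository root in CI; `filter_python_files` also quietly drops files that were deleted on the branch, which would otherwise make bandit exit non-zero on a missing path.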
Awesome hack! Yeah, it's reeeeaally a hack! The `-iii` and `-lll` look funny. :laughing: OMG, glad it works for you in production.
I have also solved "my" problem, which was finding out how to tell bandit to steal all options from my `tox.ini` file -- and what to put in the mighty `[bandit]` section. Looks like this:
```ini
[tox]
envlist = bandit

[testenv:bandit]
deps = bandit
commands = bandit --ini tox.ini

[bandit]
exclude = .tox,build,dist,tests
recursive = true
targets = .
```
... which allows me to run simply `tox -e bandit`.
But that was all guesswork and reading from the source code (`bandit.cli` and `bandit.core.utils`). For the `recursive` option, for example, I don't even see why this works. There should really be some documentation on the options developers can use in an INI file.
Looks like I overlooked the WARNING: Running Bandit with just the `--ini` option doesn't actually do what I want:
```console
$ bandit --ini tox.ini
[main] INFO Using ini file for excluded paths
[main] INFO Using ini file for selected targets
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.6.6
[manager] WARNING Skipping directory (behave_django), use -r flag to scan contents
Run started:2019-03-21 08:48:49.567794
...
```
At least the `recursive` option is not recognized (as in: read from the configuration file), so the `-r` option must be provided from the command line. Which is a shame. :worried:
A successful call must look like this:
```console
$ bandit -r --ini tox.ini
[main] INFO Using ini file for excluded paths
[main] INFO Using ini file for selected targets
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.6.6
Run started:2019-03-21 08:54:10.220742
...
```
... or with a `.bandit` file in the local directory:
```console
$ bandit -r .
[main] INFO Found project level .bandit file: ./.bandit
[main] INFO Using ini file for excluded paths
[main] INFO Using command line arg for selected targets
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.6.6
Run started:2019-03-21 08:53:40.683285
...
```
Hi, the following may be helpful to configure `bandit`, for example, to avoid raising `B101 assert_used` warnings on Python tests:

- https://github.com/PyCQA/bandit/issues/603#issuecomment-971057519
> - And why is there an `--ini` option, but the docs only refer to YAML as a configuration file format?
Hey, I have the same question as @bittner. Why are there two different configuration files?
True, it might make sense to consolidate configuration settings in a single place. Whatever file format is used, users should be able to configure everything there, not one thing here and other things in a second place. The current state is confusing.
The INI file format and options are now explained in the documentation along with YAML and TOML.
We can probably close this issue now.
> We can probably close this issue now.
Why close the issue before a decision about it? There's still an undocumented INI file. It should be documented somewhere or explicitly deprecated in favor of YAML.
INI is also used by Python's `setup.cfg`, which isn't quite replaced by `pyproject.toml` yet. TOML sits between INI and YAML in complexity. Bandit supports TOML and YAML via `--config`, but INI only works with `--ini`, for no apparent reason.
https://github.com/PyCQA/bandit/issues/317#issuecomment-1221275052
PEP-621 obliterates the setup.py/setup.py and I am very happy about it. It is true that INI files have no standard at all; they should be avoided like the plague.
Based on this, I would say that the only thing that needs to be done is to add a statement to the docs that this format is deprecated/discouraged in favour of either YAML or TOML, or both.