Documentation of configuration is confusing / misleading regarding `exclude` vs `exclude_dirs`
Reading the docs for the first time, I struggled to correctly formulate my desired `.bandit.yaml`. The readme doc shows the use of `exclude: /test`, but the readthedocs site does not mention `exclude` or `exclude_dirs`.
I was writing a yaml doc with `exclude: ["/tests", "_build"]` and finding that files in my various `_build/` directories (a project-specific packaging process) were still being scanned.
Essential

It should be obvious that I needed to write `exclude_dirs: ["/tests", "_build"]` based on the readme.
Ideal

I'd like to see:
- the readme contains only a very simple example modern config file, i.e. yaml format (this is based on my understanding, after only a few minutes reading, that bandit is transitioning from "legacy" ini config to yaml?)
- refers explicitly to the docs site for full config documentation
- config documentation lists all available options and what they do
- example usages for the most common options with explanations, noting particular nuances -- e.g. that `exclude_dirs: ["foo"]` will capture `foo/`, `bar/foo/`, etc.
Hi, the following may be helpful to configure bandit, for example, to avoid raising B101 `assert_used` warnings on python tests - https://github.com/PyCQA/bandit/issues/603#issuecomment-971057519
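The two points raised so far (the `exclude` vs `exclude_dirs` mix-up in the issue body, and the B101 handling for test files in the comment above) fit in one config file. The following is an added example of a bandit YAML config, not the issue author's file and not a file from the bandit project; the directory names and test-file globs are constructed for illustration, and the `bandit.yaml` filename is an assumption.

```yaml
# bandit.yaml (added example; run with: bandit -c bandit.yaml -r .)

# WRONG KEY - the YAML config does not read `exclude`, so this line is silently
# ignored and _build/ and tests/ are still scanned (the symptom in the issue).
# The name `exclude` belongs to the CLI flag (-x / --exclude) and the legacy
# ini-style [bandit] section, not to the YAML file.
#
# exclude: ["/tests", "_build"]

# RIGHT KEY - `exclude_dirs` is what bandit reads from the YAML config.
# As the issue notes, an entry such as "_build" also matches nested
# directories like pkg/_build/, not only a top-level _build/.
exclude_dirs: ["/tests", "_build"]

# Per-test override: keep scanning tests for everything else, but do not
# report B101 (assert_used) in files whose names match these globs.
# (globs are constructed for the example)
assert_used:
  skips: ["*_test.py", "*/test_*.py"]
```

The practical difference between the two approaches: `exclude_dirs` removes the paths from the scan entirely, which is the cheaper option when CI time matters, while the `assert_used` skip list keeps test files in the scan and only suppresses one check there, so other findings in tests are still reported.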
I had no idea that we could use `exclude_dirs`. We've been incorrectly using `exclude` within our yaml file for ages. Just noticed given our tests in CI were taking a fairly long amount of time.