
Documentation of configuration is confusing / misleading regarding `exclude` vs `exclude_dirs`

Open sirosen opened this issue 4 years ago • 2 comments

Reading the docs for the first time, I struggled to correctly formulate my desired .bandit.yaml.

The readme doc shows the use of `exclude: /test`, but the readthedocs site does not mention `exclude` or `exclude_dirs`. I was writing a yaml doc with

```yaml
exclude: ["/tests", "_build"]
```

and finding that files in my various _build/ directories (a project-specific packaging process) were still being scanned.

Essential

It should be obvious that I needed to write

```yaml
exclude_dirs: ["/tests", "_build"]
```

based on the readme.

Ideal

I'd like to see:

  • the readme contains only a very simple example modern config file, i.e. yaml format (this is based on my understanding, after only a few minutes reading, that bandit is transitioning from "legacy" ini config to yaml?)
  • refers explicitly to the docs site for full config documentation
  • config documentation lists all available options and what they do
  • example usages for the most common options with explanations, noting particular nuances -- e.g. that `exclude_dirs: ["foo"]` will capture `foo/`, `bar/foo/`, etc.

sirosen, Aug 14 '19 15:08

Hi, the following may be helpful to configure bandit, for example, to avoid raising B101 assert_used warnings on Python tests:

  • https://github.com/PyCQA/bandit/issues/603#issuecomment-971057519

diegovalenzuelaiturra, Nov 17 '21 01:11

I had no idea that we could use `exclude_dirs`. We've been incorrectly using `exclude` within our yaml file for ages. Just noticed, given our tests in CI were taking a fairly long amount of time.

JRemitz, Nov 30 '21 18:11
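The failure mode in this thread is silent: a YAML key bandit does not recognise (`exclude`) is simply ignored, so the directories you meant to skip keep getting scanned, as sirosen's first post and JRemitz's comment both report. The script below is an added example, not bandit's own code: it lints a parsed `.bandit` config for that mix-up and then shows which files of a constructed sample tree an `exclude_dirs` list would skip, including the nested `bar/foo/` case sirosen asks the docs to spell out. Assumptions not stated on the page: the config is the dict `yaml.safe_load()` returns for the file; `KNOWN_KEYS` is a deliberately small subset of bandit's options; exclusion is modelled as a substring test against the `./`-prefixed relative path, which reproduces the behaviour described here but is a model, not bandit's matching code; the `assert_used: skips` entry is the per-plugin B101 setting bandit documents for test files, used here only as a well-formed key.

```python
"""Added example (not bandit's own code): lint a parsed .bandit YAML config
for the exclude / exclude_dirs mix-up, then model which files get skipped.

Assumptions: config dicts are what yaml.safe_load() would return; exclusion
is modelled as a substring match on the "./"-prefixed walked path, which
matches the behaviour reported in the issue but may differ from bandit's own
matching between versions.
"""

# Keys this example recognises; a small subset of bandit's options (assumption).
KNOWN_KEYS = {"exclude_dirs", "skips", "tests", "assert_used"}

# Constructed sample tree, paths relative to the scan root.
SAMPLE_FILES = [
    "setup.py",
    "pkg/core.py",
    "pkg/_build/generated.py",       # nested _build, as in the issue
    "_build/stage/wheel_helper.py",
    "tests/test_core.py",
    "tests_extra/smoke.py",          # shows how broad a substring pattern is
]

# What the reporter wrote: yaml.safe_load of 'exclude: ["/tests", "_build"]'.
WRONG_CONFIG = {"exclude": ["/tests", "_build"]}

# The corrected form, plus the per-plugin skip list bandit documents for B101.
RIGHT_CONFIG = {
    "exclude_dirs": ["/tests", "_build"],
    "assert_used": {"skips": ["*/test_*.py"]},
}


def lint_config(config):
    """Return a list of problems found in a parsed config dict (empty if clean)."""
    problems = []
    if "exclude" in config:
        problems.append(
            "'exclude' is not a recognised key: bandit ignores it and keeps "
            "scanning those paths; use 'exclude_dirs' instead"
        )
    dirs = config.get("exclude_dirs")
    if dirs is not None and not (
        isinstance(dirs, list) and all(isinstance(d, str) for d in dirs)
    ):
        problems.append("'exclude_dirs' must be a list of strings")
    for key in config:
        if key not in KNOWN_KEYS and key != "exclude":
            problems.append(f"unknown key {key!r}")
    return problems


def effective_exclusions(config):
    """Only exclude_dirs takes effect; a stray 'exclude' contributes nothing."""
    dirs = config.get("exclude_dirs")
    return list(dirs) if isinstance(dirs, list) else []


def is_excluded(rel_path, exclude_dirs):
    """Model (assumption) of exclusion: any pattern occurring anywhere in the
    walked path excludes the file, so "_build" also hits pkg/_build/ and
    "/tests" also hits tests_extra/."""
    walked = "./" + rel_path.lstrip("/")
    return any(pattern in walked for pattern in exclude_dirs)


def partition(paths, exclude_dirs):
    """Split paths into (scanned, skipped) under the given exclusions."""
    scanned, skipped = [], []
    for p in paths:
        (skipped if is_excluded(p, exclude_dirs) else scanned).append(p)
    return scanned, skipped


def report(config, paths=SAMPLE_FILES):
    """Lint a config and return (problems, scanned, skipped) for the sample tree."""
    problems = lint_config(config)
    scanned, skipped = partition(paths, effective_exclusions(config))
    return problems, scanned, skipped


if __name__ == "__main__":
    cases = (("exclude (wrong)", WRONG_CONFIG), ("exclude_dirs (right)", RIGHT_CONFIG))
    for label, cfg in cases:
        problems, scanned, skipped = report(cfg)
        print(f"== {label} ==")
        for msg in problems:
            print("  problem:", msg)
        print("  scanned:", scanned)
        print("  skipped:", skipped)
```

Running it shows the wrong config scanning all six sample files with a lint warning, and the right config skipping both `_build` directories and everything under `tests/`. The `tests_extra/` line is the caveat to take away: under a substring-style match a short pattern like `/tests` reaches further than its name suggests, so check the skipped list against what you intended rather than trusting the key alone.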