Bandit can't read config file when run in pre-commit
Describe the bug
When running bandit as a pre-commit hook on pre-commit.ci or locally I am getting an error that says the Bandit hook can't read the pyproject.toml file. I've also tried this with other bandit config file approaches (bandit.yaml) and received the same error message.
Specifically, I'm getting an error message that says: `[main] ERROR pyproject.toml : Could not read config file.`
However, when I run bandit from the command line it appears to work (e.g. `bandit . -r -c pyproject.toml`).
Also note that I'll cross-post this on the pre-commit repository so they are aware too.
Reproduction steps
1. Install pre-commit using the .pre-commit-config.yaml file pasted below
2. Add a pyproject.toml section that looks like
```toml
[tool.bandit]
exclude_dirs = ["*/tests/*"]
```
3. Commit a changed Python file so the pre-commit hooks run on it
Settings in .pre-commit-config.yaml:
```yaml
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.1.0
    hooks:
      - id: check-added-large-files
        args: ['--maxkb=1000']
      - id: check-ast
      - id: check-case-conflict
      - id: check-merge-conflict
      - id: check-symlinks
      - id: check-yaml
      - id: check-toml
      - id: debug-statements
      - id: end-of-file-fixer
      - id: fix-encoding-pragma
      - id: requirements-txt-fixer
      - id: trailing-whitespace
      - id: check-docstring-first
      - id: name-tests-test
        args: ['--django']
      - id: no-commit-to-branch
  - repo: https://github.com/pycqa/isort
    rev: 5.10.1
    hooks:
      - id: isort
        name: isort
  - repo: https://github.com/psf/black
    rev: 22.3.0
    hooks:
      - id: black
        language_version: python3
  - repo: https://github.com/pycqa/flake8
    rev: 4.0.1
    hooks:
      - id: flake8
        exclude: docs/source/conf.py, __pycache__
        additional_dependencies: [flake8-bugbear, flake8-builtins, flake8-quotes, flake8-comprehensions, pandas-vet, flake8-print, pep8-naming, doc8]
  - repo: https://github.com/pycqa/pydocstyle
    rev: 6.1.1
    hooks:
      - id: pydocstyle
        additional_dependencies: ["toml"]
  - repo: https://github.com/nbQA-dev/nbQA
    rev: 1.3.1
    hooks:
      - id: nbqa-isort
        args: [--nbqa-mutate, --nbqa-dont-skip-bad-cells]
        additional_dependencies: [isort==5.6.4]
      - id: nbqa-black
        args: [--nbqa-mutate, --nbqa-dont-skip-bad-cells]
        additional_dependencies: [black==20.8b1]
      - id: nbqa-flake8
        args: [--nbqa-dont-skip-bad-cells, "--extend-ignore=E402,E203"]
        additional_dependencies: [flake8==3.8.3]
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.4
    hooks:
      - id: bandit
        args: ["-c pyproject.toml"]
  - repo: https://github.com/PyCQA/doc8
    rev: 0.11.2
    hooks:
      - id: doc8
        args: ["--max-line-length=88", "--config=pyproject.toml", "docs"]
        additional_dependencies: ["tomli"]
```
Expected behavior
Bandit should be able to find its configuration files within a pre-commit environment.
Ideally you would not need to tell Bandit where to look for the config file. Instead Bandit would just look in areas (from preferred files down to less preferred ones) like many linters do.
Bandit version
1.7.4 (Default)
Python version
3.9
Additional context
No response
I was able to get part of the way there.
```yaml
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.4
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml"]
```
in my pre-commit.yaml file works and the bandit part of my pyproject.toml file looks like:
```toml
[tool.bandit]
exclude_dirs = ["tests"]
```
but when I run pre-commit using:
```
$ pre-commit run -a
```
I get the following output:
```
bandit...................................................................Failed
- hook id: bandit
- exit code: 2
[main] ERROR pyproject.toml : toml parser not available, reinstall with toml extra
[main] ERROR pyproject.toml : toml parser not available, reinstall with toml extra
```
I checked my venv and my standard python install (running on Ubuntu 20.04) and I get this:
```
$ pip install toml
Requirement already satisfied: toml in <various-locations-tried>/site-packages (0.10.2)
```
The problem is pre-commit is handling the installation of bandit by going to the git site and doing a pull. I cannot do `pip install bandit[toml]` to make this work. Even when I do this it doesn't fix the problem.
@RNKuhns Sorted it! Make this your entry to .pre-commit-config.yaml
```yaml
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.4
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml"]
        additional_dependencies: [ "bandit[toml]" ]
```
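Added example (not from this thread and not bandit's own code) showing in Python why the two `args:` forms in the thread behave differently and what the `bandit[toml]` extra supplies: pre-commit appends each element of the hook's `args:` list to argv unchanged, so a single element `"-c pyproject.toml"` reaches argparse as the short option `-c` with `" pyproject.toml"` (leading space included) as its value, a file that does not exist. The minimal `-c/--configfile` parser, the `tomli` fallback and the sample `pyproject.toml` are assumptions standing in for bandit's real CLI and for the user's repository.

```python
import argparse
import os
import tempfile

# Constructed sample pyproject.toml matching the thread's [tool.bandit] section.
SAMPLE_PYPROJECT = b'[tool.bandit]\nexclude_dirs = ["tests"]\n'


def parse_hook_args(argv):
    """Return the config path exactly as argparse hands it to the tool.

    Hypothetical stand-in for bandit's `-c/--configfile` option (one value).
    pre-commit passes each `args:` list element as one argv entry, so the
    single element "-c pyproject.toml" is read as -c with " pyproject.toml".
    """
    parser = argparse.ArgumentParser(prog="bandit")
    parser.add_argument("-c", "--configfile", dest="config_file", default=None)
    parser.add_argument("targets", nargs="*")
    return parser.parse_args(argv).config_file


def load_bandit_section(path):
    """Read [tool.bandit], reproducing the thread's two failure messages."""
    if not os.path.isfile(path):
        return None, "Could not read config file."
    try:
        import tomllib  # stdlib on Python 3.11+
    except ImportError:
        try:
            import tomli as tomllib  # assumed third-party fallback on older Pythons
        except ImportError:
            return None, "toml parser not available, reinstall with toml extra"
    with open(path, "rb") as fh:
        return tomllib.load(fh).get("tool", {}).get("bandit", {}), None


def demo():
    """Run the fused and split `args:` forms against the sample file."""
    forms = {"fused": ["-c pyproject.toml"], "split": ["-c", "pyproject.toml"]}
    results = {}
    with tempfile.TemporaryDirectory() as repo_root:
        with open(os.path.join(repo_root, "pyproject.toml"), "wb") as fh:
            fh.write(SAMPLE_PYPROJECT)
        for label, args in forms.items():
            # pre-commit runs hooks from the repo root; resolve -c against it.
            cfg_path = parse_hook_args(args + ["app.py"])
            results[label] = load_bandit_section(os.path.join(repo_root, cfg_path))
    return results


if __name__ == "__main__":
    for label, (section, error) in demo().items():
        print(f"{label:5s} -> {error or section}")
```

On an interpreter older than 3.11 without `tomli` installed, the split form still reports the "toml parser not available" message, which is the second failure the thread hits before adding `bandit[toml]` to `additional_dependencies`.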
Awesome! Sorry for omitting the optional dependency part. But since I had switched to trying a different config file type, I forgot to add it back.
I had been just specifying toml (and then tomli) in my additional dependencies as opposed to bandit[toml].
@matroscoe I confirmed this works. Maybe the bandit docs could be updated with the information?
And what about the .bandit file? It can't read the configuration from that either inside .pre-commit-config.yaml
It gives this error
```
[config] ERROR expected '<document start>', but found '<block mapping start>'
in ".bandit", line 3, column 1
[main] ERROR .bandit : Error parsing file.
[config] ERROR expected '<document start>', but found '<block mapping start>'
in ".bandit", line 3, column 1
[main] ERROR .bandit : Error parsing file.
```
for this .bandit file
```ini
[bandit]
# https://bandit.readthedocs.io/en/latest/man/bandit.html?highlight=exclude#options
exclude: /tests
```
@slidenerd afaik the `--configfile` (or `-c`) option only supports TOML and YAML files. If you want to use a .bandit file in INI format, you should use the `--ini` option instead.
> @RNKuhns Sorted it! Make this your entry to .pre-commit-config.yaml
>
> ```yaml
>   - repo: https://github.com/PyCQA/bandit
>     rev: 1.7.4
>     hooks:
>       - id: bandit
>         args: ["-c", "pyproject.toml"]
>         additional_dependencies: [ "bandit[toml]" ]
> ```
For me this does not work unfortunately. 😕 I get
```
bandit...................................................................Failed
- hook id: bandit
- exit code: 2
[main] ERROR pyproject.toml : Could not read config file.
```
Is there anything I could be missing? E.g.
- Do I need to install the dependency manually?
- Could a reinstall help?