feat(bandit): Use .bandit, if it exists
I've been modifying my .emacs.d copy of this file for a while now, and I think some of it could be useful.
Thanks for the pull request! I was looking at the bandit command line options, and it looks like it accepts -c for CONFIG_FILE, and --ini for INI_PATH. I'm less familiar with bandit configuration -- does it make sense for the INI file to be the one found by a config file option? Do you know how the different files are commonly used?
Bandit's configuration setup is a...notorious subject. I don't blame you for struggling to understand the differences here. I find myself solving the same problems every time I set up bandit in a fresh project.
Fortunately, at least pycheckers sidesteps some of the worse parts by applying a check on a per-file basis, as "recursive" checks for modules in particular are tricky.
I would recommend keeping it the way it is because it aligns with the dedicated mypy.ini and .pylintrc files, for .bandit. Otherwise you start to get into tox territory, and that's probably more trouble than it's worth compared to what's here today.
Here's my "standard" .bandit file.
I was going to make an issue for "pre-baking" common sense defaults into pycheckers if configs were not found, but decided against it. Maybe that could be something I could open an issue on later?
This issue in particular does a good job highlighting the difference between -c (yaml) configs and --ini style configs.
The other tools in pycheckers are driven by ini file style configuration, so I say go with that. It's your call. Both should work fine.
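
An added example, not part of the thread or the pycheckers code: a sketch of the lookup the discussion settles on, searching upward from the checked file for a `.bandit` file and passing it to bandit with `--ini`. The function names and the sample `.bandit` contents are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path
from typing import List, Optional


def find_bandit_ini(source_file: Path, name: str = ".bandit") -> Optional[Path]:
    """Return the nearest `name` at or above the file's directory, else None."""
    start = source_file.resolve().parent
    for directory in (start, *start.parents):
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def has_bandit_section(ini_path: Path) -> bool:
    """bandit reads --ini options from a [bandit] section; skip files without one."""
    parser = configparser.ConfigParser()
    try:
        parser.read(ini_path)
    except configparser.Error:  # e.g. a YAML config saved under this name
        return False
    return parser.has_section("bandit")


def bandit_command(source_file: Path) -> List[str]:
    """Build the per-file bandit argv, adding --ini only for a usable .bandit."""
    cmd = ["bandit"]
    ini = find_bandit_ini(source_file)
    if ini is not None and has_bandit_section(ini):
        cmd += ["--ini", str(ini)]
    return cmd + [str(source_file)]


def demo() -> List[str]:
    """Constructed project tree: <root>/.bandit and <root>/src/pkg/mod.py."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        target = root / "src" / "pkg" / "mod.py"
        target.parent.mkdir(parents=True)
        target.write_text("assert True\n")
        (root / ".bandit").write_text("[bandit]\nskips = B101\n")  # constructed sample
        return [p.replace(str(root), "<root>") for p in bandit_command(target)]


if __name__ == "__main__":
    print(demo())
```

A `.bandit` that is not INI with a `[bandit]` section (for example YAML meant for `-c`) is ignored here, so the check still runs with bandit's defaults.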