Nick Pope
Sorry - cross-posted! As noted in my follow-up, it seems pretty flawed. In fact, they're doing more like what I suggest: https://github.com/PyCQA/bandit/blob/a9eaafa53ae73c1a66172373128cb19bb7b82a32/bandit/plugins/general_hardcoded_password.py#L13-L16
For some more comprehensive information on which to help make a decision: ```python # These are the words that bandit supports: password = "" passwd = "" # pass =...
Small aside: There seems to be unnecessary escaping in the output:

```
...
bug.py:54:14: S105 Possible hardcoded password: "Please don\'t match!"
...
```
@KittyBorgX I don't believe anyone is looking into this one yet.
For a file containing just the following (which is often seen in `__init__.py`): ```python from math import * ``` ```console ❯ flake8 bug.py bug.py:1:1: F403 'from math import *' used;...
Looks like `bento.dev` no longer resolves and the Wayback Machine points to `semgrep.dev`... Anyway, rules: - [ ] [`r2c-requests-no-auth-over-http`](https://semgrep.dev/r?q=python.requests.security.no-auth-over-http.no-auth-over-http): Alerts when auth param is possibly used over http://, which could...
I guess we could do that, but that would only work as long as `ruff` never chose to output something else to stderr... It seems a little irregular. Normally stdout...
So `--format=jsonl` then? (See https://jsonlines.org/) I guess that allows for using `tee` to redirect to multiple processors then? It would work, but does just seem much more complex than a...
@charliermarsh Could you re-open this? I'm not sure why it makes sense to create a new issue when it would be exactly the same description... This issue was clearly stated...
I should follow up that, while the PR you linked to (#4950) does support writing to an output file with a flag, it doesn't do anything other than remove the...