pre-commit: Integrate bandit

Co-Authored-By: Stephen Finucane <sfinucan@redhat.com>
Change-Id: I8ce1724bb1f7eab88204d350616bf59d910ea57d

.pre-commit-config.yaml

@@ -23,3 +23,12 @@ repos:
     hooks:
       - id: hacking
         additional_dependencies: []
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.6
+    hooks:
+      - id: bandit
+        # B105-B107: hardcoded password checks - likely to generate false
+        #            positives in a gate environment
+        # B607: start process with a partial path - this should be a project
+        #       level decision
+        args: ['-x', 'tests', '-s', 'B105,B106,B107,B607']

test-requirements.txt

@@ -7,7 +7,4 @@ stestr>=2.0.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 testscenarios>=0.4 # Apache-2.0/BSD
 testtools>=2.2.0 # MIT
-bandit>=1.6.0,<1.7.0 # Apache-2.0
 pifpaf>=0.10.0 # Apache-2.0
-
-pre-commit>=2.6.0 # MIT

tox.ini

@@ -16,21 +16,10 @@ deps =
 commands = stestr run --slowest --concurrency=1 {posargs}
 
 [testenv:pep8]
+deps =
+  pre-commit
 commands =
   pre-commit run -a
-  bandit -r castellan -x tests -s B105,B106,B107,B607
-
-[testenv:bandit]
-# This command runs the bandit security linter against the castellan
-# codebase minus the tests directory. Some tests are being excluded to
-# reduce the number of positives before a team inspection, and to ensure a
-# passing gate job for initial addition. The excluded tests are:
-# B105-B107: hardcoded password checks - likely to generate false positives
-#            in a gate environment
-# B607: start process with a partial path - this should be a project level
-#       decision
-commands =
-  bandit -r castellan -x tests -s B105,B106,B107,B607
 
 [testenv:venv]
 commands = {posargs}