pre-commit: Integrate bandit

Co-Authored-By: Stephen Finucane <sfinucan@redhat.com>
Change-Id: I8ce1724bb1f7eab88204d350616bf59d910ea57d

.pre-commit-config.yaml

@@ -23,3 +23,8 @@ repos:
     hooks:
       - id: hacking
         additional_dependencies: []
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.6
+    hooks:
+      - id: bandit
+        args: ['-x', 'tests', '-s', 'B105']

test-requirements.txt

@@ -7,5 +7,4 @@ stestr>=2.0.0 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 testscenarios>=0.4 # Apache-2.0/BSD
 testtools>=2.2.0 # MIT
-bandit>=1.6.0,<1.7.0 # Apache-2.0
 pifpaf>=0.10.0 # Apache-2.0

tox.ini

@@ -22,18 +22,6 @@ commands =
   pre-commit run -a
   bandit -r castellan -x tests -s B105,B106,B107,B607
 
-[testenv:bandit]
-# This command runs the bandit security linter against the castellan
-# codebase minus the tests directory. Some tests are being excluded to
-# reduce the number of positives before a team inspection, and to ensure a
-# passing gate job for initial addition. The excluded tests are:
-# B105-B107: hardcoded password checks - likely to generate false positives
-#            in a gate environment
-# B607: start process with a partial path - this should be a project level
-#       decision
-commands =
-  bandit -r castellan -x tests -s B105,B106,B107,B607
-
 [testenv:venv]
 commands = {posargs}