Merge "Introduce bandit security linter"

This commit is contained in:
Zuul 2020-01-14 03:58:49 +00:00 committed by Gerrit Code Review
commit a03e6527b9
4 changed files with 35 additions and 0 deletions


@ -9,7 +9,31 @@
jobs:
- cyborg-tempest
- cyborg-tempest-ipv6-only
- cyborg-tox-bandit:
voting: false
gate:
jobs:
- cyborg-tempest
- job:
name: cyborg-tox-bandit
parent: openstack-tox
timeout: 2400
vars:
tox_envlist: bandit
required-projects:
- openstack/requirements
irrelevant-files: &gate-irrelevant-files
- ^(test-|)requirements.txt$
- ^.*\.rst$
- ^api-ref/.*$
- ^cyborg/cmd/status\.py$
- ^cyborg/hacking/.*$
- ^cyborg/tests/functional.*$
- ^cyborg/tests/unit.*$
- ^doc/.*$
- ^etc/.*$
- ^releasenotes/.*$
- ^setup.cfg$
- ^tools/.*$
- ^tox.ini$
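Review bot: The irrelevant-files list of cyborg-tox-bandit excludes `^tox.ini$` and `^(test-|)requirements.txt$`, yet the bandit command line is defined in tox.ini and the bandit version floor in test-requirements.txt, so a change to either would not re-run this job; those two patterns should not apply to it. The `&gate-irrelevant-files` anchor suggests the list is reused by other jobs outside this hunk, in which case the bandit job needs its own list rather than the shared one. The job is non-voting and runs only in check, which is a sensible first rollout, but it means findings stay advisory until a follow-up makes it voting.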


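--- /dev/null
+++ b/PLACEHOLDER-release-note-path
@@ -0,0 +1,7 @@
+---
+security:
+- |
+Introduce bandit check as the code security check, which can help us avoid
+possible security issues. For example, shell-related operations for drivers
+may be insecure. With bandit test, it can check the potential security
+issues.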


@ -4,6 +4,7 @@
hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
bandit>=1.6.0 # Apache-2.0
coverage>=3.6,!=4.4 # Apache-2.0
fixtures>=3.0.0 # Apache-2.0/BSD
mock>=2.0.0 # BSD


@ -100,5 +100,8 @@ builtins = _
enable-extensions = H106,H203,H904
exclude=.venv,.git,.tox,dist,doc,*lib/python*,*egg,build,*sqlalchemy/alembic/versions/*,demo/,releasenotes
[testenv:bandit]
commands = bandit -r cyborg -x cyborg/tests/* -n 5 -ll
[hacking]
local-check-factory = cyborg.hacking.checks.factory
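Review bot: The `-ll` flag on the bandit command limits the report to medium and high severity, so low-severity findings are dropped silently; given that the release note motivates the check with shell-related driver operations, and several of bandit's subprocess checks are reported at low severity, that threshold should be recorded next to the command, e.g. `# -ll: report medium/high severity only; revisit once the baseline is clean`. Note also that tox does not run commands through a shell, so `cyborg/tests/*` reaches bandit unexpanded and relies on bandit's own glob handling of `-x`, which as far as I can tell is present in the 1.6 line required by test-requirements. The context lines at the top of this hunk belong to a section whose header is outside the hunk.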