Merge "Add Bandit non-voting job"

.zuul.yaml

@@ -60,6 +60,21 @@
       tempest_test_regex: horizon
       tox_envlist: all
 
+- job:
+    # Security testing for known issues
+    name: horizon-tox-bandit-baseline
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit-baseline
+    irrelevant-files:
+      - ^.*\.rst$
+      - ^.*\locale/.*$
+      - ^doc/.*$
+      - ^releasenotes/.*$
+      - ^setup.cfg$
+      - ^tools/.*$
+
 - project:
     check:
       jobs:
@@ -68,6 +83,8 @@
             voting: false
         - horizon-dsvm-tempest-plugin
         - openstack-tox-lower-constraints
+        - horizon-tox-bandit-baseline:
+            voting: false
     gate:
       jobs:
         - horizon-openstack-tox-python3-django111

test-requirements.txt

@@ -9,6 +9,7 @@
 # Hacking should appear first in case something else depends on pep8
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 #
+bandit>=1.4.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 doc8>=0.6.0 # Apache-2.0
 flake8-import-order==0.12 # LGPLv3

tox.ini

@@ -177,6 +177,13 @@ application-import-names = horizon,openstack_dashboard
 [hacking]
 local-check-factory = horizon.hacking.checks.factory
 
+[testenv:bandit]
+commands = bandit -r horizon openstack_auth openstack_dashboard -n5 -x tests -ll
+
+[testenv:bandit-baseline]
+envdir = {toxworkdir}/bandit
+commands = bandit-baseline -r horizon  openstack_auth openstack_dashboard -n5 -x tests -ii -ll
+
 [doc8]
 # File extensions to check
 extensions = .rst, .yaml