Turn on bandit check as part of pep8

Add bandit job as part of pep8 in tox.ini

Had to ignore assert check since those are use for performance in the
validation code. Also, skipped bandit checks of monasca_common/kafka_lib
since that is just a clone of kafka-python and will be deleted in the
future

Change-Id: Ie2e726a8e45ef463c4e863792eed663ee472ed07

test-requirements.txt

@@ -2,6 +2,7 @@
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
 # Hacking already pins down pep8, pyflakes and flake8
+bandit>=1.1.0  # Apache-2.0
 hacking<0.12,>=0.11.0 # Apache-2.0
 Babel>=2.3.4 # BSD
 coverage>=4.0 # Apache-2.0

tox.ini

@@ -22,11 +22,19 @@ commands =
   nosetests --with-coverage --cover-package=monasca_common/. --cover-erase
 
 [testenv:pep8]
-commands = flake8 monasca_common
+deps =
+  {[testenv]deps}
+commands =
+  {[testenv:flake8]commands}
+  {[bandit]commands}
 
 [testenv:venv]
 commands = {posargs}
 
+[testenv:flake8]
+commands =
+    flake8 monasca_common
+
 [flake8]
 max-complexity = 50
 max-line-length = 120
@@ -37,3 +45,9 @@ show-source = True
 # All of the below ignores are caused by the forked kafka-python library
 # so when monasca migrates to pykafka, the below line can be removed.
 ignore = E121,E126,E127,E128,E131,E221,E226,E241,E251,E261,E302,E303,E501,E701,F401,H101,H102,H301,H304,H306,H404,H405
+
+[bandit]
+commands =
+  # B101(assert_ussed) - Validation uses asserts because of performance reasons
+  # monasca_common/kafka_lib is a clone of kafka-python and will be deleted in the future
+  bandit -r monasca_common -n5 -s B101 -x monasca_common/tests -x monasca_common/kafka_lib