Add a bandit environment to tox

This change is being proposed as part of the OpenStack Security Project working session at the Austin 2016 summit. It adds support for running the bandit[1] security linting tool against the Castellan codebase. This change adds a targetted environment for bandit and also adds bandit as part of the pep8 job. The bandit configuration has been tailored to exclude tests that are currently producing warning against the codebase. These issues will be followed up with bug reports and patches. At the time of submission, Castellan passes all Bandit tests configured in tox. [1]: https://wiki.openstack.org/wiki/Security/Projects/Bandit Change-Id: I19368d3440ad5dc862e7d91f7890f9b1901fced3
2016-04-28 15:36:05 -05:00 · 2016-04-28 15:36:05 -05:00 · dd6ad90e01
parent 46a80444c1
commit dd6ad90e01
2 changed files with 16 additions and 1 deletions
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -13,3 +13,4 @@ oslotest>=1.10.0 # Apache-2.0
 testrepository>=0.0.18 # Apache-2.0/BSD
 testscenarios>=0.4 # Apache-2.0/BSD
 testtools>=1.4.0 # MIT
+bandit>=1.0.1 # Apache-2.0
--- a/tox.ini
+++ b/tox.ini
@ -14,7 +14,21 @@ deps = -r{toxinidir}/requirements.txt
 commands = python setup.py testr --slowest --testr-args='{posargs}'

 [testenv:pep8]
-commands = flake8
+commands =
+  flake8
+  bandit -r castellan -x tests -s B105,B106,B107,B607
+
+[testenv:bandit]
+# This command runs the bandit security linter against the castellan
+# codebase minus the tests directory. Some tests are being excluded to
+# reduce the number of positives before a team inspection, and to ensure a
+# passing gate job for initial addition. The excluded tests are:
+# B105-B107: hardcoded password checks - likely to generate false positives
+#            in a gate environment
+# B607: start process with a partial path - this should be a project level
+#       decision
+commands =
+  bandit -r castellan -x tests -s B105,B106,B107,B607

 [testenv:venv]
 commands = {posargs}