Add a bandit environment to tox
This change is being proposed as part of the OpenStack Security Project
working session at the Austin 2016 summit. It adds support for running
the bandit[1] security linting tool against the Castellan codebase.
This change adds a targetted environment for bandit and also adds
bandit as part of the pep8 job.
The bandit configuration has been tailored to exclude tests that are
currently producing warning against the codebase. These issues will be
followed up with bug reports and patches.
At the time of submission, Castellan passes all Bandit tests configured
in tox.
[1]: https://wiki.openstack.org/wiki/Security/Projects/Bandit
Change-Id: I19368d3440ad5dc862e7d91f7890f9b1901fced3
Robert Clark
7 years ago
| 12 | 12 |
testrepository>=0.0.18 # Apache-2.0/BSD
|
| 13 | 13 |
testscenarios>=0.4 # Apache-2.0/BSD
|
| 14 | 14 |
testtools>=1.4.0 # MIT
|
|
15 |
bandit>=1.0.1 # Apache-2.0
|
| 13 | 13 |
commands = python setup.py testr --slowest --testr-args='{posargs}'
|
| 14 | 14 |
|
| 15 | 15 |
[testenv:pep8]
|
| 16 | |
commands = flake8
|
|
16 |
commands =
|
|
17 |
flake8
|
|
18 |
bandit -r castellan -x tests -s B105,B106,B107,B607
|
|
19 |
|
|
20 |
[testenv:bandit]
|
|
21 |
# This command runs the bandit security linter against the castellan
|
|
22 |
# codebase minus the tests directory. Some tests are being excluded to
|
|
23 |
# reduce the number of positives before a team inspection, and to ensure a
|
|
24 |
# passing gate job for initial addition. The excluded tests are:
|
|
25 |
# B105-B107: hardcoded password checks - likely to generate false positives
|
|
26 |
# in a gate environment
|
|
27 |
# B607: start process with a partial path - this should be a project level
|
|
28 |
# decision
|
|
29 |
commands =
|
|
30 |
bandit -r castellan -x tests -s B105,B106,B107,B607
|
| 17 | 31 |
|
| 18 | 32 |
[testenv:venv]
|
| 19 | 33 |
commands = {posargs}
|