openssl_encrypt/.bandit.yaml at main · jahlives/openssl_encrypt · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
# Bandit configuration for openssl_encrypt
# Security-focused static analysis for cryptographic code

# Global settings
exclude_dirs:
  - '/tests'
  - '/tools'
  - '/build'
  - '/dist'
  - '/.git'
  - '/.pytest_cache'
  - '/__pycache__'
  - '/openssl_encrypt.egg-info'
  - '/openssl_encrypt/unittests'

# Tests to skip (by test ID)
skips:
  # Skip assert usage in test files (B101)
  - B101
  # Skip hardcoded password test - we have test passwords that are intentional
  - B106

# Tests to include - focus on crypto-specific security issues
tests:
  - B102  # exec_used
  - B103  # set_bad_file_permissions
  - B104  # hardcoded_bind_all_interfaces
  - B105  # hardcoded_password_string
  - B107  # hardcoded_password_default
  - B108  # hardcoded_tmp_directory
  - B110  # try_except_pass
  - B112  # try_except_continue
  - B113  # request_without_timeout
  - B201  # flask_debug_true
  - B202  # tarfile_unsafe_members
  - B301  # pickle
  - B302  # marshal
  - B303  # md5
  - B304  # ciphers
  - B305  # cipher_modes
  - B306  # mktemp_q
  - B307  # eval
  - B308  # mark_safe
  - B310  # urllib_urlopen
  - B311  # random
  - B312  # telnetlib
  - B313  # xml_bad_cElementTree
  - B314  # xml_bad_ElementTree
  - B315  # xml_bad_expatreader
  - B316  # xml_bad_expatbuilder
  - B317  # xml_bad_sax
  - B318  # xml_bad_minidom
  - B319  # xml_bad_pulldom
  - B320  # xml_bad_etree
  - B321  # ftplib
  - B323  # unverified_context
  - B324  # hashlib_insecure_functions
  - B401  # import_telnetlib
  - B402  # import_ftplib
  - B403  # import_pickle
  - B404  # import_subprocess
  - B405  # import_xml_etree
  - B406  # import_xml_sax
  - B407  # import_xml_expat
  - B408  # import_xml_minidom
  - B409  # import_xml_pulldom
  - B410  # import_lxml
  - B411  # import_xmlrpclib
  - B412  # import_httpoxy
  - B413  # import_pycrypto
  - B501  # request_with_no_cert_validation
  - B502  # ssl_with_bad_version
  - B503  # ssl_with_bad_defaults
  - B504  # ssl_with_no_version
  - B505  # weak_cryptographic_key
  - B506  # yaml_load
  - B507  # ssh_no_host_key_verification
  - B601  # paramiko_calls
  - B602  # subprocess_popen_with_shell_equals_true
  - B603  # subprocess_without_shell_equals_true
  - B604  # any_other_function_with_shell_equals_true
  - B605  # start_process_with_a_shell
  - B606  # start_process_with_no_shell
  - B607  # start_process_with_partial_path
  - B608  # hardcoded_sql_expressions
  - B609  # linux_commands_wildcard_injection
  - B610  # django_extra_used
  - B611  # django_rawsql_used
  - B701  # jinja2_autoescape_false
  - B702  # use_of_mako_templates
  - B703  # django_mark_safe

# Severity levels
severity:
  - high
  - medium
  - low

# Confidence levels
confidence:
  - high
  - medium
  - low

# Custom patterns for cryptographic security
# Additional rules specific to our use case
custom_rules:
  - name: "weak_random"
    pattern: "random\\.random|random\\.choice"
    message: "Use secrets module for cryptographic randomness"
  - name: "hardcoded_crypto_key"
    pattern: "key\\s*=\\s*['\"][a-zA-Z0-9]{16,}['\"]"
    message: "Potential hardcoded cryptographic key detected"

# Output format for CI integration
output_format: json

# Baseline file to ignore known issues
# baseline: .bandit.baseline