.bandit.yaml
# =============================================================================
# Bandit Configuration
# =============================================================================
#
# Python security linter for finding common security issues.
# Documentation: https://bandit.readthedocs.io/
#
# This file is portable - copy to other repos without modification.
#
# -----------------------------------------------------------------------------
# Usage
# -----------------------------------------------------------------------------
#
# Scan source directory:
# bandit -r src/ -c .bandit.yaml
#
# Scan with verbose output:
# bandit -r src/ -c .bandit.yaml -v
#
# Generate report (JSON):
# bandit -r src/ -c .bandit.yaml -f json -o bandit-report.json
#
# List all available tests:
# bandit --list
#
# -----------------------------------------------------------------------------
# Severity Levels
# -----------------------------------------------------------------------------
#
# LOW: Informational, low impact
# MEDIUM: Possible security issue, should investigate
# HIGH: Likely security vulnerability, requires attention
#
# -----------------------------------------------------------------------------
# Confidence Levels
# -----------------------------------------------------------------------------
#
# LOW: Uncertain detection, may be false positive
# MEDIUM: Likely correct, review recommended
# HIGH: Very likely a real issue
#
# =============================================================================

# =============================================================================
# Excluded Directories
# =============================================================================
#
# Directories to skip during scanning.
# Typically excludes tests, dependencies, and development artifacts.
#
# -----------------------------------------------------------------------------
exclude_dirs:
# Test directories (assertions and test data are expected)
- tst
- tests
# Development scratch directories
- bup
- wip
- tmp
# Django migrations (auto-generated, not security-relevant)
- migrations
# Dependencies (scanned separately or not our code)
- node_modules
- .venv
- venv

# =============================================================================
# Skipped Tests
# =============================================================================
#
# Test IDs to skip globally. Use sparingly - prefer inline # nosec comments
# for specific false positives.
#
# Test ID Reference: https://bandit.readthedocs.io/en/latest/plugins/
#
# Format: B### where ### is the test number
#
# Common categories:
# B1xx: Miscellaneous tests
# B2xx: Application/framework-specific
# B3xx: Blacklists (dangerous function calls)
# B4xx: Cryptographic issues
# B5xx: Shell injection risks
# B6xx: SSH/XML issues
# B7xx: Django/Flask-specific
#
# -----------------------------------------------------------------------------
skips:
# -------------------------------------------------------------------------
# B101: assert_used
# -------------------------------------------------------------------------
# Using assert statements for validation.
# Asserts are stripped in optimized bytecode (python -O), but we use them
# intentionally in tests and for internal invariant checks.
# Skip: Tests use assert; non-test asserts should use proper validation.
- B101
# -------------------------------------------------------------------------
# B311: random
# -------------------------------------------------------------------------
# Using pseudo-random generators (random module).
# The random module is NOT cryptographically secure, but is fine for:
# - Test data generation
# - UI shuffling
# - Non-security randomness
# Skip: We don't use random for security-sensitive operations.
- B311
# -------------------------------------------------------------------------
# B601: paramiko_calls
# -------------------------------------------------------------------------
# Paramiko SSH library usage.
# Skip: This project doesn't use Paramiko.
- B601

# =============================================================================
# Per-File Ignores (Alternative to skips)
# =============================================================================
#
# Instead of global skips, you can use inline comments:
#
# assert user.is_authenticated  # nosec B101 - nosec must sit on the flagged line
#
# result = random.choice(items) # nosec B311 - not security-sensitive
#
# Or configure per-file in pyproject.toml:
#
# [tool.bandit.assert_used]
# skips = ["**/test_*.py", "**/conftest.py"]
#
# =============================================================================
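The B101 rationale above (asserts are stripped under `python -O`, so only tests may rely on them and non-test code needs real validation) demonstrated in Python, as an added example that is not part of this config file or of Bandit itself; `User`, `guard_with_assert` and `guard_with_check` are constructed names, and `compile(..., optimize=1)` stands in for running the interpreter with `-O`.

```python
"""Added example (not part of .bandit.yaml or Bandit): why B101 is skipped
only for tests. Compiling with optimize=1 mirrors ``python -O`` and shows an
assert-based check vanishing while an exception-based check survives."""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_authenticated: bool


# Kept as a string so it can be compiled at two optimisation levels:
# compile(..., optimize=1) strips assert statements, as ``python -O`` does.
VALIDATORS_SRC = '''
def guard_with_assert(user):
    # What B101 flags outside tests: this line vanishes under -O.
    assert user.is_authenticated, "not authenticated"
    return f"secret for {user.name}"

def guard_with_check(user):
    # Proper validation survives -O, so there is nothing for Bandit to flag.
    if not user.is_authenticated:
        raise PermissionError("not authenticated")
    return f"secret for {user.name}"
'''


def load_validators(optimize: int) -> dict:
    """Compile the validators at the given level and return their namespace."""
    ns: dict = {}
    code = compile(VALIDATORS_SRC, "<validators>", "exec", optimize=optimize)
    exec(code, ns)  # nosec B102 - constant, trusted source string above
    return ns


def outcome(func_name: str, optimize: int) -> str:
    """Run one validator against an unauthenticated guest; report the result."""
    guest = User(name="guest", is_authenticated=False)  # constructed sample
    try:
        load_validators(optimize)[func_name](guest)
        return "allowed"
    except (AssertionError, PermissionError) as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for level in (0, 1):  # 0 = plain python, 1 = python -O
        print(level, outcome("guard_with_assert", level), outcome("guard_with_check", level))
```

Under `optimize=1` the assert-based guard admits the unauthenticated guest, which is exactly the case the config's note means by "non-test asserts should use proper validation".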