Add ruff S (flake8-bandit) security checks #383

Merged
blink1073 merged 1 commit into Calysto:main from blink1073:add-ruff-security
Mar 15, 2026

@blink1073
Contributor

References

Description

Enables the S (flake8-bandit) rule set in the ruff lint configuration to surface security-relevant patterns across the codebase.

Changes

  • Added "S" to extend-select in [tool.ruff.lint]
  • Globally suppressed rules inherent to a kernel/REPL system: S102 (exec), S307 (eval), S310 (URL open), S603 (subprocess), S604 (false positive on shell= dict key), S607 (partial executable path)
  • Added S101 and S108 to tests/** per-file-ignores (asserts and temp files are normal in tests)
  • Added # noqa comments for intentional patterns in source: S110/S112 (deliberate silent exception handling), S101 (type-narrowing asserts), S103 (intentional chmod modes)

Backwards-incompatible changes

None

Testing

just pre-commit passes cleanly.

AI usage

  • Some or all of the content of this PR was generated by AI.
  • The human author has carefully reviewed this PR and run this code.
  • AI tools and models used: Claude Sonnet 4.6

Enables the S rule set in ruff lint configuration. Rules inherent to a
kernel/REPL system (exec, eval, subprocess, URL open) are globally
suppressed; assert and temp-file warnings are suppressed in tests; and
remaining intentional patterns are annotated with inline noqa comments.
@blink1073 blink1073 enabled auto-merge (squash) March 15, 2026 14:47
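
An added example, not code from this PR or from the metakernel code base: because the change leaves inline `# noqa` comments for S110/S112, S101 and S103 in the source, a reviewer may want an inventory of them. The helper name `audit_noqa` is hypothetical and `SAMPLE` is constructed input; the function lists every suppression comment that hides an S rule and marks blanket or unexplained ones.

```python
import io
import re
import tokenize

# "# noqa" or "# noqa: S110, S112", optionally followed by a justification.
NOQA = re.compile(
    r"#\s*(?i:noqa)(?::\s*(?P<codes>[A-Z]+[0-9]+(?:[,\s]+[A-Z]+[0-9]+)*))?(?P<rest>.*)"
)

# Constructed sample, modelled on the patterns named in the PR description.
SAMPLE = '''\
import os

def cleanup(path):
    try:
        os.remove(path)
    except Exception:  # noqa: S110 - best-effort cleanup
        pass

def publish(path):
    os.chmod(path, 0o755)  # noqa: S103

def narrow(x):
    assert x is not None  # noqa
    return "# noqa: S307 inside a string is not a suppression"
'''

def audit_noqa(source):
    """Return one record per comment that suppresses a flake8-bandit (S) rule."""
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue  # "# noqa" text inside a string literal is not a comment
        m = NOQA.search(tok.string)
        if not m:
            continue
        codes = re.findall(r"[A-Z]+[0-9]+", m.group("codes") or "")
        blanket = not codes  # a bare "# noqa" hides every rule, S included
        # Exactly S + three digits, so SIM/SLF/SLOT codes are not counted.
        s_codes = [c for c in codes if re.fullmatch(r"S[0-9]{3}", c)]
        if blanket or s_codes:
            findings.append({
                "line": tok.start[0],
                "codes": s_codes,
                "blanket": blanket,
                "justified": bool(m.group("rest").strip(" -#")),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_noqa(SAMPLE):
        print(finding)
```

Rules ignored globally or per file in the ruff configuration leave no inline comment, so they have to be reviewed in the configuration itself.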
@codecov

codecov Bot commented Mar 15, 2026

Codecov Report

❌ Patch coverage is 89.47368% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.86%. Comparing base (eef5599) to head (70bd931).
⚠️ Report is 1 commits behind head on main.

Files with missing lines     Patch %   Lines
metakernel/_metakernel.py    0.00%     2 Missing ⚠️

❌ Your patch status has failed because the patch coverage (89.47%) is below the target coverage (95.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #383   +/-   ##
=======================================
  Coverage   90.86%   90.86%           
=======================================
  Files          51       51           
  Lines        2957     2957           
  Branches      414      414           
=======================================
  Hits         2687     2687           
  Misses        190      190           
  Partials       80       80           
Files with missing lines               Coverage Δ
metakernel/magic.py                    95.31% <100.00%> (ø)
metakernel/magics/activity_magic.py    91.17% <100.00%> (ø)
metakernel/magics/help_magic.py        86.36% <100.00%> (ø)
metakernel/magics/macro_magic.py       100.00% <100.00%> (ø)
metakernel/magics/parallel_magic.py    98.74% <100.00%> (ø)
metakernel/magics/shell_magic.py       72.13% <100.00%> (ø)
metakernel/parser.py                   95.93% <100.00%> (ø)
metakernel/process_metakernel.py       97.47% <100.00%> (ø)
metakernel/_metakernel.py              92.17% <0.00%> (ø)

@blink1073 blink1073 disabled auto-merge March 15, 2026 14:51
@blink1073 blink1073 merged commit 936d5c1 into Calysto:main Mar 15, 2026
25 of 28 checks passed
@blink1073 blink1073 deleted the add-ruff-security branch March 15, 2026 14:51