Background

With the bandit pre-commit hook now enabled at the standard --severity-level=low --confidence-level=low thresholds, there are 9 existing findings in this repo that will surface the next time somebody stages one of the affected Python files. They should be triaged (either fixed or annotated with # nosec BXXX + reason) before they block routine commits.

Breakdown

- High: 0
- Medium: 2
  - B108 insecure temp file in plugins/module_utils/bitwarden.py:146 - review whether tempfile.mkstemp() / mkdtemp() with proper cleanup is used, or annotate with justification
  - B604 shell=True in plugins/modules/ipauser.py:1047 - review whether the command can be a list (avoiding shell), or annotate
- Low: 7 (mostly B603/B404 subprocess noise - these Ansible module wrappers legitimately invoke subprocess for system management)

Acceptance criteria

- bandit --severity-level=low --confidence-level=low --skip B110,B112,B311 runs clean over the repo's Python files
- Every # nosec annotation has a short comment explaining why the rule does not apply in that context
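As an illustration of what the two Medium fixes and an acceptable # nosec annotation look like, here is an added, self-contained example. It is not code from this repository; the function names, the prefix "bw-", and the sample secret are assumptions made for the demo. It shows tempfile.mkstemp() with guaranteed cleanup in place of a hard-coded temp path (B108), an argv list in place of shell=True so that metacharacters in a parameter stay data (B604), and a # nosec B603 annotation that carries its justification inline, which is what the acceptance criteria ask for.

```python
import os
import subprocess
import sys
import tempfile


def write_secret_to_tempfile(secret: bytes) -> str:
    """Write `secret` to a temp file created by tempfile.mkstemp().

    mkstemp() opens the file with O_CREAT|O_EXCL and mode 0600, so no
    other local user can pre-create, race, or read it. That is the fix
    bandit expects for B108 instead of a hard-coded path under /tmp.
    The caller owns the returned path and must unlink it.
    """
    fd, path = tempfile.mkstemp(prefix="bw-", suffix=".tmp")  # prefix is an assumption
    try:
        os.write(fd, secret)
    finally:
        os.close(fd)
    return path


def with_secret_file(secret: bytes, consumer):
    """Create the temp file, hand its path to `consumer`, and always clean up."""
    path = write_secret_to_tempfile(secret)
    try:
        return consumer(path)
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass  # consumer already removed it; nothing left to clean


def demo_secret_roundtrip(secret: bytes):
    """Exercise the pattern end to end.

    Returns (bytes read back, file mode bits, whether the file still exists
    after cleanup) so the behaviour can be checked without printing.
    """
    seen = {}

    def consumer(path):
        with open(path, "rb") as fh:
            seen["data"] = fh.read()
        seen["mode"] = os.stat(path).st_mode & 0o777
        seen["path"] = path
        return seen["data"]

    with_secret_file(secret, consumer)
    return seen["data"], seen["mode"], os.path.exists(seen["path"])


def run_argv(argv: list) -> subprocess.CompletedProcess:
    """Run a command as an argv list instead of a shell string (B604 fix).

    Each element reaches the program verbatim, so ';', '|' or '$(...)' in a
    parameter are data, not syntax. The remaining B603 hit is annotated
    with the reason the rule does not apply, as the acceptance criteria ask.
    """
    if not argv or not all(isinstance(a, str) for a in argv):
        raise ValueError("argv must be a non-empty list of strings")
    return subprocess.run(  # nosec B603 - fixed argv list, no shell, arguments are data
        argv, capture_output=True, text=True, check=False
    )


def echo_arg_literally(value: str) -> str:
    """Show that a metacharacter-laden value survives the argv path unchanged."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value]
    return run_argv(argv).stdout


if __name__ == "__main__":
    print(demo_secret_roundtrip(b"hunter2"))        # constructed sample secret
    print(repr(echo_arg_literally("a; echo b")))     # constructed sample argument
```

The same shape applies to the Low findings: leave the subprocess call as a list and put the one-line reason on the # nosec comment rather than in a commit message, so the next bandit run and the next reader both see it.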