Add Bandit security scanning to CI (#100)

airbnb · Jan 10, 2018 · db857f3 · db857f3
1 parent 460d2cd
commit db857f3
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 10 deletions.
diff --git a/.bandit b/.bandit
@@ -0,0 +1,27 @@
+[bandit]
+# Skip the venv/ directory when scanning.
+exclude: venv
+
+# Skip the following tests:
+#
+# - [B303:blacklist] Use of insecure MD2, MD4, or MD5 hash function.
+#   Severity: Medium   Confidence: High
+#       We have to include MD5 file hashes for compatibility with other security tools,
+#       but we also include SHA256 hashes.
+#
+# - [B322:blacklist] On Python 2, use raw_input instead, input is safe in Python 3.
+#   Severity: High   Confidence: High
+#       The input() function is safe in Python 3.
+#
+# - [B404:blacklist] Consider possible security implications associated with subprocess module.
+#   Severity: Low   Confidence: High
+#       There are other warnings specific to subprocess calls (e.g. B603, B607)
+#
+# - [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
+#   Severity: Low   Confidence: High
+#       Subprocess is used primarily in the CLI and is safe from shell injection when shell=False.
+#
+# - [B607:start_process_with_partial_path] Starting a process with a partial executable path
+#   Severity: Low   Confidence: High
+#       For portability, we use 'terraform' and 'git' instead of the full executable filepaths.
+skips: B303,B322,B404,B603,B607
diff --git a/.pylintrc b/.pylintrc
@@ -127,7 +127,7 @@ const-rgx=(([A-Z_][A-Z0-9_]*)|(__.*__))$
 
 # Minimum line length for functions/classes that require docstrings, shorter
 # ones are exempt.
-docstring-min-length=2
+docstring-min-length=3
 
 # Naming hint for function names
 function-name-hint=(([a-z][a-z0-9_]{2,50})|(_[a-z0-9_]*))$

diff --git a/.travis.yml b/.travis.yml
@@ -8,8 +8,9 @@ install:
 script:
   - coverage run manage.py unit_test
   - coverage report  # Required coverage threshold specified in .coveragerc
-  - find . -name '*.py' -not -path './docs/source/*' -exec pylint '{}' +
+  - find . -name '*.py' -not -path './docs/source/*' -exec pylint '{}' +  # Config in .pylintrc
   - mypy . --ignore-missing-imports
+  - bandit -r .  # Configuration in .bandit
   - sphinx-build -W docs/source docs/build
 after_success:
   - coveralls
diff --git a/requirements.txt b/requirements.txt
@@ -1,18 +1,24 @@
 alabaster==0.7.10
-astroid==1.5.3
+asn1crypto==0.24.0
+astroid==1.6.0
 attrdict==2.0.0
 Babel==2.5.1
 backoff==1.4.3
-boto3==1.4.8
-botocore==1.8.9
+bandit==1.4.0
+boto3==1.5.11
+botocore==1.8.25
 cachetools==2.0.1
 cbapi==1.3.4
 certifi==2017.11.5
+cffi==1.11.2
 chardet==3.0.4
 coverage==4.4.2
 coveralls==1.2.0
+cryptography==2.1.4
 docopt==0.6.2
 docutils==0.14
+gitdb2==2.0.3
+GitPython==2.1.8
 idna==2.6
 imagesize==0.7.1
 isort==4.2.15
@@ -21,26 +27,31 @@ jmespath==0.9.3
 lazy-object-proxy==1.3.1
 MarkupSafe==1.0
 mccabe==0.6.1
-mypy==0.550
+mypy==0.560
+pbr==3.1.1
 pika==0.11.2
 ply==3.10
 prompt-toolkit==1.0.15
-protobuf==3.5.0.post1
-psutil==5.4.1
+protobuf==3.5.1
+psutil==5.4.3
+pycparser==2.18
 pyfakefs==3.3
 Pygments==2.2.0
 pyhcl==0.3.9
-pylint==1.7.4
+pylint==1.8.1
+pyOpenSSL==17.5.0
 python-dateutil==2.6.1
 pytz==2017.3
 PyYAML==3.12
 requests==2.18.4
 s3transfer==0.1.12
 six==1.11.0
+smmap2==2.0.3
 snowballstemmer==1.2.1
-Sphinx==1.6.5
+Sphinx==1.6.6
 sphinx-rtd-theme==0.2.4
 sphinxcontrib-websupport==1.0.1
+stevedore==1.28.0
 typed-ast==1.1.0
 urllib3==1.22
 wcwidth==0.1.7

diff --git a/requirements_top_level.txt b/requirements_top_level.txt
@@ -1,4 +1,5 @@
 backoff
+bandit
 boto3
 cbapi==1.3.4
 coverage