gabrielfalcao/bento

Find bugs delightfully fast without changing your workflow

Installation · Motivations · Usage · Integrations · Bento Checks · Help & Community

Bento is a free bug-finding tool that runs locally when you commit code. It has speciality checks for common Python 3 web frameworks and OSS checks for JavaScript, TypeScript, Docker, and shell files.

  • Find bugs that matter. Bento runs its own checks and OSS tools to catch actual bugs. It never reports style-related issues and its checks are chosen based on performance across the PyPI and npm ecosystems.
  • Keep your workflow. Unlike other tools you won’t have to fix existing bugs to adopt Bento. It takes 30 seconds to get started and coding again.
  • Go delightfully fast. Bento runs its tools in parallel, not sequentially, on the code you’ve changed. Its jobs run entirely locally when you commit your code.

[Animation: Bento running in a terminal]

Installation

$ pip3 install bento-cli

Bento requires Python 3.6+ and works on macOS Mojave (10.14) and Ubuntu 18.04+.

Motivations

See our Bento introductory blog post to learn the full story.

r2c is on a quest to make world-class security and bugfinding available to all developers, for free. We’ve learned that most developers have never heard of—let alone tried—tools that find deep flaws in code: like Codenomicon, which found Heartbleed, or Zoncolan at Facebook, which finds more top-severity security issues than any human effort. These tools find severe issues and also save tons of time, identifying hundreds of thousands of issues before humans can. Bento is a step towards universal access to tools like these.

We’re also big proponents of opinionated tools like Black and Prettier. This has two implications: Bento ignores style-related issues and the bikeshedding that comes with them, and it ships with a curated set of checks that we believe are high signal and bug-worthy. See Three things your linter shouldn’t tell you for more details on our decision making process.

Usage

Getting Started

From the root directory of a project:

$ bento init

Bento is at its best when run automatically. See Integrations for details.

Upgrading

Run the following commands to upgrade Bento:

$ pip3 install --upgrade bento-cli
$ cd <PROJECT DIRECTORY>
$ rm -r .bento* && bento init
$ git add .bento* && git commit -m "Upgrade Bento configs"

Command Line Options

$ bento --help

Usage: bento [OPTIONS] COMMAND [ARGS]...

Options:
  -h, --help             Show this message and exit.
  --version              Show current version bento.
  --base-path DIRECTORY  Path to the directory containing the code, as well as
                         the .bento.yml file.
  --agree                Automatically agree to terms of service.
  --email TEXT           Email address to use while running this command
                         without global configs e.g. in CI

Commands:
  archive       Adds all current findings to the whitelist.
  check         Checks for new findings.
  disable       Turn OFF a tool or check.
  enable        Turn ON a tool or check.
  init          Autodetects and installs tools.
  install-hook  Installs Bento as a git pre-commit hook.

  To get help for a specific command, run `bento COMMAND --help`

Exit Codes

bento check may exit with the following exit codes:

  • 0: Bento ran successfully and found no errors
  • 2: Bento ran successfully and found issues in your code
  • 3: Bento or one of its underlying tools failed to run

Integrations

Running Bento in CI

If you use CircleCI, add the following job:

version: 2.1

jobs:
  bentoCheck:
    # A plain image goes under `docker:`; `executor:` expects the name of a
    # declared or orb-provided executor, not an image string.
    docker:
      - image: circleci/python:3.7.4-stretch-node
    steps:
      - checkout
      - run:
          name: "Install Bento"
          command: pip3 install bento-cli && bento --version
      - run:
          name: "Run Bento check"
          command: bento --agree --email <YOUR_EMAIL> check

# Jobs other than `build` only run when listed in a workflow.
workflows:
  bento:
    jobs:
      - bentoCheck

Otherwise, you can simply install and run Bento in CI with the following commands:

$ pip3 install bento-cli && bento --version
$ bento --agree --email <YOUR_EMAIL> check

bento check will exit with a non-zero exit code if it finds issues in your code (see Exit Codes). To suppress this behaviour you can append || true so the step always succeeds; note that this also hides exit code 3, i.e. the case where Bento or one of its tools failed to run:

$ bento --agree --email <YOUR_EMAIL> check || true

Otherwise, address the issues or archive them with bento archive.
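The following POSIX sh wrapper is an added example and not part of the Bento project. It runs the check command and acts on the three exit codes listed under Exit Codes, so that a findings-only failure can be downgraded to a warning in CI while a scanner that could not run (exit 3) still fails the build instead of being swallowed by || true. The function names, the warn/fail policy and the `sh -c 'exit N'` stub used in the demo are assumptions made here; the real command would be `bento --agree --email <YOUR_EMAIL> check`.

```shell
#!/bin/sh
# Added example, not Bento's own code: act on bento's documented exit codes
# (0 clean, 2 findings, 3 Bento or a tool failed to run) instead of masking
# all of them with `|| true`.

# Map an exit status from `bento check` to a label (codes per the README).
bento_exit_label() {
  case "$1" in
    0) echo "clean" ;;
    2) echo "findings" ;;
    3) echo "tool-failure" ;;
    *) echo "unknown" ;;
  esac
}

# run_bento_check POLICY COMMAND...
#   POLICY  "fail": findings fail the build (exit 2 is passed through)
#           "warn": findings are reported on stderr but the step succeeds
#   Exit 3 (the scanner itself could not run) is never turned into success,
#   so a broken tool cannot silently produce a green build.
#   COMMAND is normally: bento --agree --email <YOUR_EMAIL> check
run_bento_check() {
  policy="$1"
  shift
  # Capture the status in an `if` so a non-zero exit does not trip `set -e`.
  if "$@"; then
    status=0
  else
    status=$?
  fi
  label=$(bento_exit_label "$status")
  case "$label" in
    clean)
      return 0 ;;
    findings)
      if [ "$policy" = "warn" ]; then
        echo "bento: findings present; not failing the build (policy=warn)" >&2
        return 0
      fi
      echo "bento: findings present; failing the build" >&2
      return 2 ;;
    tool-failure)
      echo "bento: scanner failed to run (exit 3); failing the build" >&2
      return 3 ;;
    *)
      echo "bento: unexpected exit status $status; failing the build" >&2
      return "$status" ;;
  esac
}

# Stand-alone demonstration with a stub in place of bento so it runs offline:
# `sh -c 'exit 2'` stands in for a check that found issues (constructed input).
if [ "${1:-}" = "--demo" ]; then
  run_bento_check warn sh -c 'exit 2'
  echo "warn policy returned $?"
fi
```

In CI, replace the `|| true` line with `run_bento_check warn bento --agree --email <YOUR_EMAIL> check` to keep the build green on findings only; the same function can sit in a pre-commit hook with the `fail` policy so that both findings and a non-running scanner block the commit.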

If you need help setting up Bento with another CI provider please open an issue. Documentation PRs welcome if you set up Bento with a CI provider that isn't documented here!

Running Bento as a Git Hook

Bento can automatically analyze your staged files when git commit is run. Configured as a Git pre-commit hook, Bento ensures every commit to your project is vetted and that no new issues have been introduced to the codebase.

To install Bento as a Git hook:

$ bento install-hook

If Git hooks ever incorrectly block your commit, you can skip them by passing the --no-verify flag at commit-time (use this sparingly):

$ git commit --no-verify

Bento’s Git hook can save the round-trip time involved with fixing a failed build if you’re using Bento in CI.

Bento Checks

Bento finds common security, correctness, and performance mistakes in projects containing Flask, Requests, and Boto 3. We’re inspired by tools that help ensure correct and safe framework use, like eslint-plugin-react. Learn more about Bento’s speciality checks at checks.bento.dev.

Help and Community

Need help or want to share feedback? We’d love to hear from you!

We’re constantly shipping new features and improvements.

We’re fortunate to benefit from the contributions of the open source community and great projects such as Bandit, ESLint, Flake8, and their plugins. 🙏

License and Legal

Please refer to the terms and privacy document.




Copyright (c) r2c.
