Bento supports user-defined checks written as a standard grep regex. To define your own checks add .bento-grep.yml
alongside your normal .bento.yml
file and add r2c.bandit:
to the tools
section of the .bento.yml
file.
When a valid .bento-grep.yml
and the check is enabled, Bento will run all regex paterns recursively over all your files not in the .bentoignore
file and report the findings under the r2c.grep
tool where you can archive, ignore, take any action just like a normal check.
patterns:
(required) - List[Pattern]
- a list of pattern objects
Each pattern is an object with these properties:
id
(required) - str
- user displayed string that identifies each pattern.
regex
(required) - str
- valid grep regex
message
(optional) - str
- message to display user. If not provided, the raw line that matched the regex will be used as the message.
file_extentions
- (optional) - List[str]
- list of glob strings. Passed directly to --include
in grep
exclude_dirs
- (optional) - List[str]
- list of source folders to exclude. Passed directly to --exclude-dir
in grep
. Prefer using .bentoignore
but for a specific folder for one Pattern this useful.
interface GrepConfig {
patterns: Patten[];
}
interface Pattern {
id: string;
regex: string;
message?: string;
file_extentions?: string[];
exclude_dirs?: string[];
}
patterns:
- id: "no-shell"
regex: "shell=True"
message: "Shell=True is scary and needs extra review"
file_extentions:
- "*.py"
- id: "no-md5"
regex: import md5
exclude_dirs:
- "src/web"