Add bandit scan to pre-commit hooks #297
Conversation
There was a problem hiding this comment.
Thank you for adding this security scanner. But we cannot enable it unless the pre-commit issues that it finds are dealt with. There are clearly false-positives when it comes to accidentally shared secrets. Here's an example bandit finding for a piece of code that I've contributed recently:
>> Issue: [B107:hardcoded_password_default] Possible hardcoded password: 'token'
Severity: Low Confidence: Medium
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
Location: did/base.py:478:0
More Info: https://bandit.readthedocs.io/en/0.0.0/plugins/b107_hardcoded_password_default.html
477
478 def get_token(
479 config: dict,
480 token_key: str = "token",
481 token_file_key: str = "token_file") -> str:
482 """
I suggest to add exceptions or find another solution to similar findings.
sandrobonazzola
force-pushed
the
bandit-config
branch
from
be72b6d
to
c117d44
Compare
sandrobonazzola
force-pushed
the
bandit-config
branch
from
c117d44
to
792cbb7
Compare
Adding bandit scanning to pre-commit hook and addressing initially reported issues Signed-off-by: Sandro Bonazzola <sbonazzo@redhat.com> Co-authored-by: Konrad Kleine <konrad.kleine@posteo.de>
sandrobonazzola
force-pushed
the
bandit-config
branch
from
792cbb7
to
f01f2e2
Compare
There was a problem hiding this comment.
Thank you addressing my concern but it gets quite noisy and I'm completely uncertain if this is really what we want: everytime the word token is used, we turn off security by given a comment # nosec. Not only is this noise but maybe bad if there was really a security problem. I mean what happens the next token function is implemented? Do we disable security there as well? That's quite unfortunate, don't you think?
|
abandoning |
Adding Bandit scan to pre-commit hooks.
Signed-off-by: Sandro Bonazzola sbonazzo@redhat.com