feat: more ruff rules and bandit

pstorozenko · pstorozenko · commit 4e478f154f73 · 2024-03-14T13:36:44.000+01:00
More ruff rules added and bandit added
Modified GH action to run bandit
diff --git a/.github/workflows/pyshiny-tests.yaml b/.github/workflows/pyshiny-tests.yaml
@@ -1,19 +1,18 @@
-name: 'Test App E2E'
-on: # rebuild any PRs and main branch changes
+name: 'Test PyShiny App'
+on:
   pull_request:
   push:
     branches:
       - main
 
 jobs:
-  build:
+  test:
     runs-on: ubuntu-latest
     steps:
-
       - name: Checkout (GitHub)
         uses: actions/checkout@v3
 
       - name: Build and run dev container tests
         uses: devcontainers/ci@v0.3
         with:
-          runCmd: poetry run pytest
+          runCmd: ./run_tests_and_bandit.sh
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -31,6 +31,7 @@ playwright = "^1.42.0"
 pytest-playwright = "^0.4.4"
 requests = "^2.31.0"
 tenacity = "^8.2.3"
+bandit = "^1.7.8"
 
 [build-system]
 requires = ["poetry-core"]
diff --git a/ruff.toml b/ruff.toml
@@ -2,6 +2,32 @@ target-version = "py310"
 line-length = 120
 
 [lint]
-select = ["B", "E", "F", "I", "ISC", "NPY", "PT", "PTH", "RUF", "UP"]
-unfixable = ["B"]
-ignore = ["ISC001"]
+select = [
+  "I",   # isort: Import sorting
+  "S",   # flake8-bandit: Security checks from Bandit
+  "B",   # flake8-bugbear: Finds likely bugs and design problems in your program
+  "PT",  # flake8-pytest-style: PyTest style checks
+  "DTZ", # flake8-datetimez: Checks for correct datetime usage
+  "ISC", # flake8-implicit-str-concat: Checks for implicitly concatenated strings in a list
+  "RET", # flake8-return: Checks return values
+  "PTH", # flake8-use-pathlib: Encourages the use of pathlib over os.path
+  "N",   # pep8-naming: Naming convention checks
+  "E",   # pycodestyle errors: Checks against PEP 8 errors
+  "F",   # Pyflakes: Checks for various errors
+  "UP",  # pyupgrade: Checks for older syntax versions and suggests upgrades
+  "NPY", # NumPy-specific rules
+  "PD",  # pandas-vet: Checks for pandas best practices and potential errors
+  "RUF", # Ruff-specific rules: Rules specific to Ruff
+]
+unfixable = [
+  "B", # Marking flake8-bugbear as unfixable, indicating that these warnings should be manually reviewed
+]
+ignore = [
+  "ISC001" # ruff recommends disabling the rule
+]
+
+[lint.per-file-ignores]
+"tests/*" = [
+  "S101", # Security check: assert statements
+  "S311", # Security check: random
+]
diff --git a/run_tests_and_bandit.sh b/run_tests_and_bandit.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# This script is for Github Action purposes.
+# You cannot run multiple commands with runCmd in devcontainers/ci@v0.3 action
+# Hence, this script is created to run the tests and bandit.
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+echo "Running pytest..."
+poetry run pytest
+
+echo "Running Bandit..."
+poetry run bandit -r pyshiny_template
diff --git a/tests/playwirght/conftest.py b/tests/playwirght/conftest.py
@@ -12,7 +12,7 @@
 
 @retry(wait=wait_fixed(0.5), stop=stop_after_delay(10))
 def wait_for_server_to_start(url):
-    response = requests.get(url)
+    response = requests.get(url)  # noqa: S113
     response.raise_for_status()  # Will raise an exception if the request is unsuccessful, i.e. server is not ready
 
 
