Add lint with bandit in CI

Author: flashcode

.github/workflows/ci.yml

@@ -37,13 +37,16 @@ jobs:
           sudo apt-get install gettext aspell aspell-fr enchant
           python -m pip install --upgrade pip
           pip install -r requirements.txt
-          pip install flake8 pylint pytest coverage pytest-cov
+          pip install bandit coverage flake8 pylint pytest pytest-cov
 
       - name: Lint with flake8
         run: make flake8
 
       - name: Lint with pylint
         run: make pylint
 
+      - name: Lint with bandit
+        run: make bandit
+
       - name: Test with pytest
         run: make test

ChangeLog.md

@@ -4,6 +4,7 @@
 
 - Drop Python 2 support, Python 3.6 is now required.
 - Add support for Chinese full-stop.
+- Add lint with bandit in CI.
 
 ## Version 3.1 (2020-03-07)
 

Makefile

@@ -21,7 +21,7 @@ all: check
 
 check: lint test
 
-lint: flake8 pylint
+lint: flake8 pylint bandit
 
 flake8:
 	flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
@@ -31,5 +31,8 @@ pylint:
 	pylint --disable=W0511,R0205 msgcheck
 	pylint --disable=W0511,R0205 tests
 
+bandit:
+	bandit -r msgcheck
+
 test:
 	pytest -vv --cov-report term-missing --cov=msgcheck tests

msgcheck/po.py

@@ -25,7 +25,7 @@
 from codecs import escape_decode
 import os
 import re
-import subprocess
+import subprocess  # nosec
 import tempfile
 
 # enchant module is optional, spelling is checked on demand
@@ -461,7 +461,7 @@ def compile(self):
         """
         output = ''
         try:
-            output = subprocess.check_output(
+            output = subprocess.check_output(  # nosec
                 ['msgfmt', '-c', '-o', '/dev/null', self.filename],
                 stderr=subprocess.STDOUT)
         except subprocess.CalledProcessError as exc: