Merge pull request #1833 from UlrichB22/bandit_pre

Add pre-commit for bandit security scan
moinwiki · Jan 30, 2025 · 1f01d31 · 1f01d31
2 parents efc5ccb + a36b000
commit 1f01d31
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 10 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,9 +1,15 @@
 repos:
 - repo: https://github.com/psf/black
-  rev: 24.3.0
+  rev: 24.10.0
   hooks:
   - id: black
 - repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.3.5
+  rev: v0.9.3
   hooks:
   - id: ruff
+- repo: https://github.com/PyCQA/bandit
+  rev: 1.8.2
+  hooks:
+  - id: bandit
+    args: ["-c", "pyproject.toml"]
+    additional_dependencies: ["bandit[toml]"]
diff --git a/docs/devel/development.rst b/docs/devel/development.rst
@@ -121,26 +121,36 @@ add more tools, exercise tools
 
 install pre-commit hooks
 ------------------------
-Setup Black and Ruff pre-commit hooks::
 
-    pre-commit install  # pre-commit is used for code linting / auto-format
+Some tools will inspect your changes as part of Git commit processing.
 
-Black and Ruff will inspect your changes as part of Git commit processing. If your code
+* Black formats Python code to make it consistent and readable according to PEP 8 guidelines.
+* Ruff is a linter that detects style issues, errors and potential problems.
+* Bandit analyzes the code for possible security vulnerabilities and potential risks.
+
+Setup pre-commit hooks::
+
+    pre-commit install
+
+If your code
 change violates Black's coding standards (a changed line of code is > 120 characters) Black will
 update the file and fail the commit. Your repo will have 2 versions of the offending file:
 the staged file with your changes and an unstaged version with Black's corrections.
 
-To fix, unstage the file to merge your channges into Black's version, then restage the
+To fix, unstage the file to merge your changes into Black's version, then restage the
 file and rerun commit.
 
-If Ruff finds an error, it will create an error message and fail the commit. In this case,
-unstage the offending file, fix the error, restage the file and rerun commit.
+If Ruff or Bandit find errors, they will create error messages and cause the commit to fail. In this case,
+unstage the offending file, fix the errors, restage the file and rerun commit.
 
 Note that these same checks are made as part of GitHub push-merge processing.
 If there is an error the merge will fail. Fix the error, restage the file, and commit.
 
-Read more about Black at https://black.readthedocs.io/en/stable/index.html.
-Read more about Ruff at https://github.com/astral-sh/ruff?tab=readme-ov-file#ruff.
+Read more about
+
+* Black at https://black.readthedocs.io/en/stable/index.html
+* Ruff at https://github.com/astral-sh/ruff?tab=readme-ov-file#ruff
+* Bandit at https://bandit.readthedocs.io/en/latest/
 
 review configuration options
 ----------------------------

diff --git a/pyproject.toml b/pyproject.toml
@@ -159,6 +159,10 @@ unfixable = []
 "src/moin/config/default.py" = ["F401", "F403"]
 "src/moin/datastructures/__init__.py" = ["F401"]
 
+[tool.bandit]
+exclude_dirs = ["quickinstall.py", "*/_tests/*"]
+skips = ["B101", "B105", "B106", "B307", "B311", "B403", "B608"]
+
 [tool.tox]
 legacy_tox_ini = """
 # tox configuration - if you change anything here, run this to verify: