From a36b00052f291bd5566270a316b6362e75c12c7f Mon Sep 17 00:00:00 2001
From: UlrichB22 <97119703+UlrichB22@users.noreply.github.com>
Date: Mon, 27 Jan 2025 23:09:09 +0100
Subject: [PATCH] Add pre-commit for bandit security scan

---
 .pre-commit-config.yaml    | 10 ++++++++--
 docs/devel/development.rst | 26 ++++++++++++++++++--------
 pyproject.toml             |  4 ++++
 3 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c98bcbea8..a6271dd0f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,9 +1,15 @@
 repos:
 - repo: https://github.com/psf/black
-  rev: 24.3.0
+  rev: 24.10.0
   hooks:
   - id: black
 - repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.3.5
+  rev: v0.9.3
   hooks:
   - id: ruff
+- repo: https://github.com/PyCQA/bandit
+  rev: 1.8.2
+  hooks:
+  - id: bandit
+    args: ["-c", "pyproject.toml"]
+    additional_dependencies: ["bandit[toml]"]
diff --git a/docs/devel/development.rst b/docs/devel/development.rst
index 653838a90..9ac68ecdb 100644
--- a/docs/devel/development.rst
+++ b/docs/devel/development.rst
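Review bot: The new bandit hook is pinned only by tag (`rev: 1.8.2`), and `additional_dependencies: ["bandit[toml]"]` carries no version at all, so the scanner that gates commits can drift from what was reviewed if the tag is moved upstream or pip resolves a newer bandit for the extra; pinning `rev` to the full commit SHA of the release tag and writing `additional_dependencies: ["bandit[toml]==1.8.2"]` keeps the hook reproducible. The same tag-only pinning applies to the black and ruff bumps above it, and those are large jumps (v0.3.5 to v0.9.3 for ruff) that may surface new findings on untouched files. Pre-commit hooks only run where a developer has done `pre-commit install`, so the scan is advisory unless CI runs the same hook; this patch adds no workflow change, so it is worth confirming that a CI job already executes the pre-commit configuration, as the development.rst text in the next hunk asserts.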
@@ -121,26 +121,36 @@ add more tools, exercise tools install pre-commit hooks ------------------------ -Setup Black and Ruff pre-commit hooks:: - pre-commit install # pre-commit is used for code linting / auto-format +Some tools will inspect your changes as part of Git commit processing. -Black and Ruff will inspect your changes as part of Git commit processing. If your code +* Black formats Python code to make it consistent and readable according to PEP 8 guidelines. +* Ruff is a linter that detects style issues, errors and potential problems. +* Bandit analyzes the code for possible security vulnerabilities and potential risks. + +Setup pre-commit hooks:: + + pre-commit install + +If your code change violates Black's coding standards (a changed line of code is > 120 characters) Black will update the file and fail the commit. Your repo will have 2 versions of the offending file: the staged file with your changes and an unstaged version with Black's corrections. -To fix, unstage the file to merge your channges into Black's version, then restage the +To fix, unstage the file to merge your changes into Black's version, then restage the file and rerun commit. -If Ruff finds an error, it will create an error message and fail the commit. In this case, -unstage the offending file, fix the error, restage the file and rerun commit. +If Ruff or Bandit find errors, they will create error messages and cause the commit to fail. In this case, +unstage the offending file, fix the errors, restage the file and rerun commit. Note that these same checks are made as part of GitHub push-merge processing. If there is an error the merge will fail. Fix the error, restage the file, and commit. -Read more about Black at https://black.readthedocs.io/en/stable/index.html. -Read more about Ruff at https://github.com/astral-sh/ruff?tab=readme-ov-file#ruff. 
+Read more about
+
+* Black at https://black.readthedocs.io/en/stable/index.html
+* Ruff at https://github.com/astral-sh/ruff?tab=readme-ov-file#ruff
+* Bandit at https://bandit.readthedocs.io/en/latest/
 
 review configuration options
 ----------------------------
diff --git a/pyproject.toml b/pyproject.toml
index db5599f38..906a9ce23 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -159,6 +159,10 @@ unfixable = []
 "src/moin/config/default.py" = ["F401", "F403"]
 "src/moin/datastructures/__init__.py" = ["F401"]
 
+[tool.bandit]
+exclude_dirs = ["quickinstall.py", "*/_tests/*"]
+skips = ["B101", "B105", "B106", "B307", "B311", "B403", "B608"]
+
 [tool.tox]
 legacy_tox_ini = """
 # tox configuration - if you change anything here, run this to verify:
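Review bot: `skips` turns off B105, B106, B307 and B608 (hard-coded password strings and arguments, `eval`, and string-built SQL) for the entire code base, which also silences them for any code written after this commit; scoping those four to the existing call sites with per-line `# nosec B307` style annotations, each carrying a one-line reason, and keeping only the broad-noise checks (B101, B311, B403) in `skips` would let the hook still flag new instances. The list is undocumented, so a comment per entry stating the finding it suppresses and why it is accepted here, e.g. `# B101 assert_used: <reason>`, would make a later review of the exclusions possible. `exclude_dirs` is given a file name (`quickinstall.py`); bandit treats these entries as path patterns so this likely works, but I have not verified that the exclusion also applies when pre-commit passes changed files explicitly instead of bandit walking directories.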