Use bandit (via pantsbuild) #5777

Merged
merged 6 commits into from
Oct 17, 2022
2 changes: 1 addition & 1 deletion .github/workflows/lint.yaml
@@ -25,7 +25,7 @@ on:
jobs:
# Lint checks which don't depend on any service containes, etc. to be running.
lint-checks:
name: 'Lint Checks (pants runs: shellcheck, black, flake8)'
name: 'Lint Checks (pants runs: shellcheck, bandit, black, flake8)'
runs-on: ubuntu-latest

env:
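Review bot: the comment two lines above `lint-checks:` misspells "containers" as "containes"; since this hunk already edits the job's `name:`, fixing the typo in the same change keeps it out of a separate cleanup commit.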
2 changes: 1 addition & 1 deletion CHANGELOG.rst
@@ -53,7 +53,7 @@ Added

* Begin introducing `pants <https://www.pantsbuild.org/docs>`_ to improve DX (Developer Experience)
working on StackStorm, improve our security posture, and improve CI reliability thanks in part
to pants' use of PEX lockfiles. This is not a user-facing addition. #5713 #5724 #5726 #5725 #5732 #5733 #5737 #5738 #5758 #5751 #5774 #5776
to pants' use of PEX lockfiles. This is not a user-facing addition. #5713 #5724 #5726 #5725 #5732 #5733 #5737 #5738 #5758 #5751 #5774 #5776 #5777
Contributed by @cognifloyd

Changed
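Review bot: the entry gains the PR number but still does not say what this PR adds. Since the lint job now runs bandit (see the workflow and pants.toml hunks), naming it here, e.g. "improve our security posture (bandit static analysis in `pants lint`)", tells contributors why a lint run may start failing on code that previously passed.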
481 changes: 481 additions & 0 deletions lockfiles/bandit.lock
17 changes: 17 additions & 0 deletions pants.toml
@@ -12,6 +12,7 @@ backend_packages = [
"pants.backend.python",
"pants.backend.experimental.python", # activates twine `publish` support
"pants.backend.python.mixed_interpreter_constraints",
"pants.backend.python.lint.bandit",
"pants.backend.python.lint.black",
"pants.backend.python.lint.flake8",

@@ -83,6 +84,22 @@ root_patterns = [
"/st2common/benchmarks/micro",
]

[bandit]
lockfile = "lockfiles/bandit.lock"
version = "bandit==1.7.0"
args = [
"-lll", # only HIGH severity level
"--exclude",
"build,dist",
"--quiet", # only show output in the case of an error
]
extra_requirements = [
"setuptools",
# bandit needs stevedore which needs importlib-metadata<5
# see: https://github.com/PyCQA/bandit/pull/952
"importlib-metadata<5;python_version<'3.8'",
]

[black]
lockfile = "lockfiles/black.lock"
version = "black==22.3.0"
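Review bot: `-lll` restricts bandit to HIGH-severity findings, so with `--quiet` MEDIUM and LOW results are not merely hidden, they never affect the exit code; a comment stating that this is the intended starting baseline (and whether the plan is to tighten to `-ll` later) would stop a future reader from assuming the scan is broader than it is. The `importlib-metadata<5` pin is justified by the link to PyCQA/bandit#952, but it is tied to `bandit==1.7.0`; a short TODO to drop the pin when the pinned bandit/stevedore version is bumped keeps the workaround from outliving its cause.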
2 changes: 2 additions & 0 deletions st2tests/st2tests/fixtures/packs/BUILD
@@ -14,6 +14,7 @@ resources(

shell_sources(
name="test_content_version_shell",
# do not check across git submodule boundary
skip_shellcheck=True,
sources=[
"test_content_version/**/*.sh",
@@ -22,6 +23,7 @@ shell_sources(

python_sources(
name="test_content_version",
# do not fmt across git submodule boundary
skip_black=True,
Comment on lines +26 to 27
Member Author
This was requested in #5774 (comment)
I missed adding it before merging, so I'm adding it here.

dependencies=[
":test_content_version_metadata",