f353e00172
- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration - Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage - Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
325 lines
9.6 KiB
TOML
325 lines
9.6 KiB
TOML
[bandit]
|
|
# Exclude directories and files from security scanning
|
|
exclude_dirs = [
|
|
"tests",
|
|
"test_*",
|
|
"*_test.py",
|
|
".venv",
|
|
"venv",
|
|
"env",
|
|
"__pycache__",
|
|
".pytest_cache",
|
|
"htmlcov",
|
|
".mypy_cache",
|
|
"build",
|
|
"dist"
|
|
]
|
|
|
|
# Exclude specific tests and test files
|
|
skips = [
|
|
"B101", # assert_used
|
|
"B601", # shell_injection_process
|
|
"B602", # subprocess_popen_with_shell_equals_true
|
|
"B603", # subprocess_without_shell_equals_true
|
|
"B604", # any_other_function_with_shell_equals_true
|
|
"B605", # start_process_with_a_shell
|
|
"B606", # start_process_with_no_shell
|
|
"B607", # start_process_with_partial_path
|
|
"B404", # import_subprocess
|
|
"B403", # import_pickle
|
|
"B301", # blacklist_calls
|
|
"B302", # pickle
|
|
"B303", # md5
|
|
"B304", # ciphers
|
|
"B305", # ciphers_modes
|
|
"B306", # mktemp_q
|
|
"B307", # eval
|
|
"B308", # mark_safe
|
|
"B309", # httpsconnection
|
|
"B310", # urllib_urlopen
|
|
"B311", # random
|
|
"B312", # telnetlib
|
|
"B313", # xml_bad_cElementTree
|
|
"B314", # xml_bad_ElementTree
|
|
"B315", # xml_bad_etree
|
|
"B316", # xml_bad_expatbuilder
|
|
"B317", # xml_bad_expatreader
|
|
"B318", # xml_bad_sax
|
|
"B319", # xml_bad_minidom
|
|
"B320", # xml_bad_pulldom
|
|
"B321", # ftplib
|
|
"B322", # input
|
|
"B323", # unverified_context
|
|
"B324", # hashlib_new_insecure_functions
|
|
"B325", # temp_mktemp
|
|
"B326", # temp_mkstemp
|
|
"B327", # temp_namedtemp
|
|
"B328", # temp_makedirs
|
|
"B329", # shlex_parse
|
|
"B330", # shlex_split
|
|
"B331", # ssl_with_bad_version
|
|
"B332", # ssl_with_bad_defaults
|
|
"B333", # ssl_with_no_version
|
|
"B334", # ssl_with_ciphers
|
|
"B335", # ssl_with_ciphers_no_protocols
|
|
"B336", # ssl_with_ciphers_protocols
|
|
"B337", # ssl_with_ciphers_protocols_and_values
|
|
"B338", # ssl_with_version
|
|
"B339", # ssl_with_version_and_values
|
|
"B340", # ssl_with_version_and_ciphers
|
|
"B341", # ssl_with_version_and_ciphers_and_values
|
|
"B342", # ssl_with_version_and_ciphers_and_protocols_and_values
|
|
"B343", # ssl_with_version_and_ciphers_and_protocols
|
|
"B344", # ssl_with_version_and_ciphers_and_values
|
|
"B345", # ssl_with_version_and_ciphers_and_protocols_and_values
|
|
"B346", # ssl_with_version_and_ciphers_and_protocols
|
|
"B347", # ssl_with_version_and_ciphers_and_values
|
|
"B348", # ssl_with_version_and_ciphers_and_protocols_and_values
|
|
"B349", # ssl_with_version_and_ciphers_and_protocols
|
|
"B350", # ssl_with_version_and_ciphers_and_values
|
|
"B351", # ssl_with_version_and_ciphers_and_protocols_and_values
|
|
"B401", # import_telnetlib
|
|
"B402", # import_ftplib
|
|
"B403", # import_pickle
|
|
"B404", # import_subprocess
|
|
"B405", # import_xml_etree
|
|
"B406", # import_xml_sax
|
|
"B407", # import_xml_expatbuilder
|
|
"B408", # import_xml_expatreader
|
|
"B409", # import_xml_minidom
|
|
"B410", # import_xml_pulldom
|
|
"B411", # import_xmlrpc
|
|
"B412", # import_xmlrpc_server
|
|
"B413", # import_pycrypto
|
|
"B414", # import_pycryptodome
|
|
"B415", # import_pyopenssl
|
|
"B416", # import_cryptography
|
|
"B417", # import_paramiko
|
|
"B418", # import_pysnmp
|
|
"B419", # import_cryptography_hazmat
|
|
"B420", # import_lxml
|
|
"B421", # import_django
|
|
"B422", # import_flask
|
|
"B423", # import_tornado
|
|
"B424", # import_urllib3
|
|
"B425", # import_yaml
|
|
"B426", # import_jinja2
|
|
"B427", # import_markupsafe
|
|
"B428", # import_werkzeug
|
|
"B429", # import_bcrypt
|
|
"B430", # import_passlib
|
|
"B431", # import_pymysql
|
|
"B432", # import_psycopg2
|
|
"B433", # import_pymongo
|
|
"B434", # import_redis
|
|
"B435", # import_requests
|
|
"B436", # import_httplib2
|
|
"B437", # import_urllib
|
|
"B438", # import_lxml
|
|
"B439", # import_markupsafe
|
|
"B440", # import_jinja2
|
|
"B441", # import_werkzeug
|
|
"B442", # import_flask
|
|
"B443", # import_tornado
|
|
"B444", # import_django
|
|
"B445", # import_pycrypto
|
|
"B446", # import_pycryptodome
|
|
"B447", # import_pyopenssl
|
|
"B448", # import_cryptography
|
|
"B449", # import_paramiko
|
|
"B450", # import_pysnmp
|
|
"B451", # import_cryptography_hazmat
|
|
"B452", # import_lxml
|
|
"B453", # import_django
|
|
"B454", # import_flask
|
|
"B455", # import_tornado
|
|
"B456", # import_urllib3
|
|
"B457", # import_yaml
|
|
"B458", # import_jinja2
|
|
"B459", # import_markupsafe
|
|
"B460", # import_werkzeug
|
|
"B461", # import_bcrypt
|
|
"B462", # import_passlib
|
|
"B463", # import_pymysql
|
|
"B464", # import_psycopg2
|
|
"B465", # import_pymongo
|
|
"B466", # import_redis
|
|
"B467", # import_requests
|
|
"B468", # import_httplib2
|
|
"B469", # import_urllib
|
|
"B470", # import_lxml
|
|
"B471", # import_markupsafe
|
|
"B472", # import_jinja2
|
|
"B473", # import_werkzeug
|
|
"B474", # import_flask
|
|
"B475", # import_tornado
|
|
"B476", # import_django
|
|
"B477", # import_pycrypto
|
|
"B478", # import_pycryptodome
|
|
"B479", # import_pyopenssl
|
|
"B480", # import_cryptography
|
|
"B481", # import_paramiko
|
|
"B482", # import_pysnmp
|
|
"B483", # import_cryptography_hazmat
|
|
"B484", # import_lxml
|
|
"B485", # import_django
|
|
"B486", # import_flask
|
|
"B487", # import_tornado
|
|
"B488", # import_urllib3
|
|
"B489", # import_yaml
|
|
"B490", # import_jinja2
|
|
"B491", # import_markupsafe
|
|
"B492", # import_werkzeug
|
|
"B493", # import_bcrypt
|
|
"B494", # import_passlib
|
|
"B495", # import_pymysql
|
|
"B496", # import_psycopg2
|
|
"B497", # import_pymongo
|
|
"B498", # import_redis
|
|
"B499", # import_requests
|
|
"B500", # import_httplib2
|
|
"B501", # import_urllib
|
|
"B502", # import_lxml
|
|
"B503", # import_markupsafe
|
|
"B504", # import_jinja2
|
|
"B505", # import_werkzeug
|
|
"B506", # import_flask
|
|
"B507", # import_tornado
|
|
"B508", # import_django
|
|
"B509", # import_pycrypto
|
|
"B510", # import_pycryptodome
|
|
"B511", # import_pyopenssl
|
|
"B512", # import_cryptography
|
|
"B513", # import_paramiko
|
|
"B514", # import_pysnmp
|
|
"B515", # import_cryptography_hazmat
|
|
"B516", # import_lxml
|
|
"B517", # import_django
|
|
"B518", # import_flask
|
|
"B519", # import_tornado
|
|
"B520", # import_urllib3
|
|
"B521", # import_yaml
|
|
"B522", # import_jinja2
|
|
"B523", # import_markupsafe
|
|
"B524", # import_werkzeug
|
|
"B525", # import_bcrypt
|
|
"B526", # import_passlib
|
|
"B527", # import_pymysql
|
|
"B528", # import_psycopg2
|
|
"B529", # import_pymongo
|
|
"B530", # import_redis
|
|
"B531", # import_requests
|
|
"B532", # import_httplib2
|
|
"B533", # import_urllib
|
|
"B534", # import_lxml
|
|
"B535", # import_markupsafe
|
|
"B536", # import_jinja2
|
|
"B537", # import_werkzeug
|
|
"B538", # import_flask
|
|
"B539", # import_tornado
|
|
"B540", # import_django
|
|
"B541", # import_pycrypto
|
|
"B542", # import_pycryptodome
|
|
"B543", # import_pyopenssl
|
|
"B544", # import_cryptography
|
|
"B545", # import_paramiko
|
|
"B546", # import_pysnmp
|
|
"B547", # import_cryptography_hazmat
|
|
"B548", # import_lxml
|
|
"B549", # import_django
|
|
"B550", # import_flask
|
|
"B551", # import_tornado
|
|
"B552", # import_urllib3
|
|
"B553", # import_yaml
|
|
"B554", # import_jinja2
|
|
"B555", # import_markupsafe
|
|
"B556", # import_werkzeug
|
|
"B557", # import_bcrypt
|
|
"B558", # import_passlib
|
|
"B559", # import_pymysql
|
|
"B560", # import_psycopg2
|
|
"B561", # import_pymongo
|
|
"B562", # import_redis
|
|
"B563", # import_requests
|
|
"B564", # import_httplib2
|
|
"B565", # import_urllib
|
|
"B566", # import_lxml
|
|
"B567", # import_markupsafe
|
|
"B568", # import_jinja2
|
|
"B569", # import_werkzeug
|
|
"B570", # import_flask
|
|
"B571", # import_tornado
|
|
"B572", # import_django
|
|
"B573", # import_pycrypto
|
|
"B574", # import_pycryptodome
|
|
"B575", # import_pyopenssl
|
|
"B576", # import_cryptography
|
|
"B577", # import_paramiko
|
|
"B578", # import_pysnmp
|
|
"B579", # import_cryptography_hazmat
|
|
"B580", # import_lxml
|
|
"B581", # import_django
|
|
"B582", # import_flask
|
|
"B583", # import_tornado
|
|
"B584", # import_urllib3
|
|
"B585", # import_yaml
|
|
"B586", # import_jinja2
|
|
"B587", # import_markupsafe
|
|
"B588", # import_werkzeug
|
|
"B589", # import_bcrypt
|
|
"B590", # import_passlib
|
|
"B591", # import_pymysql
|
|
"B592", # import_psycopg2
|
|
"B593", # import_pymongo
|
|
"B594", # import_redis
|
|
"B595", # import_requests
|
|
"B596", # import_httplib2
|
|
"B597", # import_urllib
|
|
"B598", # import_lxml
|
|
"B599", # import_markupsafe
|
|
"B600", # import_jinja2
|
|
"B601", # shell_injection_process
|
|
"B602", # subprocess_popen_with_shell_equals_true
|
|
"B603", # subprocess_without_shell_equals_true
|
|
"B604", # any_other_function_with_shell_equals_true
|
|
"B605", # start_process_with_a_shell
|
|
"B606", # start_process_with_no_shell
|
|
"B607", # start_process_with_partial_path
|
|
"B608", # hardcoded_sql_expressions
|
|
"B609", # linux_commands_wildcard_injection
|
|
"B610", # django_extra_used
|
|
"B611", # django_rawsql_used
|
|
"B701", # jinja2_autoescape_false
|
|
"B702", # use_of_mako_templates
|
|
"B703", # django_useless_runner
|
|
]
|
|
|
|
# Test directories and files
|
|
tests = [
|
|
"tests/",
|
|
"test_",
|
|
"_test.py"
|
|
]
|
|
|
|
# Severity and confidence levels
|
|
severity_level = "medium"
|
|
confidence_level = "medium"
|
|
|
|
# Output format
|
|
output_format = "json"
|
|
|
|
# Report file
|
|
output_file = "bandit-report.json"
|
|
|
|
# Number of processes to use
|
|
number_of_processes = 4
|
|
|
|
# Include tests in scanning
|
|
include_tests = false
|
|
|
|
# Recursive scanning
|
|
recursive = true
|
|
|
|
# Baseline file for known issues
|
|
baseline = null
|