Merge "Introduce bandit security linter"

.zuul.yaml

@@ -9,7 +9,31 @@
       jobs:
         - cyborg-tempest
         - cyborg-tempest-ipv6-only
+        - cyborg-tox-bandit:
+            voting: false
     gate:
       jobs:
         - cyborg-tempest
 
+- job:
+    name: cyborg-tox-bandit
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit
+    required-projects:
+      - openstack/requirements
+    irrelevant-files: &gate-irrelevant-files
+      - ^(test-|)requirements.txt$
+      - ^.*\.rst$
+      - ^api-ref/.*$
+      - ^cyborg/cmd/status\.py$
+      - ^cyborg/hacking/.*$
+      - ^cyborg/tests/functional.*$
+      - ^cyborg/tests/unit.*$
+      - ^doc/.*$
+      - ^etc/.*$
+      - ^releasenotes/.*$
+      - ^setup.cfg$
+      - ^tools/.*$
+      - ^tox.ini$

releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml

@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Introduce bandit check as the code security check, which can help us avoid 
+    possible security issues. For example, shell-related operations for drivers
+    may be insecure. With bandit test, it can check the potential security
+    issues.

test-requirements.txt

@@ -4,6 +4,7 @@
 
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 
+bandit>=1.6.0 # Apache-2.0
 coverage>=3.6,!=4.4 # Apache-2.0
 fixtures>=3.0.0 # Apache-2.0/BSD
 mock>=2.0.0 # BSD

tox.ini

@@ -100,5 +100,8 @@ builtins = _
 enable-extensions = H106,H203,H904
 exclude=.venv,.git,.tox,dist,doc,*lib/python*,*egg,build,*sqlalchemy/alembic/versions/*,demo/,releasenotes
 
+[testenv:bandit]
+commands = bandit -r cyborg -x cyborg/tests/* -n 5 -ll
+
 [hacking]
 local-check-factory = cyborg.hacking.checks.factory