diff --git a/.zuul.yaml b/.zuul.yaml index 073630ea..ea632164 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -9,7 +9,31 @@ jobs: - cyborg-tempest - cyborg-tempest-ipv6-only + - cyborg-tox-bandit: + voting: false gate: jobs: - cyborg-tempest +- job: + name: cyborg-tox-bandit + parent: openstack-tox + timeout: 2400 + vars: + tox_envlist: bandit + required-projects: + - openstack/requirements + irrelevant-files: &gate-irrelevant-files + - ^(test-|)requirements.txt$ + - ^.*\.rst$ + - ^api-ref/.*$ + - ^cyborg/cmd/status\.py$ + - ^cyborg/hacking/.*$ + - ^cyborg/tests/functional.*$ + - ^cyborg/tests/unit.*$ + - ^doc/.*$ + - ^etc/.*$ + - ^releasenotes/.*$ + - ^setup.cfg$ + - ^tools/.*$ + - ^tox.ini$ diff --git a/releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml b/releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml new file mode 100644 index 00000000..1ae41c3e --- /dev/null +++ b/releasenotes/notes/introduce-bandit-security-linter-339d3f12b6200d64.yaml @@ -0,0 +1,7 @@ +--- +security: + - | + Introduce bandit check as the code security check, which can help us avoid + possible security issues. For example, shell-related operations for drivers + may be insecure. With bandit test, it can check the potential security + issues. diff --git a/test-requirements.txt b/test-requirements.txt index 2175be94..61d06529 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -4,6 +4,7 @@ hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 +bandit>=1.6.0 # Apache-2.0 coverage>=3.6,!=4.4 # Apache-2.0 fixtures>=3.0.0 # Apache-2.0/BSD mock>=2.0.0 # BSD diff --git a/tox.ini b/tox.ini index 1850b2a4..c7aced56 100644 --- a/tox.ini +++ b/tox.ini @@ -100,5 +100,8 @@ builtins = _ enable-extensions = H106,H203,H904 exclude=.venv,.git,.tox,dist,doc,*lib/python*,*egg,build,*sqlalchemy/alembic/versions/*,demo/,releasenotes +[testenv:bandit] +commands = bandit -r cyborg -x cyborg/tests/* -n 5 -ll + [hacking] local-check-factory = cyborg.hacking.checks.factory