Add Bandit non-voting job

This commit adds two new tox environments for bandit scanner. To run any
of them you can use tox commands:

1) 'tox -e bandit' to run bandit scanner against all the code
2) 'tox -e bandit-baseline' to run bandit scanner only against the last
commit or the current changes.

Bandit job uses 'bandit-baseline' tox environment to veryfy that no new
issues were introduced.

Change-Id: I1fc3bb0d5d151f215b9efc916f921fabaa72e7d8

.zuul.yaml

@@ -60,6 +60,21 @@
       tempest_test_regex: horizon
       tox_envlist: all
 
+- job:
+    # Security testing for known issues
+    name: horizon-tox-bandit-baseline
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit-baseline
+    irrelevant-files:
+      - ^.*\.rst$
+      - ^.*\locale/.*$
+      - ^doc/.*$
+      - ^releasenotes/.*$
+      - ^setup.cfg$
+      - ^tools/.*$
+
 - project:
     check:
       jobs:
@@ -68,6 +83,8 @@
             voting: false
         - horizon-dsvm-tempest-plugin
         - openstack-tox-lower-constraints
+        - horizon-tox-bandit-baseline:
+            voting: false
     gate:
       jobs:
         - horizon-openstack-tox-python3-django111

test-requirements.txt

@@ -9,6 +9,7 @@
 # Hacking should appear first in case something else depends on pep8
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 #
+bandit>=1.4.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 doc8>=0.6.0 # Apache-2.0
 flake8-import-order==0.12 # LGPLv3

tox.ini

@@ -176,6 +176,13 @@ application-import-names = horizon,openstack_dashboard
 [hacking]
 local-check-factory = horizon.hacking.checks.factory
 
+[testenv:bandit]
+commands = bandit -r horizon openstack_auth openstack_dashboard -n5 -x tests -ll
+
+[testenv:bandit-baseline]
+envdir = {toxworkdir}/bandit
+commands = bandit-baseline -r horizon  openstack_auth openstack_dashboard -n5 -x tests -ii -ll
+
 [doc8]
 # File extensions to check
 extensions = .rst, .yaml