Merge "Incorporate bandit support in CI"

lower-constraints.txt

@@ -3,6 +3,7 @@ alembic==0.8.10
 appdirs==1.4.3
 automaton==1.9.0
 Babel==2.3.4
+bandit==1.1.0
 certifi==2018.1.18
 chardet==3.0.4
 click==6.7

test-requirements.txt

@@ -1,6 +1,7 @@
 # The order of packages is significant, because pip processes them in the order
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
+bandit!=1.6.0,>=1.1.0,<2.0.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 doc8>=0.6.0 # Apache-2.0
 flake8-import-order>=0.13 # LGPLv3

tox.ini

@@ -101,3 +101,8 @@ deps =
   -c{toxinidir}/lower-constraints.txt
   -r{toxinidir}/test-requirements.txt
   -r{toxinidir}/requirements.txt
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r ironic_inspector -x test -n 5 -ll

zuul.d/ironic-inspector-jobs.yaml

@@ -63,3 +63,24 @@
         IRONIC_INSPECTOR_RAMDISK_ELEMENT: ironic-agent
         IRONIC_INSPECTOR_DHCP_FILTER: dnsmasq
         IRONIC_INSPECTOR_INTROSPECTION_DATA_STORE: database
+
+- job:
+    # Security testing for known issues
+    name: ironic-inspector-tox-bandit
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit
+    required-projects:
+      - openstack/ironic-inspector
+    irrelevant-files:
+      - ^.*\.rst$
+      - ^api-ref/.*$
+      - ^doc/.*$
+      - ^ironic_inspector/test/(?!.*tempest).*$
+      - ^ironic_inspector/locale/.*$
+      - ^releasenotes/.*$
+      - ^tools/.*$
+      - ^test-requirements.txt$
+      - ^setup.cfg$
+      - ^tox.ini$

zuul.d/project.yaml

@@ -16,6 +16,8 @@
         - openstack-tox-functional
         - openstack-tox-functional-py36
         - bifrost-integration-tinyipa-ubuntu-xenial
+        - ironic-inspector-tox-bandit:
+            voting: false
     gate:
       queue: ironic
       jobs: