enable ruff with flake8-bandit rules

Enable flake8-bandit checks via the ruff checker. The flake8-bandit rules are prefixed with S instead of B like the bandit rules are but the numberical values are different. flake8-bandit provides the default config without needing it to be generated like bandit has in the ironic repo. The only exceptions to the default config in ironic is the skipping of 3 rules which is instead skipped just for tests instead of globally. The choice of ruff is intentional as other OpenStack projects are trending that way and more checks can be used in the future. Change-Id: Iec4b628a5d5425dd18b5a4fd76f61c504e3d53b0 Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
2024-11-08 22:42:47 -05:00 · 2024-11-08 22:42:47 -05:00 · 83293508d8
commit 83293508d8
parent 43fdf124f8
2 changed files with 17 additions and 0 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -54,3 +54,8 @@ repos:
    rev: v1.1.2
    hooks:
      - id: doc8
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.7.3
+    hooks:
+      - id: ruff
+        args: ['--fix', '--unsafe-fixes']
--- a/pyproject.toml
+++ b/pyproject.toml
@ -4,3 +4,15 @@ build-backend = "pbr.build"

 [tool.doc8]
 ignore = ["D001"]
+
+[tool.ruff.lint]
+select = [
+    "S",        # flake8-bandit
+]
+
+[tool.ruff.lint.per-file-ignores]
+"sushy/tests/**/*.py" = [
+    "S104",     # disable 'hardcoded_bind_all_interfaces' for tests
+    "S105",     # disable 'hardcoded_password_string' for tests
+    "S106",     # disable 'hardcoded_password_funcarg' for tests
+]