bandit: add bandit and bashate checks for tox

Change-Id: I01e312845c6ffb4e130ec1d0882b27aeec664a0f

tox.ini

@@ -20,17 +20,24 @@ commands = find . -type f -name "*.py[c|o]" -delete
            find . -type d -name "__pycache__" -delete
            stestr run '{posargs}'
 allowlist_externals = find
+                      bash
 
 [tox:jenkins]
 sitepackages = True
 
 [testenv:pep8]
+deps =
+  {[testenv]deps}
+  bashate>=2.1.1 # Apache-2.0
+  bandit>=1.7.5 # Apache-2.0
 commands =
   flake8
   pylint --version
   pylint --rcfile=.pylintrc --output-format=colorized {posargs:neutron_taas}
   neutron-db-manage --subproject tap-as-a-service --database-connection sqlite:// check_migration
   {[testenv:genpolicy]commands}
+  {[testenv:bashate]commands}
+  {[testenv:bandit]commands}
 
 [testenv:venv]
 commands = {posargs}
@@ -97,6 +104,26 @@ extension =
 [hacking]
 import_exceptions = neutron_taas._i18n
 
+[testenv:bandit]
+deps = {[testenv:pep8]deps}
+# B104: Possible binding to all interfaces
+# B604: any_other_function_with_shell_equals_true
+commands = bandit -r neutron -x tests -n5
+#-s B104,B604
+
+[testenv:bashate]
+deps = {[testenv:pep8]deps}
+commands = bash -c "find {toxinidir}             \
+         -not \( -type d -name .tox\* -prune \)  \
+         -not \( -type d -name .venv\* -prune \) \
+         -type f                                 \
+         -name \*.sh                             \
+# E005 file does not begin with #! or have a .sh prefix
+# E006 check for lines longer than 79 columns
+# E042 local declaration hides errors
+# E043 Arithmetic compound has inconsistent return semantics
+         -print0 | xargs -0 bashate -v -iE006 -eE005,E042,E043"
+
 [testenv:dev]
 # run locally (not in the gate) using editable mode
 # https://pip.pypa.io/en/stable/reference/pip_install/#editable-installs