Enable bandit for ansible-playbooks

Story: 2008929
Task: 42531

Change-Id: Ibc7ba6ec327f87775a61f96c709654b75ce78489
Signed-off-by: Chen, Haochuan Z <haochuan.z.chen@intel.com>

.zuul.yaml

@@ -3,10 +3,12 @@
       jobs:
         - openstack-tox-linters
         - openstack-tox-pep8
+        - ansible-playbooks-tox-bandit
     gate:
       jobs:
         - openstack-tox-linters
         - openstack-tox-pep8
+        - ansible-playbooks-tox-bandit
     post:
       jobs:
         - stx-ansible-playbooks-upload-git-mirror
@@ -24,6 +26,18 @@
         secret: stx-ansible-playbooks-github-secret
         pass-to-parent: true
 
+- job:
+    name: ansible-playbooks-tox-bandit
+    parent: tox
+    description: |
+      Run bandit test for ansible-playbooks
+    nodeset: ubuntu-bionic
+    files:
+      - ./*
+    vars:
+      tox_envlist: bandit
+      tox_extra_args: -c ./tox.ini
+
 - secret:
     name: stx-ansible-playbooks-github-secret
     data:

test-requirements.txt

@@ -1,4 +1,5 @@
 ansible-lint <= 4.3.7
+bandit;python_version>="3.0"
 bashate >= 0.2
 flake8 >= 2.5.4 # MIT
 PyYAML >= 3.1.0

tox.ini

@@ -61,3 +61,22 @@ exclude = .venv,.git,.tox,dist,doc,*lib/python*,*egg,build,release-tag-*
 [testenv:venv]
 basepython = python3
 commands = {posargs}
+
+[bandit]
+# The following bandit tests are being skipped:
+# B108: Test for insecure usage of tmp file/directory
+# B110: Try, Except, Pass detected.
+# B404: Import of subprocess module
+# B603: Test for use of subprocess without shell equals true
+# B607: Test for starting a process with a partial path
+# B608: Possible SQL injection vector through string-based query
+#
+# Note: 'skips' entry cannot be split across multiple lines
+#
+skips = B108,B110,B404,B603,B607,B608
+exclude = tests
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit --ini tox.ini -n 5 -r playbookconfig/src/playbooks/roles