Tox and Zuul job for the bandit code scan in stx/gui

Setting up the bandit tool for the scanning of HIGH severity issues in the python codes under Starlingx/gui folder. Expecting this merge will enable zuul job for CI/CD of bandit scan. Configuration files: 1. tox.ini for adding bandit environment and command. 2. test-requirements.txt for adding bandit version. 3. .zuul.yaml file for adding bandit job and configuring under check job to run code scan every time before code commit. Test: Run tox -e bandit command inside the fault folder to validate the bandit scan and result. Story: 2007541 Task: 39683 Depends-On: https://review.opendev.org/#/c/721294/ Change-Id: I155c9f894f8b1d701f2c75e3e892e6b83a35b11e Signed-off-by: Sharath Kumar K <sharath.kumar@intel.com>
2020-05-07 08:59:08 +02:00 · 2020-05-07 08:59:08 +02:00 · 170ac040d2
parent 593d0f82ba
commit 170ac040d2
3 changed files with 8 additions and 0 deletions
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -3,6 +3,7 @@
    templates:
      - publish-stx-docs
      - stx-release-notes-jobs
+      - stx-bandit-jobs
    check:
      jobs:
        - openstack-tox-pep8
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -26,3 +26,4 @@ testtools>=1.4.0 # MIT
 # This also needs xvfb library installed on your OS
 xvfbwrapper>=0.1.3 #license: MIT
 pyOpenSSL>=0.14
+bandit!=1.6.0,>=1.1.0,<2.0.0
--- a/tox.ini
+++ b/tox.ini
@ -98,3 +98,9 @@ basepython = python3
 envdir = {toxworkdir}/releasenotes
 deps = -r{toxinidir}/doc/requirements.txt
 commands = reno new {posargs}
+
+[testenv:bandit]
+basepython = python3
+description = Bandit code scan for *.py files under config folder
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r {toxinidir}/ -x '**/.tox/**,**/.eggs/**' -lll