starlingx
/
stx-puppet
Code Issues Proposed changes

Tox and Zuul job for the bandit code scan in stx/stx-puppet 

Setting up the bandit tool for the scanning of HIGH severity issues
in the python codes under Starlingx/stx-puppet folder.
Expecting this merge will enable zuul job for CI/CD of bandit scan.

Configuration files:
1. tox.ini for adding bandit environment and command.
2. test-requirements.txt for adding bandit version.
3. .zuul.yaml file for adding bandit job and configuring under
   check job to run code scan every time before code commit.

Test:
Run tox -e bandit command inside the fault folder to validate the
bandit scan and result.

Story: 2007541
Task: 39687
Depends-On: https://review.opendev.org/#/c/721294/

Change-Id: I2982268db2b5e75feeb287bc95420fedc9b0d816
Signed-off-by: Sharath Kumar K <sharath.kumar@intel.com>
This commit is contained in:
Sharath Kumar K 2020-05-07 10:08:11 +02:00
parent d57eb27dc5
commit 4134023ab8
3 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.zuul.yaml
View File

@ -1,5 +1,7 @@
--- ---
- project: - project:
templates:
- stx-bandit-jobs
check: check:
jobs: jobs:
- stx-puppet-linters - stx-puppet-linters

1
test-requirements.txt
View File

@ -1,3 +1,4 @@
# hacking pulls in flake8 # hacking pulls in flake8
hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
bashate >= 0.2 bashate >= 0.2
bandit!=1.6.0,>=1.1.0,<2.0.0

5
tox.ini
View File

@ -81,3 +81,8 @@ show-source = True
ignore = E123,E125,E501,H405,W504 ignore = E123,E125,E501,H405,W504
exclude = .venv,.git,.tox,dist,doc,*lib/python*,*egg,build,release-tag-* exclude = .venv,.git,.tox,dist,doc,*lib/python*,*egg,build,release-tag-*
[testenv:bandit]
basepython = python3
description = Bandit code scan for *.py files under config folder
deps = -r{toxinidir}/test-requirements.txt
commands = bandit -r {toxinidir}/ -x '**/.tox/**,**/.eggs/**' -lll