From 4134023ab84d8a635b118d5e3ff26ade3bbe535b Mon Sep 17 00:00:00 2001 From: Sharath Kumar K Date: Thu, 7 May 2020 10:08:11 +0200 Subject: [PATCH] Tox and Zuul job for the bandit code scan in stx/stx-puppet Setting up the bandit tool for the scanning of HIGH severity issues in the python codes under Starlingx/stx-puppet folder. Expecting this merge will enable zuul job for CI/CD of bandit scan. Configuration files: 1. tox.ini for adding bandit environment and command. 2. test-requirements.txt for adding bandit version. 3. .zuul.yaml file for adding bandit job and configuring under check job to run code scan every time before code commit. Test: Run tox -e bandit command inside the fault folder to validate the bandit scan and result. Story: 2007541 Task: 39687 Depends-On: https://review.opendev.org/#/c/721294/ Change-Id: I2982268db2b5e75feeb287bc95420fedc9b0d816 Signed-off-by: Sharath Kumar K --- .zuul.yaml | 2 ++ test-requirements.txt | 1 + tox.ini | 5 +++++ 3 files changed, 8 insertions(+) diff --git a/.zuul.yaml b/.zuul.yaml index 465306498..0bee17b47 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -1,5 +1,7 @@ --- - project: + templates: + - stx-bandit-jobs check: jobs: - stx-puppet-linters diff --git a/test-requirements.txt b/test-requirements.txt index 8ae3e22fd..3ee3d2794 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -1,3 +1,4 @@ # hacking pulls in flake8 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 bashate >= 0.2 +bandit!=1.6.0,>=1.1.0,<2.0.0 diff --git a/tox.ini b/tox.ini index 8b8285ca8..fc916874d 100644 --- a/tox.ini +++ b/tox.ini @@ -81,3 +81,8 @@ show-source = True ignore = E123,E125,E501,H405,W504 exclude = .venv,.git,.tox,dist,doc,*lib/python*,*egg,build,release-tag-* +[testenv:bandit] +basepython = python3 +description = Bandit code scan for *.py files under config folder +deps = -r{toxinidir}/test-requirements.txt +commands = bandit -r {toxinidir}/ -x '**/.tox/**,**/.eggs/**' -lll