Bandit Issue with Pyproject.toml
I'm trying to use pyproject.toml to exclude the venv/ directory. But it is not recognising the option.

[tool.bandit]
exclude = "/venv"

[tool.black]
exclude = "(venv)"

[tool.isort]
profile = "black"
skip = "venv"
balanced_wrapping = true
atomic = true

If I use the CLI option like so:

$ bandit -v -r . --exclude "/venv"

the directory is excluded. But if I just run bandit, it doesn't exclude the directory even though I have it in the pyproject.toml.

My bandit version is: 1.7.1.

Thankful answered 3/1, 2022 at 12:33 Comment(0)
exclude did not work for me, so I looked through official docs and found this:


We can specify dirs (and files as well) that we want to exclude in a list format.

pyproject.toml:

[tool.bandit]
exclude_dirs = ["venv",]

From this documentation:

"Also you can configure bandit via pyproject.toml file. In this case you would explicitly specify the path to configuration via -c too."

Therefore, CLI option would look like this:

bandit -v -r . -c "pyproject.toml"

(will work without quotes as well)

I've never used bandit before, so if I got your question wrong - please feel free to write back, we will figure that out :D

Heterotypic answered 5/1, 2022 at 21:19 Comment(1)
There's one other detail left as a trap for the unwary: if you're using Python prior to 3.11, you need to install the toml module or use bandit[toml] to pull in the optional dependency. github.com/PyCQA/bandit/issues/318 touches on the need for an explicit -c argument. - Sievers
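A small sanity check for the pitfall in this thread, added here as an example (it is not bandit's own code): it parses the [tool.bandit] table and flags the unrecognised `exclude` key in favour of `exclude_dirs`, falling back to the third-party `toml` package on Pythons without `tomllib`, as the comment above describes. The two sample configurations are constructed from the question and the answer.

```python
"""Check that [tool.bandit] in a pyproject.toml uses keys bandit honours."""

try:
    import tomllib  # standard library on Python 3.11+

    def _loads(text):
        return tomllib.loads(text)
except ImportError:  # older Pythons: the optional dependency from bandit[toml]
    import toml

    def _loads(text):
        return toml.loads(text)

# Constructed sample: the configuration posted in the question (does not work).
BROKEN_CONFIG = """
[tool.bandit]
exclude = "/venv"

[tool.black]
exclude = "(venv)"
"""

# Constructed sample: the configuration from the accepted answer.
FIXED_CONFIG = """
[tool.bandit]
exclude_dirs = ["venv",]
"""


def check_bandit_config(pyproject_text):
    """Return (exclude_dirs, problems) for the [tool.bandit] table.

    `problems` is a list of findings; an empty list means the exclusion
    settings are in the shape bandit reads from a config file.
    """
    table = _loads(pyproject_text).get("tool", {}).get("bandit")
    if table is None:
        return [], ["no [tool.bandit] table found"]
    problems = []
    if "exclude" in table:
        # The question shows this key being silently ignored; only the CLI
        # flag --exclude takes a single string. The config-file key is a list.
        problems.append("'exclude' is ignored in [tool.bandit]; use exclude_dirs = [...]")
    dirs = table.get("exclude_dirs", [])
    if not isinstance(dirs, list) or not all(isinstance(d, str) for d in dirs):
        problems.append("exclude_dirs must be a list of strings")
        dirs = []
    return dirs, problems


if __name__ == "__main__":
    for name, cfg in (("question", BROKEN_CONFIG), ("answer", FIXED_CONFIG)):
        print(name, check_bandit_config(cfg))
```

Run it against your real pyproject.toml before `bandit -r . -c pyproject.toml`; a non-empty problem list explains why venv/ is still being scanned.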
To exclude directory venv, this command works fine for me:

bandit -r . -x */venv/*

Fluvial answered 2/1, 2023 at 16:24 Comment(0)
