How can I make bandit skip B101 within tests?
I'm using bandit to check my code for potential security issues:

bandit -r git-repository/

However, the most common item found by bandit is B101. It is triggered by assert statements within tests. I use pytest, so this is not a concern, but a good practice. I've now created a .bandit file with

[bandit]
skips: B101

But that also skips a lot of other code. Is there a solution to this issue?

Suffuse answered 10/9, 2020 at 11:53 Comment(0)
A possible solution is to tell bandit to skip tests altogether. Assuming your code lives in a src subfolder, run

bandit --configfile bandit.yaml --recursive src

with the following bandit.yaml in the project's root directory

# Do not check paths including `/tests/`:
# they use `assert`, leading to B101 false positives.
exclude_dirs:
    - '/tests/'

There is a bunch of related issues and pull requests.

Update: I like Diego's solution better.

Psilomelane answered 28/9, 2020 at 13:47 Comment(0)
Based on this comment,

when using --recursive the whole path is fnmatched against the glob_list, therefore an --exclude_dir expression test_*.py doesn't match and exclude (py)test files in subdirectories; for that */test_*.py is needed.

The following configuration should solve your problem:

assert_used:
  skips: ["*_test.py", "*/test_*.py"]
Holsinger answered 16/11, 2021 at 19:53 Comment(2)
FWIW I had to update an old codebase from 1.5.1 to 1.74 to get this to work. (Dioptrics)
The **/test_*.py glob can be used for deeper nested test modules. (Facelift)
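To make the fnmatch behaviour quoted above concrete, here is an added example (not bandit's own code and not from any answer on this page). It models the one rule bandit's assert_used plugin applies to the `skips` list: each glob is tested with `fnmatch.fnmatch()` against the path bandit built while walking the tree, such as `src/tests/test_api.py` for `bandit -r src`. The sample tree, the candidate configurations and the helper names are constructed here for illustration; the `dirscoped` pattern is my own suggestion, not one from the answers.

```python
"""Model how bandit matches B101 (assert_used) `skips` globs against file paths.

Added example, not bandit's own code. It reproduces only the matching rule
bandit's assert_used plugin uses: fnmatch.fnmatch(context.filename, skip)
for each configured glob. Note that `*` in fnmatch also matches '/'.
"""
import fnmatch

# Constructed sample tree, as bandit would see it after `bandit -r src`
SAMPLE_PATHS = [
    "src/pkg/__init__.py",
    "src/pkg/api.py",
    "src/pkg/test_helpers.py",       # production code that happens to be named test_*
    "src/tests/test_api.py",
    "src/tests/unit/test_parser.py",  # nested one level deeper
    "src/tests/conftest.py",
    "src/tests/api_test.py",          # the foo_test.py naming convention
]

# The configurations proposed in the answers, plus one constructed alternative
CANDIDATES = {
    "bare":        ["*_test.py", "test_*.py"],     # as in the docs (Lakes' answer)
    "one_level":   ["*/test_*.py"],                # Holsinger's answer
    "double_star": ["**/test_*.py"],               # Facelift's comment
    "toml":        ["*_test.py", "*/test_*.py"],   # Dena's pyproject.toml answer
    "dirscoped":   ["*/tests/*"],                  # assumption: scope to the tests dir
}


def b101_skipped(path, skips):
    """True if bandit would suppress B101 for this file under these skips.

    Mirrors the plugin's check: any configured glob that fnmatches the
    full (relative) path silences the finding for that file.
    """
    return any(fnmatch.fnmatch(path, pattern) for pattern in skips)


def skipped_files(paths, skips):
    """Sorted list of the files for which B101 would be suppressed."""
    return sorted(p for p in paths if b101_skipped(p, skips))


def compare_patterns(paths, pattern_sets):
    """Map each candidate config label to the files it silences."""
    return {label: skipped_files(paths, skips) for label, skips in pattern_sets.items()}


if __name__ == "__main__":
    for label, files in compare_patterns(SAMPLE_PATHS, CANDIDATES).items():
        print(f"{label:12s} -> {files}")
    # When bandit is given a single top-level file, the path has no '/' at all,
    # so the */test_*.py form does not match it.
    print("top-level file, */test_*.py:", b101_skipped("test_top.py", ["*/test_*.py"]))
```

Running it shows why the bare docs pattern silences almost nothing under `-r`: `test_*.py` is anchored at the start of the path, so only `*_test.py` (whose leading `*` spans directories) matches anything. It also shows the cost of `*/test_*.py`: it silences `src/pkg/test_helpers.py` too, which is not a test, while `**/test_*.py` is just `*/test_*.py` to fnmatch and behaves identically. Scoping the glob to the test directory (`*/tests/*`) only silences what lives there. Either way the skip affects B101 alone, unlike `exclude_dirs`, which removes the files from every check.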
Just wanted to add to the answers above and mention the toml equivalent of skipping assert_used for specific files:

[tool.bandit.assert_used]
skips = ['*_test.py', '*/test_*.py']
Dena answered 8/9, 2022 at 12:59 Comment(0)
You can configure files that skip this check. This is often useful when you use assert statements in test cases.

bandit --configfile bandit.yaml

with the following bandit.yaml in the project's root directory

assert_used:
  skips: ['*_test.py', 'test_*.py']

Link to the original doc

Lakes answered 25/3, 2021 at 7:51 Comment(0)
Based on documentation, your config should look like skips: ['B101'], not skips: B101 (which you have).

EDIT:
Ok, so if I understand correctly, you want to skip B101 on your tests folder. I am not aware of any way to specify this, but I can think of a hack of a sort: just run bandit two times, once ignoring tests, and once only on tests skipping B101. I know it's not the most elegant way, but it should solve your problem.

Rations answered 18/9, 2020 at 18:58 Comment(8)
This is exactly what I have in my question, where I wrote it's not what I want. (Suffuse)
skips: ['B101'] and skips: B101 are not the same thing. Are you sure you have the right thing in your config? (Lack)
@ThrowAwayAccount Yes, I am. As stated in the question, I'm not asking for a solution to skip all B101 checks. I'm asking to skip B101 only for code in a given directory. (Suffuse)
@MartinThoma That wasn't clear from your question, so I was answering something else. So, you want to skip B101 only in the /test directory? (Rations)
Yes, I only want to skip B101 within the tests directory. In other directories, I still want to have this. (Suffuse)
Thanks for the clarification. Edited my answer with a possible solution. (Rations)
For the hack: can I have two different configurations for bandit? Is there something like "inheritance" for bandit configuration? (Suffuse)
No idea about "inheritance", but you can specify your used config in your CLI bandit command. Now the rest depends on your specific use case. I use pre-commit, where I can run bandit two times and specify the config there each time (as a file or just args). The same can be done in GitHub Actions. You can also create a simple shell script with these defined bandit checks and run it instead of directly using the CLI. (Rations)
How I achieved bandit skip B101 within tests in Visual Studio Code:

  1. In the project's root I have a bandit.yaml file with the following content:

     assert_used:
         skips: ["*/test_*.py"]

  2. In the settings.json file I have:

     "python.linting.banditArgs": [
         "-r",
         "--configfile",
         "${workspaceFolder}/bandit.yaml"
     ],
Silva answered 11/10, 2022 at 17:54 Comment(0)
I have the following in my pyproject.toml:

[tool.bandit]
exclude_dirs = [".venv", "tests"]
skips = ["B307"]

From the command line I just add -c pyproject.toml and bandit reads the configuration from there.

In VSCode:

"python.linting.banditArgs": [
    "--configfile",
    "pyproject.toml"
]
Contemporaneous answered 6/6, 2023 at 20:21 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.