bandit
A tool for finding security issues in Python code (https://bandit.readthedocs.io).
Backend: pants.backend.python.lint.bandit
Config section: [bandit]
Basic options
args
  Flag:    --bandit-args="[<shell_str>, <shell_str>, ...]"
  Env:     PANTS_BANDIT_ARGS
  Config:
    [bandit]
    args = [
      <shell_str>,
      <shell_str>,
      ...,
    ]
  Default: []
  Arguments to pass directly to Bandit, e.g. --bandit-args='--skip B101,B308 --confidence'.
export
  Flag:    --[no-]bandit-export
  Env:     PANTS_BANDIT_EXPORT
  Config:
    [bandit]
    export = <bool>
  Default: True
  If true, export a virtual environment with Bandit when running pants export.
  This can be useful, for example, with IDE integrations to point your editor to the tool's binary.
skip
  Flag:    --[no-]bandit-skip
  Env:     PANTS_BANDIT_SKIP
  Config:
    [bandit]
    skip = <bool>
  Default: False
  If true, don't use Bandit when running pants lint.
Advanced options
config
  Flag:    --bandit-config=<file_option>
  Env:     PANTS_BANDIT_CONFIG
  Config:
    [bandit]
    config = <file_option>
  Default: None
  Path to a Bandit YAML config file (https://bandit.readthedocs.io/en/latest/config.html).
console_script
  Flag:    --bandit-console-script=<str>
  Env:     PANTS_BANDIT_CONSOLE_SCRIPT
  Config:
    [bandit]
    console_script = <str>
  Default: bandit
  The console script for the tool. Using this option is generally preferable to (and mutually exclusive with) specifying an --entry-point, since console script names have a higher expectation of staying stable across releases of the tool. Usually, you will not want to change this from the default.
entry_point
  Flag:    --bandit-entry-point=<str>
  Env:     PANTS_BANDIT_ENTRY_POINT
  Config:
    [bandit]
    entry_point = <str>
  Default: None
  The entry point for the tool. Generally you only want to use this option if the tool does not offer a --console-script (which this option is mutually exclusive with). Usually, you will not want to change this from the default.
extra_requirements
  Flag:    --bandit-extra-requirements="['<str>', '<str>', ...]"
  Env:     PANTS_BANDIT_EXTRA_REQUIREMENTS
  Config:
    [bandit]
    extra_requirements = [
      '<str>',
      '<str>',
      ...,
    ]
  Default: [ "setuptools", "GitPython==3.1.18" ]
  Any additional requirement strings to use with the tool. This is useful if the tool allows you to install plugins or if you need to constrain a dependency to a certain version.
lockfile
  Flag:    --bandit-lockfile=<str>
  Env:     PANTS_BANDIT_LOCKFILE
  Config:
    [bandit]
    lockfile = <str>
  Default: <default>
  Path to a lockfile used for installing the tool.

  Set to the string <default> to use a lockfile provided by Pants, so long as you have not changed the --version and --extra-requirements options, and the tool's interpreter constraints are compatible with the default. Pants will error or warn if the lockfile is not compatible (controlled by [python].invalid_lockfile_behavior). See https://github.com/pantsbuild/pants/blob/release_2.14.2/src/python/pants/backend/python/lint/bandit/bandit.lock for the default lockfile contents.

  Set to the string <none> to opt out of using a lockfile. We do not recommend this, though, as lockfiles are essential for reproducible builds and supply-chain security.

  To use a custom lockfile, set this option to a file path relative to the build root, then run pants generate-lockfiles --resolve=bandit.

  Alternatively, you can set this option to the path to a custom lockfile using pip's requirements.txt-style, ideally with --hash. Set [python].invalid_lockfile_behavior = 'ignore' so that Pants does not complain about missing lockfile headers.
version
  Flag:    --bandit-version=<str>
  Env:     PANTS_BANDIT_VERSION
  Config:
    [bandit]
    version = <str>
  Default: bandit>=1.7.0,<1.8
  Requirement string for the tool.
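An added example, not part of the Pants docs or the Pants project, showing how the args, config, lockfile, extra_requirements and version options above fit together in one pants.toml: an exact version pin (so the lockfile Pants ships no longer applies), a custom lockfile in place of the discouraged <none>, a Bandit YAML config, and pass-through arguments. The paths 3rdparty/python/bandit.lock and bandit.yaml are assumed names chosen for illustration.

```toml
# pants.toml (added example; the file paths below are assumptions)

[python]
# Only needed if the lockfile is a hand-written, pip requirements.txt-style
# file without Pants lockfile headers. When Pants generates the lockfile
# itself, leave this unset so incompatible lockfiles are still reported.
# invalid_lockfile_behavior = "ignore"

[bandit]
# Pin the tool exactly. Because this differs from the default
# "bandit>=1.7.0,<1.8", the lockfile Pants provides no longer applies and
# a custom lockfile must be declared below.
version = "bandit==1.7.4"
extra_requirements = ["setuptools", "GitPython==3.1.18"]

# Weak setting: no lockfile at all. The tool install is then neither
# reproducible nor auditable for supply-chain tampering.
# lockfile = "<none>"

# Preferred: a lockfile checked into the repo, regenerated whenever
# version or extra_requirements change, with
#   pants generate-lockfiles --resolve=bandit
lockfile = "3rdparty/python/bandit.lock"

# Repo-wide Bandit settings (tests to run or skip, excluded directories)
# live in a YAML file (https://bandit.readthedocs.io/en/latest/config.html)
# rather than being repeated on every command line.
config = "bandit.yaml"

# Per-invocation flags passed straight through to Bandit. Each shell word
# is its own element; this mirrors the docs' example of
# --bandit-args='--skip B101,B308 --confidence'.
args = ["--skip", "B101,B308", "--confidence"]

# Keep Bandit enabled in `pants lint`, and export its virtualenv so an
# editor integration can point at the same binary Pants runs.
skip = false
export = true
```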
Deprecated options
None
Related subsystems
None