Skip to main content
Version: 2.24 (prerelease)

bandit


A tool for finding security issues in Python code (https://bandit.readthedocs.io).

This version of Pants uses bandit version 1.7.9 by default. Use a dedicated lockfile and the install_from_resolve option to control this.

Backend: pants.backend.python.lint.bandit

Config section: [bandit]

Basic options

args

--bandit-args="[<shell_str>, <shell_str>, ...]"
PANTS_BANDIT_ARGS
pants.toml
[bandit]
args = [
<shell_str>,
<shell_str>,
...,
]
default: []

Arguments to pass directly to Bandit, e.g. --bandit-args='--skip B101,B308 --confidence'.

skip

--[no-]bandit-skip
PANTS_BANDIT_SKIP
pants.toml
[bandit]
skip = <bool>
default: False

If true, don't use Bandit when running pants lint.

Advanced options

config

--bandit-config=<file_option>
PANTS_BANDIT_CONFIG
pants.toml
[bandit]
config = <file_option>
default: None

Path to a Bandit YAML config file (https://bandit.readthedocs.io/en/latest/config.html).

console_script

--bandit-console-script=<str>
PANTS_BANDIT_CONSOLE_SCRIPT
pants.toml
[bandit]
console_script = <str>
default: bandit

The console script for the tool. Using this option is generally preferable to (and mutually exclusive with) specifying an --entry-point since console script names have a higher expectation of staying stable across releases of the tool. Usually, you will not want to change this from the default.

entry_point

--bandit-entry-point=<str>
PANTS_BANDIT_ENTRY_POINT
pants.toml
[bandit]
entry_point = <str>
default: None

The entry point for the tool. Generally you only want to use this option if the tool does not offer a --console-script (which this option is mutually exclusive with). Usually, you will not want to change this from the default.

install_from_resolve

--bandit-install-from-resolve=<str>
PANTS_BANDIT_INSTALL_FROM_RESOLVE
pants.toml
[bandit]
install_from_resolve = <str>
default: None

If specified, install the tool using the lockfile for this named resolve.

This resolve must be defined in [python].resolves, as described in https://www.pantsbuild.org/2.24/docs/python/overview/lockfiles#lockfiles-for-tools.

The resolve's entire lockfile will be installed, unless specific requirements are listed via the requirements option, in which case only those requirements will be installed. This is useful if you don't want to invalidate the tool's outputs when the resolve incurs changes to unrelated requirements.

If unspecified, and the lockfile option is unset, the tool will be installed using the default lockfile shipped with Pants, which uses bandit version 1.7.9.

If unspecified, and the lockfile option is set, the tool will use the custom bandit "tool lockfile" generated from the version and extra_requirements options. But note that this mechanism is deprecated.

requirements

--bandit-requirements="['<str>', '<str>', ...]"
PANTS_BANDIT_REQUIREMENTS
pants.toml
[bandit]
requirements = [
'<str>',
'<str>',
...,
]
default: []

If install_from_resolve is specified, install these requirements, at the versions provided by the specified resolve's lockfile.

Values can be pip-style requirements (e.g., tool or tool==1.2.3 or tool>=1.2.3), or addresses of python_requirement targets (or targets that generate or depend on python_requirement targets). Make sure to use the // prefix to refer to targets using their full address from the root (e.g. //3rdparty/python:tool). This is necessary to distinguish address specs from local or VCS requirements.

The lockfile will be validated against the requirements - if a lockfile doesn't provide the requirement (at a suitable version, if the requirement specifies version constraints) Pants will error.

If unspecified, install the entire lockfile.

Deprecated options

None

None