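--- a/<PATH_NOT_ON_PAGE>
+++ b/<PATH_NOT_ON_PAGE>
@@ -1,115 +1,25 @@
-[bandit]
-# 🔒 Configuración de Bandit Security Scanner para NeuroBank FastAPI Toolkit
-# Versión optimizada para aplicaciones bancarias con alta seguridad
-
-# Excluir directorios que no requieren scanning
-exclude_dirs = [
- "/tests", # Tests pueden usar asserts y mocks
- "/app/tests", # Tests específicos de la app
- ".venv", # Entorno virtual
- "venv", # Alternativa de entorno virtual
- "__pycache__", # Cache de Python
- ".pytest_cache", # Cache de pytest
- "node_modules", # Si hay dependencias JS
- ".git" # Control de versiones
-]
-
-# Saltar tests específicos que son false positives o necesarios
-skips = [
- "B101", # assert_used - Los asserts son normales en tests
- "B601", # paramiko_calls - No usamos paramiko
- "B602", # subprocess_popen_with_shell_equals_true - Controlado
- "B603", # subprocess_without_shell_equals_true - Permitido si es necesario
- "B607", # start_process_with_partial_path - Paths relativos OK en algunos casos
-]
-
-# Nivel de confianza mínimo para reportar (HIGH para production banking)
-confidence = "MEDIUM"
-
-# Nivel de severidad (LOW, MEDIUM, HIGH)
-severity = "LOW"
-
-# Formato de salida (txt, json, csv, xml)
-format = "json"
-
-# Incluir archivos específicos si es necesario
-# include = ["*.py"]
-
-# Configurar plugins específicos (opcional)
-# plugins = ["B301", "B302"]
-
-# Número máximo de líneas de código por función antes de warning
-max_lines_per_function = 100
-
-# Tests adicionales específicos para aplicaciones bancarias
-tests = [
- "B102", # exec_used
- "B103", # set_bad_file_permissions
- "B104", # hardcoded_bind_all_interfaces
- "B105", # hardcoded_password_string
- "B106", # hardcoded_password_funcarg
- "B107", # hardcoded_password_default
- "B108", # hardcoded_tmp_directory
- "B110", # try_except_pass
- "B112", # try_except_continue
- "B201", # flask_debug_true
- "B301", # pickle
- "B302", # pickle_loads
- "B303", # md5
- "B304", # md5_insecure
- "B305", # cipher
- "B306", # mktemp_q
- "B307", # eval
- "B308", # mark_safe
- "B309", # httpsconnection
- "B310", # urllib_urlopen
- "B311", # random
- "B312", # telnetlib
- "B313", # xml_bad_cElementTree
- "B314", # xml_bad_ElementTree
- "B315", # xml_bad_expatreader
- "B316", # xml_bad_expatbuilder
- "B317", # xml_bad_sax
- "B318", # xml_bad_minidom
- "B319", # xml_bad_pulldom
- "B320", # xml_bad_etree
- "B321", # ftplib
- "B322", # input
- "B323", # unverified_context
- "B324", # hashlib_insecure_functions
- "B325", # tempnam
- "B401", # import_telnetlib
- "B402", # import_ftplib
- "B403", # import_pickle
- "B404", # import_subprocess
- "B405", # import_xml_etree
- "B406", # import_xml_sax
- "B407", # import_xml_expat
- "B408", # import_xml_minidom
- "B409", # import_xml_pulldom
- "B410", # import_lxml
- "B411", # import_xmlrpclib
- "B412", # import_httpoxy
- "B413", # import_pycrypto
- "B501", # request_with_no_cert_validation
- "B502", # ssl_with_bad_version
- "B503", # ssl_with_bad_defaults
- "B504", # ssl_with_no_version
- "B505", # weak_cryptographic_key
- "B506", # yaml_load
- "B507", # ssh_no_host_key_verification
- "B601", # paramiko_calls
- "B602", # subprocess_popen_with_shell_equals_true
- "B603", # subprocess_without_shell_equals_true
- "B604", # any_other_function_with_shell_equals_true
- "B605", # start_process_with_a_shell
- "B606", # start_process_with_no_shell
- "B607", # start_process_with_partial_path
- "B608", # hardcoded_sql_expressions
- "B609", # linux_commands_wildcard_injection
- "B610", # django_extra_used
- "B611", # django_rawsql_used
- "B701", # jinja2_autoescape_false
- "B702", # use_of_mako_templates
- "B703", # django_mark_safe
-]
+---
+exclude_dirs:
+ - tests
+ - app/tests
+ - .venv
+ - venv
+ - __pycache__
+ - .pytest_cache
+ - node_modules
+ - .git
+
+skips:
+ - B101 # assert_used - Los asserts son normales en tests
+ - B601 # paramiko_calls - No usamos paramiko
+ - B602 # subprocess_popen_with_shell_equals_true - Controlado
+ - B603 # subprocess_without_shell_equals_true - Permitido si es necesario
+ - B607 # start_process_with_partial_path - Paths relativos OK en algunos casos
+
+confidence: MEDIUM
+severity: LOW
+format: json
+
+max_lines_per_function: 100
+
+tests: []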
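Review bot: The new `skips` list still disables B602, B603 and B607 (the shell=True and partial-path subprocess checks) for the entire tree, which for a banking service silences exactly the command-injection findings the scan exists to surface; the safer pattern is to drop those three from `skips` and mark each individually reviewed call site with an inline `# nosec B602` (or B603/B607) so every exception is visible and reviewable in the diff. The explicit `tests` list was replaced by `tests: []`, which as far as I can tell bandit interprets as "every test not in skips" rather than "no tests" — a one-line comment such as `# empty list = run every test except those in skips` above it would stop a future reader from assuming the scan was disabled. I don't believe `confidence`, `severity`, `format` or `max_lines_per_function` are read from bandit's YAML config at all (the first three are the `-i`, `-l` and `-f` CLI options), so they may be silently ignored here; worth confirming against the bandit version in CI and, if so, passing them on the command line instead. The removed comment had also recorded HIGH confidence as the intended production target while the value stayed MEDIUM; the new file keeps MEDIUM with no rationale, so either raise it or comment why MEDIUM is the chosen threshold.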