ci: move Bandit config to pyproject.toml

Molkree · Molkree · commit 1e95c0cc2ff8 · 2025-10-05T19:03:38.000+04:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -39,7 +39,8 @@ repos:
     hooks:
       - id: bandit
         exclude: ^fuzz/generated/
-        args: ["-c", "bandit.conf"]
+        args: ["-c", "pyproject.toml"]
+        additional_dependencies: [ "bandit[toml]" ]
 
   - repo: https://github.com/jorisroovers/gitlint
     rev: v0.19.1
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -258,18 +258,18 @@ specify a whole folder using ```./```
 
 ### Running bandit by itself
 
-We have a configuration file for bandit called `bandit.conf` that you should use.  This disables a few of the checkers.
+We have configuration section for Bandit in our `pyproject.toml`.  This disables a few of the checkers.
 
 To run it on all the code we scan, use the following:
 
 ```bash
-bandit -c bandit.conf -r cve_bin_tool/ test/
+bandit -c pyproject.toml -r cve_bin_tool/ test/
 ```
 
 You can also run it on individual files:
 
 ```bash
-bandit -c bandit.conf filename.py
+bandit -c pyproject.toml filename.py
 ```
 
 If you run it without the config file, it will run a few extra checkers, so you'll get additional warnings.
diff --git a/bandit.conf b/bandit.conf
diff --git a/pyproject.toml b/pyproject.toml
@@ -115,6 +115,12 @@ version = { attr = "cve_bin_tool.version.VERSION" }
 "sbom" = ["*.spdx", "*.json"]
 "mismatch" = ["*.py"]
 
+[tool.bandit]
+skips = ["B603", "B607", "B404"]
+
+[tool.bandit.assert_used]
+skips = ["*/test_*.py"]
+
 [tool.coverage.run]
 source = ["cve_bin_tool", "test"]
 branch = true
