move bandit excludes to pyproject.toml

Move the list of excluded files from --exclude in tox.ini to
exclude_dirs in pyproject.toml to centralize configuration in
pyproject.toml and make it accessible to tools and bandit invocations
outside of tox.

- Remove the comment that exclude is ignored by bandit 1.6.3+, which was
  fixed by PyCQA/bandit#722 in bandit 1.7.1.
- Change exclude (which only works for INI files) to exclude_dirs (which
  only works for TOML and YAML files), as described in
  PyCQA/bandit#876
- Add /.git/ and /__pycache__/ to exclude_dirs to match --exclude.
- Remove --exclude from invocation in tox.ini

Signed-off-by: Kevin Locke <[email protected]>

Author: kevinoid

pyproject.toml

@@ -18,11 +18,11 @@ requires = [
 build-backend = 'setuptools.build_meta'
 
 [tool.bandit]
-# Note: exclude is ignored by bandit 1.6.3 and later.
-# See https://github.com/PyCQA/bandit/issues/657
-exclude = [
+exclude_dirs = [
+    '/.git/',
     '/.tox/',
     '/.venv/',
+    '/__pycache__/',
 ]
 skips = [
     'B101', # assert_used (needed for pytest, arguably useful outside)

tox.ini

@@ -44,7 +44,7 @@ commands =
     # List files and top-level packages/directories explicitly for now.
     pylint docs setup.py src/packagename tests
     isort --check --diff .
-    bandit -c pyproject.toml -f txt --exclude /.git/,/.tox/,/.venv/,/__pycache__/ -r .
+    bandit -c pyproject.toml -f txt -r .
     pyroma .
     vulture --exclude */docs/*,*/tests/*,*/.tox/*,*/.venv*/* .
     black --check --diff .