Skip to content

Fix bandit B108 false positive warnings in agent examples #4107

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: develop
Choose a base branch
from
Open

Fix bandit B108 false positive warnings in agent examples #4107

wants to merge 10 commits into from
+3 −3

Conversation

@strickvl
Copy link
Contributor

@strickvl strickvl commented Oct 29, 2025
edited
Loading

Suppresses false positive bandit B108 security warnings in the CrewAI and Haystack agent framework integration examples. These warnings were flagging hardcoded /tmp paths, but the code is actually secure.

Changes

Added # nosec B108 suppression comments with explanations to:

  • examples/agent_framework_integrations/crewai/run.py (lines 23, 25)
  • examples/agent_framework_integrations/haystack/run.py (line 21)

Why This is Safe

The flagged code sets Docker environment variables (HOME and XDG_DATA_HOME) to /tmp paths for containerized execution. This is not the insecure temp file operation that bandit's B108 rule is designed to catch. In Docker containers, /tmp is the standard location for ephemeral storage, and there's no security risk from:

  • Symlink attacks (isolated container filesystem)
  • Race conditions (single process environment)
  • Predictable paths (ephemeral container lifecycle)

Testing

Verified with targeted bandit scan:

bandit -c pyproject.toml -ll examples/agent_framework_integrations/crewai/run.py examples/agent_framework_integrations/haystack/run.py

Result: No issues identified (3 potential issues correctly skipped via nosec)

Note

These are example/demo files demonstrating integration patterns, not production security-critical code.

@strickvl
Suppress false positive bandit B108 warnings in agent examples
96f4f33 
Add nosec comments to Docker environment variable configurations
in CrewAI and Haystack examples. These /tmp paths are safe Docker
env vars for writable storage locations, not insecure temp file
operations that bandit's B108 rule is designed to catch.
@github-actions github-actions bot added the internal To filter out internal PRs and issues label Oct 29, 2025
@strickvl strickvl added run-slow-ci and removed internal To filter out internal PRs and issues labels Oct 29, 2025
@strickvl strickvl added internal To filter out internal PRs and issues fix CI labels Oct 29, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025
edited
Loading

Documentation Link Check Results

Absolute links check passed
Relative links check passed
Last checked: 2025-10-31 17:46:21 UTC

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@htahir1 htahir1 htahir1 approved these changes

@bcdurak bcdurak bcdurak approved these changes

@stefannica stefannica Awaiting requested review from stefannica

Assignees

No one assigned

Labels

CI fix internal To filter out internal PRs and issues run-slow-ci

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@strickvl @htahir1 @bcdurak