Version: 2.18 (deprecated)

bandit

A tool for finding security issues in Python code (https://bandit.readthedocs.io).

Backend: pants.backend.python.lint.bandit

Config section: [bandit]

Basic options

`args`

--bandit-args="[<shell_str>, <shell_str>, ...]"
PANTS_BANDIT_ARGS

pants.toml
[bandit]
args = [
    <shell_str>,
    <shell_str>,
    ...,
]

default: []

Arguments to pass directly to Bandit, e.g. --bandit-args='--skip B101,B308 --confidence'.

`skip`

--[no-]bandit-skip
PANTS_BANDIT_SKIP

pants.toml
[bandit]
skip = <bool>

default: False

If true, don't use Bandit when running pants lint.

Advanced options

`config`

--bandit-config=<file_option>
PANTS_BANDIT_CONFIG

pants.toml
[bandit]
config = <file_option>

default: None

Path to a Bandit YAML config file (https://bandit.readthedocs.io/en/latest/config.html).

`console_script`

--bandit-console-script=<str>
PANTS_BANDIT_CONSOLE_SCRIPT

pants.toml
[bandit]
console_script = <str>

default: bandit

The console script for the tool. Using this option is generally preferable to (and mutually exclusive with) specifying an --entry-point since console script names have a higher expectation of staying stable across releases of the tool. Usually, you will not want to change this from the default.

`entry_point`

--bandit-entry-point=<str>
PANTS_BANDIT_ENTRY_POINT

pants.toml
[bandit]
entry_point = <str>

default: None

The entry point for the tool. Generally you only want to use this option if the tool does not offer a --console-script (which this option is mutually exclusive with). Usually, you will not want to change this from the default.

`install_from_resolve`

--bandit-install-from-resolve=<str>
PANTS_BANDIT_INSTALL_FROM_RESOLVE

pants.toml
[bandit]
install_from_resolve = <str>

default: None

If specified, install the tool using the lockfile for this named resolve.

This resolve must be defined in [python].resolves, as described in https://www.pantsbuild.org/v2.18/docs/python-third-party-dependencies#user-lockfiles.

The resolve's entire lockfile will be installed, unless specific requirements are listed via the requirements option, in which case only those requirements will be installed. This is useful if you don't want to invalidate the tool's outputs when the resolve incurs changes to unrelated requirements.

If unspecified, and the lockfile option is unset, the tool will be installed using the default lockfile shipped with Pants.

If unspecified, and the lockfile option is set, the tool will use the custom bandit "tool lockfile" generated from the version and extra_requirements options. But note that this mechanism is deprecated.

`requirements`

--bandit-requirements="['<str>', '<str>', ...]"
PANTS_BANDIT_REQUIREMENTS

pants.toml
[bandit]
requirements = [
    '<str>',
    '<str>',
    ...,
]

default: []

If install_from_resolve is specified, install these requirements, at the versions provided by the specified resolve's lockfile.

Values can be pip-style requirements (e.g., tool or tool==1.2.3 or tool>=1.2.3), or addresses of python_requirement targets (or targets that generate or depend on python_requirement targets).

The lockfile will be validated against the requirements - if a lockfile doesn't provide the requirement (at a suitable version, if the requirement specifies version constraints) Pants will error.

If unspecified, install the entire lockfile.

Deprecated options

None

Basic options​

args​

skip​

Advanced options​

config​

console_script​

entry_point​

install_from_resolve​

requirements​

Deprecated options​

Related subsystems​

Basic options

`args`

`skip`

Advanced options

`config`

`console_script`

`entry_point`

`install_from_resolve`

`requirements`

Deprecated options

Related subsystems