A tool for finding security issues in Python code (https://bandit.readthedocs.io).

Backend: pants.backend.python.lint.bandit
Config section: [bandit]

Basic options

skip

--[no-]bandit-skip

PANTS_BANDIT_SKIP

default: False

Don't use Bandit when running ./pants lint.


args

--bandit-args="[<shell_str>, <shell_str>, ...]"

PANTS_BANDIT_ARGS

default: []

Arguments to pass directly to Bandit, e.g. --bandit-args='--skip B101,B308 --confidence'.


export

--[no-]bandit-export

PANTS_BANDIT_EXPORT

default: True

If true, export a virtual environment with Bandit when running ./pants export.

This can be useful, for example, with IDE integrations to point your editor to the tool's binary.


Advanced options

version

--bandit-version=<str>

PANTS_BANDIT_VERSION

default: bandit>=1.7.0,<1.8

Requirement string for the tool.


extra_requirements

--bandit-extra-requirements="['<str>', '<str>', ...]"

PANTS_BANDIT_EXTRA_REQUIREMENTS

default:
[
  "setuptools",
  "GitPython==3.1.18"
]

Any additional requirement strings to use with the tool. This is useful if the tool allows you to install plugins or if you need to constrain a dependency to a certain version.


lockfile

--bandit-lockfile=<str>

PANTS_BANDIT_LOCKFILE

default: <default>

Path to a lockfile used for installing the tool.

Set to the string <default> to use a lockfile provided by Pants, so long as you have not changed the --version and --extra-requirements options, and the tool's interpreter constraints are compatible with the default. Pants will error or warn if the lockfile is not compatible (controlled by [python].invalid_lockfile_behavior). See https://github.com/pantsbuild/pants/blob/release_2.13.1rc0/src/python/pants/backend/python/lint/bandit/bandit.lock for the default lockfile contents.

Set to the string <none> to opt out of using a lockfile. We do not recommend this, though, as lockfiles are essential for reproducible builds.

To use a custom lockfile, set this option to a file path relative to the build root, then run ./pants generate-lockfiles --resolve=bandit.

As explained in the Third-party dependencies docs, lockfile generation via generate-lockfiles does not always work and you may want to generate the lockfile manually. In that case, set [python].invalid_lockfile_behavior = 'ignore' so that Pants does not complain about missing lockfile headers.


console_script

--bandit-console-script=<str>

PANTS_BANDIT_CONSOLE_SCRIPT

default: bandit

The console script for the tool. Using this option is generally preferable to (and mutually exclusive with) specifying an --entry-point since console script names have a higher expectation of staying stable across releases of the tool. Usually, you will not want to change this from the default.


entry_point

--bandit-entry-point=<str>

PANTS_BANDIT_ENTRY_POINT

default: None

The entry point for the tool. Generally you only want to use this option if the tool does not offer a --console-script (which this option is mutually exclusive with). Usually, you will not want to change this from the default.


config

--bandit-config=<file_option>

PANTS_BANDIT_CONFIG

default: None

Path to a Bandit YAML config file (https://bandit.readthedocs.io/en/latest/config.html).
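A pants.toml that wires the options above together (args, config, a custom lockfile and the related [python] setting), added here as an example and not taken from the Pants documentation; the lockfile and YAML paths are assumptions.

```toml
# pants.toml (constructed example; every file path below is an assumption)

[bandit]
# Keep Bandit in the `./pants lint` run (false is already the default).
skip = false

# Flags handed straight to Bandit, the same ones shown for --bandit-args above.
args = ["--skip", "B101,B308", "--confidence"]

# Bandit's own YAML config (https://bandit.readthedocs.io/en/latest/config.html).
config = "build-support/bandit.yaml"

# A custom lockfile instead of the <default> one bundled with Pants.
# Generate it with:  ./pants generate-lockfiles --resolve=bandit
lockfile = "3rdparty/python/bandit.lock"

# Pin the tool to the range this Pants release was tested with.
version = "bandit>=1.7.0,<1.8"

[python]
# Only if the lockfile above was written by hand rather than by
# generate-lockfiles: uncomment so Pants does not reject the missing headers.
# invalid_lockfile_behavior = "ignore"
```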


Deprecated options

None

