bandit
A tool for finding security issues in Python code (https://bandit.readthedocs.io).
Backend: pants.backend.python.lint.bandit
Config section: [bandit]
Basic options
skip
--[no-]bandit-skip
PANTS_BANDIT_SKIP
default: False
Don't use Bandit when running ./pants lint.
args
--bandit-args="[<shell_str>, <shell_str>, ...]"
PANTS_BANDIT_ARGS
default: []
Arguments to pass directly to Bandit, e.g. --bandit-args='--skip B101,B308 --confidence'.
export
--[no-]bandit-export
PANTS_BANDIT_EXPORT
default: True
If true, export a virtual environment with Bandit when running ./pants export.
This can be useful, for example, with IDE integrations to point your editor to the tool's binary.
Advanced options
version
--bandit-version=<str>
PANTS_BANDIT_VERSION
default: bandit>=1.7.0,<1.8
Requirement string for the tool.
extra_requirements
--bandit-extra-requirements="['<str>', '<str>', ...]"
PANTS_BANDIT_EXTRA_REQUIREMENTS
default: [ "setuptools", "GitPython==3.1.18" ]
Any additional requirement strings to use with the tool. This is useful if the tool allows you to install plugins or if you need to constrain a dependency to a certain version.
lockfile
--bandit-lockfile=<str>
PANTS_BANDIT_LOCKFILE
default: <default>
Path to a lockfile used for installing the tool.
Set to the string <default> to use a lockfile provided by Pants, so long as you have not changed the --version and --extra-requirements options, and the tool's interpreter constraints are compatible with the default. Pants will error or warn if the lockfile is not compatible (controlled by [python].invalid_lockfile_behavior). See https://github.com/pantsbuild/pants/blob/release_2.12.1/src/python/pants/backend/python/lint/bandit/bandit.lock for the default lockfile contents.
Set to the string <none> to opt out of using a lockfile. We do not recommend this, though, as lockfiles are essential for reproducible builds: without one, the exact Bandit and dependency versions installed can change between runs.
To use a custom lockfile, set this option to a file path relative to the build root, then run ./pants generate-lockfiles --resolve=bandit.
As explained at Third-party dependencies, lockfile generation via generate-lockfiles does not always work and you may want to manually generate the lockfile. If you do, set [python].invalid_lockfile_behavior = 'ignore' so that Pants does not complain about missing lockfile headers.
console_script
--bandit-console-script=<str>
PANTS_BANDIT_CONSOLE_SCRIPT
default: bandit
The console script for the tool. Using this option is generally preferable to (and mutually exclusive with) specifying an --entry-point, since console script names have a higher expectation of staying stable across releases of the tool. Usually, you will not want to change this from the default.
entry_point
--bandit-entry-point=<str>
PANTS_BANDIT_ENTRY_POINT
default: None
The entry point for the tool. Generally you only want to use this option if the tool does not offer a --console-script (which this option is mutually exclusive with). Usually, you will not want to change this from the default.
config
--bandit-config=<file_option>
PANTS_BANDIT_CONFIG
default: None
Path to a Bandit YAML config file (https://bandit.readthedocs.io/en/latest/config.html).
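The options above are normally set together in pants.toml rather than on the command line. The following is an added example of such a configuration; it is not a snippet from the Pants documentation, and the lockfile path, config file name, and the choice of skipped test IDs are assumptions made for illustration.

```toml
# pants.toml (added example; paths and skipped test IDs are assumptions)

[GLOBAL]
# The Bandit backend requires the Python backend to be enabled as well.
backend_packages = [
  "pants.backend.python",
  "pants.backend.python.lint.bandit",
]

[bandit]
# Pin the tool. Once version or extra_requirements differ from the defaults,
# the Pants-provided lockfile no longer applies, so check a custom lockfile
# into the repo and regenerate it with:
#   ./pants generate-lockfiles --resolve=bandit
version = "bandit>=1.7.0,<1.8"
extra_requirements = ["setuptools", "GitPython==3.1.18"]
lockfile = "3rdparty/python/bandit.lock"

# Project-wide Bandit settings (tests, excludes, per-plugin tuning) belong in
# a Bandit YAML config file rather than in args.
config = "bandit.yaml"

# Flags passed straight through to Bandit on every ./pants lint run:
# skip B101 (use of assert) and B308 (Django mark_safe), and raise the
# confidence filter one level so low-confidence findings are not reported.
args = ["--skip", "B101,B308", "--confidence"]

# Export a Bandit virtualenv with ./pants export for editor integrations.
export = true

[python]
# Only needed if the lockfile was written by hand and lacks Pants' header.
# invalid_lockfile_behavior = "ignore"
```

With this in place, ./pants lint :: runs Bandit from the pinned lockfile, and Bandit's own per-directory settings come from the referenced YAML file; set skip = true in the [bandit] section to disable the linter temporarily without removing the configuration.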
Deprecated options
None