From 3b68098be42b856471fa1cc39f359d6649585df4 Mon Sep 17 00:00:00 2001 From: Sharath Kumar K Date: Mon, 4 May 2020 08:01:38 +0200 Subject: [PATCH] Tox and Zuul job for the python code scan in starlingx/ha Setting up the bandit tool for the scanning of HIGH severity issues in the python codes under Starlingx/ha folder. Expecting this merge will enable zuul job for CI/CD of bandit scan. Configuration files: 1. tox.ini for adding bandit environment and command. 2. test-requirements.txt for adding bandit version. 3. .zuul.yaml file for adding bandit job and configuring under check job to run code scan every time before code commit. Test: Run tox -e bandit command inside the fault folder to validate the bandit scan and result. Please note: Changes will be implemented in batches and this is Batch3 change. Story: 2007541 Task: 39621 Depends-On: https://review.opendev.org/#/c/721294/ Change-Id: I01f81d7c52c12432965106f9603e4db600381971 Signed-off-by: Sharath Kumar K --- .zuul.yaml | 1 + test-requirements.txt | 1 + tox.ini | 6 ++++++ 3 files changed, 8 insertions(+) diff --git a/.zuul.yaml b/.zuul.yaml index 7cefee77..85a56388 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -4,6 +4,7 @@ - publish-stx-docs - stx-api-ref-jobs - stx-release-notes-jobs + - stx-bandit-jobs check: jobs: - openstack-tox-pep8 diff --git a/test-requirements.txt b/test-requirements.txt index 47d1aec2..0375f1c0 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -1,3 +1,4 @@ bashate >= 0.2 PyYAML >= 3.1.0 yamllint >= 0.5.2 +bandit!=1.6.0,>=1.1.0,<2.0.0 diff --git a/tox.ini b/tox.ini index 7038b092..55631319 100644 --- a/tox.ini +++ b/tox.ini @@ -130,3 +130,9 @@ commands = rm -rf api-ref/build sphinx-build -W -b html -d api-ref/build/doctrees api-ref/source api-ref/build/html whitelist_externals = rm + +[testenv:bandit] +basepython = python3 +description = Bandit code scan for *.py files under config folder +deps = -r{toxinidir}/test-requirements.txt +commands = bandit -r {toxinidir}/ -x '**/.tox/**',**/.eggs/** -lll