Usage needlessly complicated #606
Actually one more thing just popped in my mind, that would make this better: the only reason I skip tests at all is It would probably be nice if we could set Even better would be automatically skipping

Agree with all of the above, but I think that just dealing with #346 nicely would solve your need for configuration, and mine too...

Hi, the following may be helpful to configure
The documentation should cover such a topic.
No. In the Scanning Behavior section, an example YAML configuration is shown. And in the Usage section,

What is a profile? How can I define it? Not explained anywhere.

I just want to add, that with more and more tools allowing the whole config to be in a pyproject.toml, I would like to see this to be the default. Running The major reason behind this is, I think it makes life easier for those who work with CI jobs. Having one simple command (like

I also suggested config file detection order in #317 (comment)

Since it was merged a few months ago, it's now possible to partly work around the dumpster fire by using
Is your feature request related to a problem? Please describe.
When setting up Bandit the usage is needlessly complicated. This is made even worse when I want to use things like pre-commit or otherwise get colleagues to use the same tools, as the configuration files are a mess.
There is no example that I can find for the `-c` config file. I tried to use the only format documented, the INI format, and it complained about some document start not being found, which sounds like it expects XML. I see no examples of XML configuration.

The INI format config is supposed to be loaded by default from `.bandit`, it's not. I need to add `--ini .bandit` or I get the completely false error message `No targets found in CLI or ini files, exiting.` .. considering it says `path to a .bandit file that supplies command line arguments`, AND the error claims to "not find" ini files, this should clearly be loaded by default.

The INI format configuration is not well documented, just some handwavy "comma separated list of blah" instead of showing actual examples for most of the usage, and it fails to specify that it does not support comments at the end of lines.

E.g. this causes an error:

`-r` argument, causing really stupid looking configuration and significant astonishment at the difficulties to get it to work.

This causes an error:

```ini
[bandit]
targets: **/*.py
```

This does nothing:

```ini
[bandit]
exclude: **/tests
```

This also fails to work, because directories cannot be excluded:

```ini
[bandit]
exclude: tests,*/tests,*/*/tests,*/*/*/tests,... for as many levels as you guess your app will need
```

This also fails because the spaces are not trimmed around the `,`:

```ini
[bandit]
exclude: tests/*, */tests/*, */*/tests/*, */*/*/tests/*, ... for as many levels as you guess your app will need
```

This seems to work though, if your code is e.g. in `app` directory and IF used with `bandit --ini .bandit -r`:

```ini
[bandit]
include: app
exclude: app/tests/*,app/*/tests/*,app/*/*/tests/*,app/*/*/*/tests/*,... for as many levels as you guess your app will need
```

`pre-commit`, but Bandit ignores the `exclude` from the INI file even with the explicitly set `--ini .bandit` arg, I imagine because `pre-commit` gives it a list of files as arguments, so I have to re-do the exclude in `.pre-commit-config.yaml`.

You should be able to tell by now why this just feels wrong on so many levels and is at the very least needlessly complicated.
Describe the solution you'd like
1. `bandit . -r` should be the default operation, with something like `--no-recurse` to override the recursion.
2. `.bandit` configuration (and I really hope soon `pyproject.toml` configuration) should be read automatically.
3. `-c` configuration example file should be in the repo's README, and the `--ini` should be properly documented as well.
4. `.bandit` and other configuration should be respected regardless of if `bandit` gets a list of filenames as arguments or not, though of course it should be possible to override configuration when necessary .. the expectation is that `targets: app` with `-r` and `app/file.py` as argument have the same effect with the same configuration.
5. `.bandit` and other configuration formats should be fully capable of making the tool run properly by default without requiring constant manual edits, i.e. they should support the recursion (if 1. is implemented less important), and they should support proper globs both for `targets` and `exclude`.
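As an added example (not from the issue author or the Bandit project), this is one way to re-do the exclusion on the pre-commit side, as the issue describes having to do when pre-commit hands Bandit a list of files; the `app/` layout is taken from the issue, while the release tag is a placeholder and the hook id is the one Bandit's repository publishes:

```yaml
# .pre-commit-config.yaml (added example; rev is a placeholder)
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: "<bandit-release-tag>"   # placeholder: pin a real release tag
    hooks:
      - id: bandit
        # pre-commit passes the staged *.py files as positional targets, and
        # the issue reports that Bandit then ignores the INI `exclude`; the
        # INI is still passed explicitly so its other settings are read.
        args: ["--ini", ".bandit"]
        # pre-commit filters the file list with this regex before Bandit sees
        # it, so tests at any depth under app/ are skipped without spelling
        # out one INI glob per directory level.
        exclude: ^app/(.*/)?tests/
```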