Pre-commit hook runs bandit (#45)

cal-itp · Apr 28, 2021 · 16e5ea8 · 16e5ea8
1 parent 860d9be
commit 16e5ea8
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 3 deletions.
diff --git a/.github/workflows/lint.yml → .github/workflows/pre-commit.yml b/.github/workflows/lint.yml → .github/workflows/pre-commit.yml
@@ -1,4 +1,4 @@
-name: Lint and formatting
+name: Pre-commit checks
 
 on:
   push:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -20,3 +20,10 @@ repos:
       - id: flake8
         types:
           - python
+  - repo: https://github.com/pycqa/bandit
+    rev: 1.7.0
+    hooks:
+      - id: bandit
+        args: ["-ll"]
+        exclude: ^server/
+        files: .py$
diff --git a/benefits/core/session.py b/benefits/core/session.py
@@ -21,10 +21,13 @@
 _LANG = "lang"
 _ORIGIN = "origin"
 _START = "start"
-_TOKEN = "token"
-_TOKEN_EXP = "token_exp"
 _UID = "uid"
 
+# ignore bandit B105:hardcoded_password_string
+# as these are not passwords, but keys for the session dict
+_TOKEN = "token"  # nosec
+_TOKEN_EXP = "token_exp"  # nosec
+
 
 def agency(request):
     """Get the agency from the request's session, or None"""