-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathbandit.yml
More file actions
42 lines (38 loc) · 1.54 KB
/
Copy pathbandit.yml
File metadata and controls
42 lines (38 loc) · 1.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Bandit configuration.
# Reference: https://bandit.readthedocs.io/en/latest/config.html
#
# Philosophy:
# - Run the full default test suite.
# - Skip B101 (assert_used) inside tests/ and example fixtures only --
# production code still gets it.
# - Fail the gate on Medium and above; surface Low as informational.
# Directories that are excluded from the entire scan.
# (eval/cloned_repos contains third-party code we benchmark against; do not
# audit it as if it were ours. tests/ is excluded only in selected projects;
# here we keep tests in scope but skip B101 below.)
#
# Note: Bandit's exclude_dirs matches as a substring on each scanned path.
# Use bare directory names (no leading slash) so the match fires on relative
# paths in repo checkouts.
exclude_dirs:
- "tests"
- "eval/cloned_repos"
- ".venv"
- "venv"
- "build"
- "dist"
- ".git"
# Specific files excluded from scanning (Bandit doesn't support
# `exclude` keys on files, so we list them in the wrapper script).
# - eval/semgrep_corpus.py contains intentional bad patterns used as
# the Semgrep self-test corpus; it is excluded via the `--exclude` CLI
# flag in scripts/local_scan.sh and the workflow.
# Selectively skip individual checks.
# B101 (assert_used) is intentionally allowed in tests via path-based skip
# above; we do not skip it globally.
skips: []
# Only fail on these severities (Bandit treats this as a global threshold).
# Used by some Bandit invocations; the CLI flags in security.yml are the
# canonical source of truth.
severity: medium
confidence: medium