27

I'm using bandit to check my code for potential security issues:

bandit -r git-repository/

However, the most common item found by bandit is B101. It is triggered by assert statements within tests. I use pytest, so this is not a concern, but a good practice. I've now created a .bandit file with

[bandit]
skips: B101

But that also skips a lot of other code. Is there a solution to this issue?

Martin Thoma

7 Answers

17

Based on this comment,

when using --recursive the whole path is fnmatched against the glob_list, therefore an --exclude_dir expression test_*.py doesn't match and exclude (py)test files in subdirectories; for that */test_*.py is needed.

The following configuration should solve your problem:

assert_used:
  skips: ["*_test.py", "*/test_*.py"]
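To make the quoted comment concrete, here is an added example (not code from bandit or from this answer) that models two things: what B101 actually flags, namely any `assert` statement found while walking the AST, and how a per-plugin `skips` glob is applied to the whole file path with `fnmatch`. The sample "repository" is constructed inline; `run_b101`, `find_asserts` and `path_is_skipped` are names chosen here, not bandit's own API. It goes a step beyond the comment by also showing that `*/test_*.py` alone does not cover a test file at the top level of the scanned tree, which is why the answers combine two patterns.

```python
"""Model of bandit's B101 (assert_used) check plus per-plugin skip globs."""
from __future__ import annotations

import ast
import fnmatch

# Constructed sample repository: relative path -> source text.
SAMPLE_FILES = {
    "app/service.py": (
        "def withdraw(balance, amount):\n"
        "    assert amount <= balance  # B101: removed under `python -O`\n"
        "    return balance - amount\n"
    ),
    "tests/test_service.py": (
        "def test_withdraw():\n"
        "    assert withdraw(10, 3) == 7\n"
    ),
    "test_top.py": "assert 1 + 1 == 2\n",
}


def find_asserts(source: str) -> list[int]:
    """Line numbers of every `assert` statement: the condition B101 reports."""
    tree = ast.parse(source)
    return [node.lineno for node in ast.walk(tree) if isinstance(node, ast.Assert)]


def path_is_skipped(path: str, skip_globs: list[str]) -> bool:
    """Per-plugin `skips` as described in the quoted comment: fnmatch each glob
    against the *whole* path. Note that fnmatch's `*` also matches `/`."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in skip_globs)


def run_b101(files: dict[str, str], skip_globs: list[str]) -> dict[str, list[int]]:
    """Return {path: [assert line numbers]} for files not excluded by skip_globs."""
    findings: dict[str, list[int]] = {}
    for path, source in files.items():
        if path_is_skipped(path, skip_globs):
            continue
        lines = find_asserts(source)
        if lines:
            findings[path] = lines
    return findings


if __name__ == "__main__":
    # Only a top-level pattern: the test under tests/ is still reported.
    print(run_b101(SAMPLE_FILES, ["test_*.py"]))
    # Only the subdirectory pattern: the top-level test file is still reported.
    print(run_b101(SAMPLE_FILES, ["*/test_*.py"]))
    # Both patterns: only the production-code assert remains, as intended.
    print(run_b101(SAMPLE_FILES, ["test_*.py", "*/test_*.py"]))
```

The remaining finding in `app/service.py` is the one B101 exists for: an `assert` used as a runtime guard disappears when Python runs with `-O`, so it should not be relied on for input validation outside tests.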
14

Just wanted to add to the answers above and mention the toml equivalent of skipping assert_used for specific files:

[tool.bandit.assert_used]
skips = ['*_test.py', '*/test_*.py']
Aaron Alphonso
9

A possible solution is to tell bandit to skip tests altogether. Assuming your code lives in a src subfolder, run

bandit --configfile bandit.yaml --recursive src

with the following bandit.yaml in the project's root directory

# Do not check paths including `/tests/`:
# they use `assert`, leading to B101 false positives.
exclude_dirs:
    - '/tests/'

There are a bunch of related issues and pull requests.

Update: I like Diego's solution better.

angelo-peronio
4

You can configure files that skip this check. This is often useful when you use assert statements in test cases.

bandit --configfile bandit.yaml

with the following bandit.yaml in the project's root directory

assert_used:
  skips: ['*_test.py', 'test_*.py']

Link to the original doc

Shivam_kira
2

Based on the documentation, your config should look like skips: ['B101'], not skips: B101 (which you have).

EDIT:
Ok, so if I understand correctly, you want to skip B101 on your tests folder. I am not aware of any way to specify this, but I can think of a hack of a sort - just run bandit two times - once ignoring tests, and once only on tests skipping B101. I know, it's not the most elegant way, but it should solve your problem.

janpeterka
  • 1
    This is exactly what I have in my question where I wrote it's not what I want – Martin Thoma Sep 18 '20 at 19:52
  • 3
    `skips: ['B101']` and `skips: B101` are not the same thing. Are you sure you have the right thing in your config? – Throw Away Account Sep 18 '20 at 20:52
  • @ThrowAwayAccount Yes, I am. As stated in the question, I'm not asking for a solution to skip all B101 checks. I'm asking to skip B101 only for code in a given directory. – Martin Thoma Sep 20 '20 at 18:09
  • @MartinThoma that wasn't clear from your question, so I was answering something else. So, you want to skip B101 only in /test directory? – janpeterka Sep 21 '20 at 09:28
  • Yes, I only want to skip B101 within the tests directory. In other directories, I want to still have this. – Martin Thoma Sep 21 '20 at 09:37
  • Thanks for clarification. Edited my answer with possible solution. – janpeterka Sep 21 '20 at 09:41
  • For the hack: Can I have two different configurations for bandit? Is there something like "inheritance" for bandit configuration? – Martin Thoma Sep 22 '20 at 11:28
  • No idea about "inheritance", but you can specify your used config in your CLI `bandit` command. Now the rest depends on your specific use case - I use precommit, where I can run bandit two times and specify config there each time (as file or just args). Same can be done in GitHub Actions. You can also create a simple shell script with these defined bandit checks and run it instead of directly using CLI. – janpeterka Sep 23 '20 at 10:22
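The "run bandit twice" approach from this answer and its comments, written out as a small POSIX shell script. This is an added example, not janpeterka's own script: `run_bandit_twice` and the `BANDIT` override are names chosen here, and the `src`/`tests` layout is an assumption. The flags used are bandit's existing `-r` (recursive), `-x`/`--exclude` (comma-separated paths to leave out) and `-s`/`--skip` (comma-separated test IDs).

```shell
#!/bin/sh
# Added example: scan application code with every check enabled, then scan
# the test tree with only B101 skipped. Either pass failing fails the script,
# so CI still goes red on real findings in either tree.
# BANDIT can be overridden (e.g. BANDIT=echo) to dry-run the command lines.
BANDIT="${BANDIT:-bandit}"

run_bandit_twice() {
    src_dir="${1:-src}"     # assumed layout: application code under src/
    test_dir="${2:-tests}"  # assumed layout: pytest files under tests/
    # Pass 1: production code, all checks on; the test tree is excluded in
    # case it sits inside the scanned tree.
    "$BANDIT" -r "$src_dir" -x "$test_dir" || return 1
    # Pass 2: tests only, with assert_used (B101) skipped.
    "$BANDIT" -r "$test_dir" -s B101 || return 1
}

# Usage: source this file and call `run_bandit_twice [src_dir] [test_dir]`,
# or append that call at the bottom to use it as a standalone CI step.
```

Because the two passes share the same `.bandit`/`bandit.yaml` if one is present, per-pass differences live entirely in the command-line flags, which is the "specify config in the CLI command" approach the comment thread settles on.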
1

How I made bandit skip B101 within tests in Visual Studio Code:

  1. In the project's root I have a bandit.yaml file with the following content:
assert_used:
    skips: ["*/test_*.py"]
  2. In the settings.json file I have:
"python.linting.banditArgs": [
    "-r",
    "--configfile",
    "${workspaceFolder}/bandit.yaml"
],
0

I have the following in my pyproject.toml:

[tool.bandit]
exclude_dirs = [".venv", "tests"]
skips = ["B307"]

From the command line I just add -c pyproject.toml and bandit reads the configuration from there.

In VSCode:

"python.linting.banditArgs": [
    "--configfile",
    "pyproject.toml"
]
Julio Batista Silva