
I'm trying to use pyproject.toml to exclude the venv/ directory. But it is not recognising the option.

[tool.bandit]
exclude = "/venv"

[tool.black]
exclude = "(venv)"

[tool.isort]
profile = "black"
skip = "venv"
balanced_wrapping = true
atomic = true

If I use the CLI option like so:

$ bandit -v -r . --exclude "/venv"

the directory is excluded. But if I just run bandit, it doesn't exclude the directory even though I have it in the pyproject.toml.

My bandit version is: 1.7.1.

Francisco Puga
felix001

2 Answers

exclude did not work for me, so I looked through official docs and found this:

We can specify dirs (and files as well) that we want to exclude in a list format.

pyproject.toml:

[tool.bandit]
exclude_dirs = ["venv",]

From this documentation:

"Also you can configure bandit via pyproject.toml file. In this case you would explicitly specify the path to configuration via -c too."

Therefore, CLI option would look like this:

bandit -v -r . -c "pyproject.toml"

(will work without quotes as well)


I've never used bandit before, so if I got your question wrong - please feel free to write back, we will figure that out :D

barni
    There's one other detail left as a trap for the unwary: if you're using Python prior to 3.11, you need to install the `toml` module or use `bandit[toml]` to pull in the optional dependency. https://github.com/PyCQA/bandit/issues/318 touches on the need for an explicit `-c` argument. – Chris Adams Mar 17 '22 at 23:41
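The two traps in this answer and in the comment under it (the key bandit reads is `exclude_dirs`, not `exclude`; the file is only read when passed explicitly with `-c`; and on Python before 3.11 a `toml` parser has to be installed) lend themselves to a small preflight check run before bandit itself. The script below is an added example, not code from the answer or from bandit; the set of top-level keys it accepts (`exclude_dirs`, `skips`, `tests`) is taken from bandit's documented config options for 1.7.x, the `exclude` -> `exclude_dirs` hint is assumed here as the most common carry-over from other tools, and the two TOML strings are constructed for the demonstration.

```python
"""Preflight check for bandit settings kept in pyproject.toml.

Added example, not part of bandit. It reads [tool.bandit], flags the
mistake from the question (bandit silently ignores `exclude`; the key is
`exclude_dirs`), and prints the command line bandit needs, since bandit
only reads pyproject.toml when the file is passed with -c.
"""
import shlex

# Top-level [tool.bandit] keys documented for bandit 1.7.x. Plugin-specific
# settings live in sub-tables such as [tool.bandit.assert_used] and are
# skipped by the check below.
KNOWN_KEYS = {"exclude_dirs", "skips", "tests"}

# Keys carried over from other tools' config that bandit ignores without
# warning (assumed mapping for the hint text; `exclude` is the one from
# the question).
LIKELY_MISTAKES = {"exclude": "exclude_dirs"}

# Constructed samples: the question's config and the answer's fix.
BROKEN = """
[tool.bandit]
exclude = "/venv"
"""
FIXED = """
[tool.bandit]
exclude_dirs = ["venv"]
"""


def load_toml(text: str) -> dict:
    """Parse TOML with the stdlib module (Python 3.11+) or with the `toml`
    package that `pip install bandit[toml]` provides on older interpreters.
    Without either, bandit itself cannot read pyproject.toml."""
    try:
        import tomllib  # Python 3.11+
        return tomllib.loads(text)
    except ModuleNotFoundError:
        try:
            import toml  # provided by bandit[toml] on Python < 3.11
        except ModuleNotFoundError as exc:
            raise RuntimeError(
                "no TOML parser available: on Python < 3.11 install "
                "bandit[toml] (or the `toml` package)"
            ) from exc
        return toml.loads(text)


def check_bandit_table(pyproject: dict) -> list:
    """Return human-readable findings for the [tool.bandit] table;
    an empty list means nothing looked wrong."""
    findings = []
    table = pyproject.get("tool", {}).get("bandit")
    if table is None:
        return ["no [tool.bandit] table found"]
    for key, value in table.items():
        if isinstance(value, dict):
            continue  # plugin sub-table, e.g. [tool.bandit.assert_used]
        if key in LIKELY_MISTAKES:
            findings.append(
                f"`{key}` is ignored by bandit; use `{LIKELY_MISTAKES[key]}`"
            )
        elif key not in KNOWN_KEYS:
            findings.append(f"`{key}` is not a documented top-level bandit option")
        elif key == "exclude_dirs" and not isinstance(value, list):
            findings.append('`exclude_dirs` must be a list, e.g. ["venv"]')
    return findings


def bandit_command(pyproject_path: str, target: str = ".") -> str:
    """The invocation bandit needs: the config file must be passed with -c,
    otherwise the [tool.bandit] table is never consulted."""
    return shlex.join(["bandit", "-r", target, "-c", pyproject_path])


def main() -> None:
    for label, text in (("question", BROKEN), ("answer", FIXED)):
        print(f"{label}: {check_bandit_table(load_toml(text)) or ['ok']}")
    print("run:", bandit_command("pyproject.toml"))


if __name__ == "__main__":
    main()
```

Running it against the question's config reports that `exclude` is ignored, while the answer's `exclude_dirs = ["venv"]` passes clean; the printed command is the one the answer arrives at, with `-c pyproject.toml` spelled out.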

To exclude the venv directory, this command works fine for me:

bandit -r . -x "*/venv/*"
Peacefull