pants: Bandit plugin used by flake8 can't read the config from the bandit's config

Describe the bug

flake8-bandit isn't able to read the config used by bandit itself. I suppose this is not just about this particular plugin but about any such plugin which flake8 uses.

Pants version: 2.10.0

OS: macOS

Additional info: https://pantsbuild.slack.com/archives/C046T6T9U/p1650639627749519

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 16 (16 by maintainers)

Most upvoted comments

Yeah but I feel like based on different plugins, this can be quite varied. E.g. if it’s flake8-bandit, the glob could be [".bandit"]. If it’s flake8-pydocstyle, it could be [".pydocstyle"]. I don’t see a clear glob pattern here.

EDIT: Sorry, I understand now you mean flake8_subsystem.extra_files

Hey @ShantanuKumar sorry for the delay! Was moving apartments and OOO.

  1. Add a new option extra_files to bandit/subsystem.py, which will be advanced=True and type FileListOption
  2. Add Get(Digest, PathGlobs()) here for the extra_files. Error if the globs are not matched, similar to the second snippet. Include the digest in the MergeDigests.

https://github.com/pantsbuild/pants/blob/40e17902092a9b7414473f99bf32e3f3c84e5921/src/python/pants/backend/python/lint/bandit/rules.py#L52-L68

https://github.com/pantsbuild/pants/blob/40e17902092a9b7414473f99bf32e3f3c84e5921/src/python/pants/core/util_rules/config_files.py#L64-L71

I think we likely want to add a test to bandit/rules_integration_test.py, although tests do have a downside with slower CI and more code, so it’s a tradeoff. I wonder if you can modify a current test like test_3rdparty_plugin to test both things in the same test. Otherwise, a dedicated test is probably worth it.
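The two steps above, modelled as an added example in plain Python; this is not Pants' own rules code and it does not use the Pants engine (no Digest, PathGlobs, MergeDigests or FileListOption). It assumes a build root on disk, resolves the configured globs against it, fails loudly when a glob matches nothing (the silent case is what lets a linter run without its config), and merges the matched files with the sandbox's other inputs. The file names, the .bandit content and the helper names are constructed for the example.

```python
"""Stand-in for the proposed `extra_files` flow: resolve globs under the build
root, fail when a glob matches nothing, merge with the other sandbox inputs.
Plain Python model, not Pants' engine API."""
import tempfile
from pathlib import Path

# Constructed .bandit content with the same shape as the one quoted in the issue.
BANDIT_CONFIG = """skips: ["B101"]

try_except_continue:
  check_typed_exception: false
try_except_pass:
  check_typed_exception: false
"""


class UnmatchedGlobError(Exception):
    """Raised when an extra_files glob matches nothing under the build root."""


def resolve_extra_files(build_root: Path, globs: list[str]) -> dict[str, bytes]:
    """Return {relative_path: content} for every file matched by `globs`.

    Every glob must match at least one file. A glob that silently matches
    nothing would let the linter run with default settings, so it raises here
    (the model's equivalent of erroring on unmatched globs)."""
    digest: dict[str, bytes] = {}
    for pattern in globs:
        files = [p for p in sorted(build_root.glob(pattern)) if p.is_file()]
        if not files:
            raise UnmatchedGlobError(
                f"[flake8].extra_files glob {pattern!r} matched no files under {build_root}"
            )
        for path in files:
            digest[path.relative_to(build_root).as_posix()] = path.read_bytes()
    return digest


def merge_digests(*digests: dict[str, bytes]) -> dict[str, bytes]:
    """Union of several {path: content} maps.

    The same path with identical content is fine; the same path with different
    content is rejected so one input cannot silently overwrite another."""
    merged: dict[str, bytes] = {}
    for digest in digests:
        for rel, content in digest.items():
            if rel in merged and merged[rel] != content:
                raise ValueError(f"conflicting content for {rel!r} while merging")
            merged[rel] = content
    return merged


def materialize(sandbox: Path, digest: dict[str, bytes]) -> list[str]:
    """Write the merged digest into a sandbox directory; return the paths written."""
    for rel, content in digest.items():
        target = sandbox / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return sorted(digest)


def demo(extra_files=(".bandit",)) -> list[str]:
    """Build a constructed repo with a .bandit file and one source file, run the
    flow, and return the sandbox listing the linter would see."""
    with tempfile.TemporaryDirectory() as tmp:
        build_root = Path(tmp) / "repo"
        (build_root / "src").mkdir(parents=True)
        (build_root / ".bandit").write_text(BANDIT_CONFIG)
        source = build_root / "src" / "app.py"
        source.write_text("assert True  # B101 would be reported without the skip\n")

        # The source files the flake8 rule already snapshots (constructed stand-in).
        sources = {"src/app.py": source.read_bytes()}
        extra = resolve_extra_files(build_root, list(extra_files))
        merged = merge_digests(sources, extra)

        sandbox = Path(tmp) / "sandbox"
        sandbox.mkdir()
        return materialize(sandbox, merged)


def demo_unmatched(pattern: str = "missing.cfg") -> bool:
    """True if an unmatched glob is rejected instead of being ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            resolve_extra_files(Path(tmp), [pattern])
        except UnmatchedGlobError:
            return True
        return False


if __name__ == "__main__":
    print(demo())            # ['.bandit', 'src/app.py']
    print(demo_unmatched())  # True
```

The point of the unmatched-glob check is the same one the second step makes: a misspelled or missing config path should stop the run, not produce a linter pass that never applied the project's skips or stricter settings.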

Cool. So then in your case, this would look like:

[flake8]
plugin_config = [[".bandit", ""]]  # i.e. no args

or

[flake8]
plugin_config = [".bandit"]

That second one is much clearer in my opinion. And maybe we make this even more generic? That option tells pants to find that file on your local file system and include it in the sandbox.

[flake8]
extra_files = [".bandit"]

Wdyt?

They say that using .bandit should work. This is what my .bandit looks like:

skips: ["B101"]

try_except_continue:
  check_typed_exception: false
try_except_pass:
  check_typed_exception: false