bandit: Exclude paths in config file ignored if passing specific files to Bandit CLI

UPDATE: please see my below comment for an updated description of the problem.

Describe the bug

When using the pre-commit hook, my excluded paths listed in .bandit are still processed by bandit.

To Reproduce

Steps to reproduce the behavior:

  1. Create a .bandit config file with exclusions. For example:
    [bandit]
    exclude: ./node_modules/*,./tests/*
    
  2. Run bandit via command line (bandit -r .), verify exclusions ignored.
  3. Run bandit on all files via pre-commit hook: pre-commit run --all-files bandit
  4. See that excluded files are processed by bandit

Expected behavior

I expect the excluded paths to be ignored.

Bandit version

bandit 1.6.0
  python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 9
  • Comments: 18 (7 by maintainers)

Most upvoted comments

I just ran into the same issue. What makes this pretty bad for me right now is that bandit is executed via a CI pipeline defined by a centrally configured GitLab instance. This always runs bandit using bandit -r <package_name> and I don’t have direct control over this in the project.

In my project I have some files that I want to exclude and wrote them into .bandit

Yet, the pipeline still fails because of this issue.

So now I’m forced to write # nosec comments into all files in a given subfolder even though that particular subfolder only contains utilities which never receive end-user input and could be ignored altogether.

ini file for dir exclusion doesn’t work with the -r option. It’s super confusing.

My .bandit

[bandit]
exclude: test_*.py,./venv/,./env/,./node_modules/,./cacheback/,./.env,./.venv,migrations,tests
skips: B101,B311

Running with bandit -r .

[main]	INFO	Found project level .bandit file: ./.bandit
[main]	INFO	Using command line arg for excluded paths
[main]	INFO	Using ini file for skipped tests

Tests dirs and files are not ignored but everything works fine with bandit -x "test_*.py,./venv/,./env/,./node_modules/,./cacheback/,./.env,./.venv,migrations,tests" -r .

I am confused.

Is there a current workaround? bandit is unusable at the moment as all test files are marked as false positives because of the usage of assert.

@Cielquan, you probably need to use the following instead:

args: ["--exclude", ".tox,.eggs,tests"]

I also tried args: ["--exclude .tox,.eggs,tests"] without success.

How did you even find out about the possibility of mentioning args in the config file? The docs don’t mention this

This refers to pre-commit - not to bandit - for those who do not run bandit directly, but via pre-commit - highly recommended to run linters.

I do not use a config file but also have related problems with pre-commit.

When I run bandit -x "./.tox/*,./.eggs/*,./tests/*" -r . it works just fine.

When I run bandit with pre-commit I get an “error” in the output: --exclude ./.tox/*,./.eggs/*,./tests/* (No such file or directory)

pre-commit-config.yaml:

  - repo: https://github.com/PyCQA/bandit
    rev: 1.6.2
    hooks:
      - id: bandit
        args: ["--exclude ./.tox/*,./.eggs/*,./tests/*"]

I also tried args: ["--exclude .tox,.eggs,tests"] without success.

And when I run bandit -x .tox,.eggs,tests -r . it is not working because the ignores get ignored and bandit checks everything. I get the same result when I run bandit -r .. Here the .tox directory also gets checked though it should not because of the default ignores.
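The "No such file or directory" output above comes from how argparse classifies a single argv token that contains a space. The following is an added illustration, not bandit's own parser or the project's code: it mirrors only the -x/--exclude, -r and positional-target flags, and simulates pre-commit's convention of passing each element of a hook's args list as one argv element followed by the filenames.

```python
import argparse
import os


def parse_bandit_like_args(argv):
    """Parse argv with a constructed stand-in for bandit's CLI (assumption:
    only -x/--exclude, -r/--recursive and positional targets are modelled)."""
    parser = argparse.ArgumentParser(prog="bandit", add_help=False)
    parser.add_argument("-x", "--exclude", default=None)
    parser.add_argument("-r", "--recursive", action="store_true")
    parser.add_argument("targets", nargs="*")
    ns = parser.parse_args(argv)
    return {
        "exclude": ns.exclude,
        "targets": ns.targets,
        # A token such as "--exclude ./.tox/*" contains a space, so argparse
        # treats it as a positional target; bandit then tries to open it as a
        # file, which is where the thread's "No such file or directory" appears.
        "missing_targets": [t for t in ns.targets if not os.path.exists(t)],
    }


def simulate_precommit_args(hook_args, filenames):
    """pre-commit hands the hook `args` list to the command one element per
    argv entry and appends the staged filenames (default pass_filenames)."""
    return list(hook_args) + list(filenames)


if __name__ == "__main__":
    # Constructed inputs: the broken form from the thread and the split form.
    broken = simulate_precommit_args(
        ["--exclude ./.tox/*,./.eggs/*,./tests/*"], ["app.py"])
    fixed = simulate_precommit_args(["--exclude", ".tox,.eggs,tests"], ["app.py"])
    print("broken:", parse_bandit_like_args(broken))
    print("fixed: ", parse_bandit_like_args(fixed))
```

In the broken form `exclude` stays unset and the whole option string lands in `targets`; splitting the flag and its value into two list elements is what makes `--exclude` take effect.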

@vinicyusmacedo – My issue is actually unrelated to #488 and exists in 1.5.1 as well.

After further investigation, what’s actually happening is that the excluded paths in the config file are being ignored when passing specific files to bandit – even though excluding from the CLI works:

In v1.5.1:

$ bandit --version
bandit 1.5.1
  python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]

$ cat .bandit
[bandit]
exclude: node_modules

$ bandit ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 46
...

$ bandit -x node_modules ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 0
...

In v1.6.0:

$ bandit --version
bandit 1.6.0
  python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]

$ cat .bandit
[bandit]
exclude: ./node_modules/*

$ bandit ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 46
...

$ bandit -x "./node_modules/*" ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 0
...

I believe the two excluding methods should have consistent behavior, which is to not process the file in either case. This is especially important if one wants to exclude paths with the pre-commit hook.

Thanks!

That’s my plan, yes

Running into the same problem. Tried all combinations of ini, pyproject, yaml. Unable to exclude. Can this issue be reopened?

Has this been released yet? I’m currently on bandit 1.7.4 and it still behaves the same way.

I have a package in the enm subfolder and the following .bandit file:

---
targets: "enm"
exclude: "enm/vendor"

and I’m calling it as follows (execution line is out of my control as it is in a CI pipeline):

bandit -r enm

And even though the config-file exists, it still drills into the enm/vendor folder causing the pipeline to fail.


Yeah, I think that could be the case. In the meantime I change from directly running bandit to running it via flake8-bandit and running flake8 via flakehell which enables you to customize the behavior of every single flake8 extension for each and every file for example.

Actually, if the target is a file, Bandit doesn’t look for a .bandit file anywhere; see #332.

In this scenario the .bandit file is completely ignored. Bandit only looks for config files where the target is, or recursively in subdirectories.

The relevant code is in bandit.cli.main._get_options_from_ini.
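To make the lookup rule just described concrete, here is an added, simplified stand-in (not bandit's `_get_options_from_ini` and not project code) that searches for a `.bandit` file only beneath directory targets, next to a walk-up variant that also finds the file when a single file is the target. The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
import configparser
import os
import tempfile


def find_ini_like_bandit(targets):
    """Assumed simplification of the behaviour in the thread: only directory
    targets are searched (recursively) for a .bandit file; file targets are not."""
    for target in targets:
        if os.path.isdir(target):
            for root, _dirs, files in os.walk(target):
                if ".bandit" in files:
                    return os.path.join(root, ".bandit")
    return None


def find_ini_walking_up(targets):
    """Alternative lookup: start at the target (or its parent for a file) and
    walk up to the filesystem root, so file targets still pick up the config."""
    for target in targets:
        start = target if os.path.isdir(target) else os.path.dirname(target)
        current = os.path.abspath(start)
        while True:
            candidate = os.path.join(current, ".bandit")
            if os.path.isfile(candidate):
                return candidate
            parent = os.path.dirname(current)
            if parent == current:  # reached the root without a hit
                break
            current = parent
    return None


def excluded_patterns(ini_path):
    """Read the comma-separated exclude list from a [bandit] ini section."""
    cp = configparser.ConfigParser()
    cp.read(ini_path)
    raw = cp.get("bandit", "exclude", fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]


def demo():
    """Build a constructed project tree and compare both lookups."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".bandit"), "w") as fh:
            fh.write("[bandit]\nexclude: node_modules\n")
        vendored = os.path.join(root, "node_modules", "xml_fix.py")
        os.makedirs(os.path.dirname(vendored))
        open(vendored, "w").close()
        return {
            "dir_target_finds_ini": find_ini_like_bandit([root]) is not None,
            "file_target_finds_ini": find_ini_like_bandit([vendored]) is not None,
            "walk_up_patterns": excluded_patterns(find_ini_walking_up([vendored])),
        }
```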