-
Notifications
You must be signed in to change notification settings - Fork 1
/
bandit.yaml
37 lines (31 loc) · 1.42 KB
/
bandit.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
exclude_dirs:
- ./.pybuild/
- ./build/
- ./debian/
- ./tests/
skips:
# We use python >= 3.8
- B309
# This check says that the TLS context is "insecure", because it does not
# conform to WebPKI checking algorithm. In RA-TLS, we intentionally don't do
# certificate checks according to WebPKI. We check the certs with RA-TLS.
- B323
# https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
# We have duly considered possible security implications of importing
# subprocess and concluded that there are in fact no implications in this
# project.
# We treat security very seriously.
- B404
# https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
# Yeah, we run commands with subprocess, so what.
- B603
# https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
# We use docker and is-sgx-avaliable as provided by external packages. We rely
# on properly configured $PATH for that, which is perfectly normal.
- B607
# https://bandit.readthedocs.io/en/latest/plugins/b701_jinja2_autoescape_false.html
# Jinja's autoescape is specific to HTML, and we mostly render Dockerfiles and
# other configs, so having autoescape is at best useless, and at worst adds
# cognitive load to developers who would have keep in mind which templates are
# autoescaped and which aren't.
- B701