PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

Add config via setup.cfg #736

Open okainov opened 3 years ago

okainov commented 3 years ago

Is your feature request related to a problem? Please describe.

I'd like to use a single setup.cfg file for many different linters/plugins/style checkers. Currently bandit requires a special config file of its own and is not able to read setup.cfg.

Describe the solution you'd like

  1. Check multiple different paths for config file by default
  2. Implement proper parsing of setup.cfg (which is not YAML but an INI-like format)

Example:


[isort]
# https://github.com/timothycrosley/isort/wiki/isort-Settings
line_length=119
case_sensitive=True
multi_line_output=7
force_single_line=True
default_section=THIRDPARTY

[bandit]
# https://bandit.readthedocs.io/en/latest/blacklists/index.html#
tests: ['B603']

[flake8]
# https://flake8.pycqa.org/en/latest/user/configuration.html
show_source = True

per-file-ignores =
    python/pypi/*: WPS300, WPS442

Describe alternatives you've considered

Separating configs, which works, but clutters the workspace with files.

Additional context

Basically the same as https://github.com/PyCQA/bandit/issues/212 (which was probably closed by mistake)
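As an added illustration of the two steps proposed above (searching several config paths, then parsing a `[bandit]` section out of INI-style setup.cfg), this is example code and not bandit's own implementation; the search order, the sample setup.cfg content and the set of list-valued keys are assumptions made for the example.

```python
import ast
import configparser
import os
from typing import Callable, Dict, List, Optional

# Constructed sample setup.cfg, mirroring the issue's example (values are hypothetical)
SAMPLE_SETUP_CFG = """\
[bandit]
# https://bandit.readthedocs.io/en/latest/blacklists/index.html#
tests: ['B603']
skips: ['B101', 'B404']
exclude_dirs = tests, .venv
[flake8]
show_source = True
"""

# Hypothetical search order for step 1 of the request
DEFAULT_CANDIDATES = (".bandit", "bandit.yaml", "setup.cfg")
# Keys whose values should become lists, as in bandit's YAML config
LIST_KEYS = {"tests", "skips", "exclude_dirs"}


def pick_config_path(candidates=DEFAULT_CANDIDATES,
                     exists: Callable[[str], bool] = os.path.isfile) -> Optional[str]:
    """Return the first candidate config file that exists, or None."""
    for path in candidates:
        if exists(path):
            return path
    return None


def _parse_list(raw: str) -> List[str]:
    """Accept a Python-literal list ("['B603']") or a comma-separated string."""
    raw = raw.strip()
    if raw.startswith("["):
        # literal_eval only evaluates literals, never arbitrary expressions
        value = ast.literal_eval(raw)
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            raise ValueError("expected a list of strings, got %r" % raw)
        return value
    return [item.strip() for item in raw.split(",") if item.strip()]


def load_bandit_section(text: str, section: str = "bandit") -> Dict[str, object]:
    """Build a bandit-style config dict from the [bandit] section of INI text."""
    parser = configparser.ConfigParser()  # accepts both '=' and ':' delimiters
    parser.read_string(text)
    if not parser.has_section(section):
        return {}  # other tools' sections ([flake8], [isort], ...) are ignored
    return {key: _parse_list(raw) if key in LIST_KEYS else raw
            for key, raw in parser.items(section)}
```

Other tools' sections in the same file are skipped, and a value that is not a plain list of strings is rejected rather than evaluated.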

asears commented 2 years ago

Would it make more sense to use pyproject.toml for this effort as part of modernization? See #550 which is awaiting some publish.

okainov commented 2 years ago

@asears yes and no :) On one side I'm all for supporting different formats; if it makes some folks happy, why not, more is not less. On the other side, in our projects we do use setup.cfg with a lot of different tools and plugins, and even if we would like to migrate to something else (and we probably are not really into that for now), it wouldn't be so trivial and fast. And so far Bandit is the only tool from our set which doesn't support setup.cfg as-is. So as a user I would love to see this implemented.

devops-hacks commented 2 years ago

@asears Both my thumbs up go for this feature request - we only use setup.cfg files at present, as our code base has NOT been modernized and I don't think it will be, because it simply works as it is and we have hundreds of Python projects with only setup.cfg files...

ssbarnea commented 1 year ago

Should be refused as won't fix due to PEP-621