PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

Skip tests folder on pre-commit #912

Open wellingtonf-souza opened 2 years ago

wellingtonf-souza commented 2 years ago

Describe the bug

Running bandit --configfile bandit.yaml -r ., test folders are correctly ignored according to the settings present in bandit.yaml; however, with pre-commit this configuration is ignored.

Reproduction steps

bandit.yaml:

exclude_dirs:
    - '/tests'
    - '/venv'

.pre-commit-config.yaml:

repos:
-   repo: https://github.com/PyCQA/bandit
    rev: 1.7.4
    hooks:
    - id: bandit
      args: ["--configfile", "bandit.yaml", "-r", "."]
      stages: [commit]

Expected behavior

It is expected that with pre-commit the folders indicated in exclude_dirs will also be ignored.

Bandit version

1.7.4 (Default)

Python version

3.7

Additional context

No response

mportesdev commented 2 years ago

I think you should convert the paths in exclude_dirs to relative paths (by removing the leading slashes). It fixed the problem for me.

Also, I would recommend removing -r and . from the pre-commit hook's arguments. Typically, you only want to apply the hook to the files included in the commit. pre-commit takes care of this automatically by internally passing the affected files as arguments to the pre-commit hook's executable.

jslay88 commented 1 year ago

I've tried every combination of tests, tests/*, */tests, */tests/*, etc. and cannot seem to get this to work with pre-commit.

pyproject.toml

[tool.bandit]
exclude_dirs = ["tests"]

.pre-commit-config.yaml

  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.4
    hooks:
      - id: bandit
        args: ['-c', 'pyproject.toml']
        additional_dependencies: ["bandit[toml]"]

No dice with it failing on the asserts in the tests in the commit.

Only thing I can get to work is to add my exclusions to the args in .pre-commit-config.yaml.

JensHeinrich commented 1 year ago

I think I found the reason while poking around in the code: in https://github.com/PyCQA/bandit/blob/main/bandit/core/manager.py#L412 and https://github.com/PyCQA/bandit/blob/main/bandit/core/manager.py#L245-L253 the excluded path is ignored, as the file names are passed to bandit by pre-commit as full paths unless it is configured differently: https://pre-commit.com/#hooks-pass_filenames

fjsj commented 1 year ago

@JensHeinrich is right. Due to https://github.com/PyCQA/bandit/blob/ca4faf2f82a7c68a088100f8ba2b8e56f9bdcfe3/bandit/core/manager.py#L245-L253

bandit will scan a file included in a commit regardless of whether it's excluded. I had to add my exclusions from the .bandit file in .pre-commit-config.yaml with something like exclude: (.*/?(tests|fixtures|venv|env|node_modules)/.+|.+/settings/local\.py)

alfechner commented 10 months ago

I have the exact same issue using a .bandit config file and this pre-commit config:

repos:
    - repo: https://github.com/PyCQA/bandit
      rev: 1.7.6
      hooks:
          - id: bandit
            args: ["--ini", ".bandit"]

Any update on this?

ahn-nath commented 8 months ago

@alfechner The suggestion from @fjsj works for me.
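Added example (not code from the bandit project or from anyone in this thread): it applies the exclude pattern from fjsj's comment the way pre-commit does, with re.search on each staged path, over a constructed list of staged files, and shows two edge cases of that unanchored pattern; build_exclude is my own suggestion for an anchored form and is not from the thread.

```python
import re

# Pattern from fjsj's comment, copied as given in the thread.
PRE_COMMIT_EXCLUDE = r"(.*/?(tests|fixtures|venv|env|node_modules)/.+|.+/settings/local\.py)"


def files_passed_to_hook(staged_files, exclude=PRE_COMMIT_EXCLUDE):
    """Return the staged paths pre-commit would hand to the bandit hook.

    pre-commit matches ``exclude`` against each repo-relative path with
    re.search, so a matched file never reaches bandit at all. That is why
    the thread's workaround works even though bandit does not apply
    exclude_dirs to files passed to it explicitly.
    """
    pattern = re.compile(exclude)
    return [path for path in staged_files if not pattern.search(path)]


def build_exclude(dir_names, extra_files=()):
    """Build an anchored ``exclude`` pattern (my suggestion, not from the thread).

    Each directory name must be a whole path component, so excluding "tests"
    no longer silently drops "contests/x.py" from scanning, and a listed file
    is matched by its full repo-relative path rather than by a suffix.
    """
    dirs = "|".join(re.escape(d) for d in dir_names)
    alternatives = [rf"^(?:.*/)?(?:{dirs})/"]
    alternatives.extend(rf"^{re.escape(f)}$" for f in extra_files)
    return "(?:" + "|".join(alternatives) + ")"


# Constructed sample of staged paths. Two edge cases for the thread's
# pattern: "contests/x.py" is excluded (the pattern is unanchored, so
# "contests/" contains "tests/"), while a root-level "settings/local.py"
# is NOT excluded (the pattern needs something before "/settings").
STAGED = [
    "app/views.py",
    "tests/test_views.py",
    "app/tests/test_models.py",
    "venv/lib/site.py",
    "app/settings/local.py",
    "app/settings/base.py",
    "tests_helpers/util.py",
    "contests/x.py",
    "settings/local.py",
]

if __name__ == "__main__":
    print("thread pattern keeps:", files_passed_to_hook(STAGED))
    anchored = build_exclude(["tests", "venv"], ["app/settings/local.py"])
    print("anchored pattern keeps:", files_passed_to_hook(STAGED, anchored))
```

An over-broad exclude silently removes code from scanning, so it is worth checking the kept list against a real `git diff --cached --name-only` before relying on it.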