update bandit config

HosseinNejatiJavaremi · HosseinNejatiJavaremi · commit 1ed10e21b42b · 2025-08-11T10:44:01.000+03:30
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
@@ -6,6 +6,10 @@
 # Bandit is a security linter designed to find common security issues in Python code.
 # This action will run Bandit on your codebase.
 # The results of the scan will be found under the Security tab of your repository.
+#
+# Configuration: This workflow uses pyproject.toml for centralized security settings.
+# Local development: make security (uses pyproject.toml)
+# CI/CD: This workflow (uses pyproject.toml via ini_path)
 
 # https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
 # https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
@@ -38,14 +42,11 @@ jobs:
           # Github token of the repository (automatically created by Github)
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
           # File or directory to run bandit on
-          # path: # optional, default is .
+          path: archipy/ # Scan the archipy directory (matches local make security command)
           # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
           # level: # optional, default is UNDEFINED
           # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
           # confidence: # optional, default is UNDEFINED
-          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
-          excluded_paths: "features,docs,scripts"
-          # comma-separated list of test IDs to skip
-          # skips: # optional, default is DEFAULT
+          # Exclusions and skips are now configured in pyproject.toml for centralized management
           # path to a .bandit file that supplies command line arguments
-          # ini_path: # optional, default is DEFAULT
+          ini_path: pyproject.toml # Use pyproject.toml configuration for centralized security settings
diff --git a/Makefile b/Makefile
@@ -72,7 +72,7 @@ lint: ## Run all linters
 .PHONY: security
 security: ## Run security scan with Bandit
 	@echo "${BLUE}Running security scan...${NC}"
-	$(PYTHON) bandit -r archipy/ -s B101,B301,B403 -x features,docs,scripts -f json -o bandit-report.json || true
+	$(PYTHON) bandit -c pyproject.toml -r archipy/ -f json -o bandit-report.json || true
 
 .PHONY: behave
 behave: ## Run tests with behave
diff --git a/pyproject.toml b/pyproject.toml
@@ -335,3 +335,19 @@ pyproject_root_var = "pyproject"
 [tool.codespell]
 ignore-words-list = "exat,convertor"
 skip = ".git,__pycache__,build,dist"
+
+[tool.bandit]
+# Bandit configuration for security scanning
+# https://bandit.readthedocs.io/en/latest/config.html
+
+# Target directories to scan
+targets = ["archipy"]
+
+# Exclude directories from scanning
+exclude_dirs = ["features", "docs", "scripts"]
+
+# Skip specific test IDs
+# B101: assert_used - Allow assert statements in tests
+# B301: pickle - Allow pickle usage (needed for some serialization)
+# B403: import_pickle - Allow pickle imports
+skips = ["B101", "B301", "B403"]
