Use .gitignore as basis of default excludes #826
Comments
When using Bandit to scan projects based on Git source control, it would be beneficial to ignore files based on the patterns in the .gitignore file. Today, Bandit has some default excludes that get overridden if a user passes in other excludes. This is a bit confusing to the end user. But it also serves a purpose similar to .gitignore in that the paths excluded by default are typically included in a .gitignore. Note, it will only check for .gitignore files in top-level directories specified on the Bandit command line as targets. It does not recursively look for .gitignore files. This is done because recursive searching for .gitignore files would be complex to add to Bandit's existing file discovery. This change adds a new Apache 2 licensed dependency of ignorelib. Fixes PyCQA#826 Signed-off-by: Eric Brown <[email protected]>
Is your feature request related to a problem? Please describe.
Currently, constants.py defines some standard excludes hardcoded in a file. While this hasn't generally been an issue thus far, it does get complicated if someone wishes to override those values.
Describe the solution you'd like
Rather than hardcode in Bandit source, make use of a project's defined .gitignore file instead. It's very common to only scan the source that is part of the git repo anyway.
Describe alternatives you've considered
This solution would apply only to Git source control. So if someone uses SVN, CVS, etc., it may not be of much help.
Additional context
https://git-scm.com/docs/gitignore
https://github.com/PyCQA/bandit/blob/7fbf9d517b900936ac97e7debbd16dc7e532bc27/bandit/core/constants.py
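As an added illustration of the behaviour the linked PR describes (this is example code, not Bandit's implementation and not ignorelib's API; the helper names `parse_gitignore`, `is_ignored` and `discover_files` and the directory layout are constructed for this example), the following reads only the .gitignore in each top-level target, applies git's last-match-wins rules with negation, directory-only and anchored patterns, prunes excluded directories so nothing under them is scanned, and deliberately does not consult nested .gitignore files. It supports a subset of the syntax from https://git-scm.com/docs/gitignore (no `**`, no backslash escapes), which is noted in the comments.

```python
import os
import re
import tempfile
from pathlib import Path

# parse_gitignore / is_ignored / discover_files are names chosen for this
# example; they are not Bandit's or ignorelib's API.


def _glob_to_regex(pattern):
    """Translate one gitignore glob to a regex.

    Unlike fnmatch, '*' and '?' must not cross '/'. Simplification: '**' is
    not given its special meaning and backslash escapes are not handled.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def parse_gitignore(text):
    """Parse a subset of .gitignore syntax into an ordered list of rules.

    Each rule is (regex, negated, dir_only, anchored).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        dir_only = line.endswith("/")
        line = line.rstrip("/")
        # A slash at the start or in the middle anchors the pattern to the
        # .gitignore's own directory; otherwise it matches a basename at any depth.
        anchored = "/" in line
        line = line.lstrip("/")
        rules.append((_glob_to_regex(line), negated, dir_only, anchored))
    return rules


def is_ignored(rules, rel_path, is_dir):
    """Apply rules in order; the last matching rule wins, as in git.

    rel_path is POSIX-style, relative to the directory holding the .gitignore.
    """
    ignored = False
    for regex, negated, dir_only, anchored in rules:
        if dir_only and not is_dir:
            continue
        subject = rel_path if anchored else rel_path.rsplit("/", 1)[-1]
        if regex.match(subject):
            ignored = not negated
    return ignored


def _join(rel_dir, name):
    return f"{rel_dir}/{name}" if rel_dir else name


def discover_files(targets, suffix=".py"):
    """Collect files under each top-level target, honouring only that
    target's own .gitignore. Nested .gitignore files are not consulted,
    mirroring the non-recursive behaviour described in the PR."""
    found = []
    for target in targets:
        root = Path(target)
        gitignore = root / ".gitignore"
        rules = parse_gitignore(gitignore.read_text()) if gitignore.is_file() else []
        for dirpath, dirnames, filenames in os.walk(root):
            rel_dir = Path(dirpath).relative_to(root).as_posix()
            rel_dir = "" if rel_dir == "." else rel_dir
            # Prune ignored directories in place so os.walk never descends into
            # them. This is also why a "!" rule cannot re-include a file whose
            # parent directory is excluded, exactly as in git.
            dirnames[:] = sorted(
                d for d in dirnames if not is_ignored(rules, _join(rel_dir, d), True)
            )
            for name in sorted(filenames):
                rel = _join(rel_dir, name)
                if rel.endswith(suffix) and not is_ignored(rules, rel, False):
                    found.append(rel)
    return sorted(found)


# Constructed sample tree (not from any real project).
CONSTRUCTED_TREE = {
    ".gitignore": "# constructed example\nbuild/\n*.pyc\n/dist\nsecrets/*.py\n!secrets/public.py\n",
    "app.py": "",
    "util/helpers.py": "",
    "util/helpers.pyc": "",      # excluded by *.pyc
    "build/gen.py": "",          # excluded by build/ (directory pruned)
    "dist/out.py": "",           # excluded by /dist (anchored)
    "sub/dist/keep.py": "",      # kept: /dist only matches at the top level
    "secrets/private.py": "",    # excluded by secrets/*.py
    "secrets/public.py": "",     # re-included by !secrets/public.py
    "vendor/.gitignore": "*.py\n",  # nested .gitignore: deliberately not read
    "vendor/lib.py": "",         # kept, because the nested file is ignored
}


def demo():
    """Materialise the constructed tree in a temp dir and return the scan set."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in CONSTRUCTED_TREE.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
        return discover_files([tmp])


if __name__ == "__main__":
    for scanned in demo():
        print(scanned)
```

Running the block prints the five paths that would reach the scanner; `vendor/lib.py` is among them even though `vendor/.gitignore` would exclude it, which is the practical consequence of the "top-level targets only" decision in the PR: a target that is a repository root gets the expected behaviour, while patterns in subdirectory .gitignore files are silently not applied.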