
Bandit can't read config file when run in pre-commit


Describe the bug

When running bandit as a pre-commit hook on pre-commit.ci or locally I am getting an error that says the Bandit hook can’t read the pyproject.toml file. I’ve also tried this with other bandit config file approaches (bandit.yaml) and received the same error message.

Specifically, I’m getting an error message that says: [main] ERROR pyproject.toml : Could not read config file.

However, when I run bandit from the command line it appears to work (e.g. bandit . -r -c pyproject.toml).

Also note that I’ll cross-post this on the pre-commit repository so they are aware too.

Reproduction steps

1. Install pre-commit using the .pre-commit-config.yaml file pasted below
2. Add a pyproject.toml section that looks like:
[tool.bandit]
exclude_dirs = ["*/tests/*"]
3. Commit a changed Python file so the pre-commit hooks run on it

Settings in .pre-commit-config.yaml:

repos:

- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v4.1.0
  hooks:
  - id: check-added-large-files
    args: ['--maxkb=1000']
  - id: check-ast
  - id: check-case-conflict
  - id: check-merge-conflict
  - id: check-symlinks
  - id: check-yaml
  - id: check-toml
  - id: debug-statements
  - id: end-of-file-fixer
  - id: fix-encoding-pragma
  - id: requirements-txt-fixer
  - id: trailing-whitespace
  - id: check-docstring-first
  - id: name-tests-test
    args: ['--django']
  - id: no-commit-to-branch

- repo: https://github.com/pycqa/isort
  rev: 5.10.1
  hooks:
    - id: isort
      name: isort

- repo: https://github.com/psf/black
  rev: 22.3.0
  hooks:
  - id: black
    language_version: python3

- repo: https://github.com/pycqa/flake8
  rev: 4.0.1
  hooks:
  - id: flake8
    exclude: docs/source/conf.py, __pycache__
    additional_dependencies: [flake8-bugbear, flake8-builtins, flake8-quotes, flake8-comprehensions, pandas-vet, flake8-print, pep8-naming, doc8]

- repo: https://github.com/pycqa/pydocstyle
  rev: 6.1.1
  hooks:
  - id: pydocstyle
    additional_dependencies: ["toml"]

- repo: https://github.com/nbQA-dev/nbQA
  rev: 1.3.1
  hooks:
  - id: nbqa-isort
    args: [--nbqa-mutate, --nbqa-dont-skip-bad-cells]
    additional_dependencies: [isort==5.6.4]
  - id: nbqa-black
    args: [--nbqa-mutate, --nbqa-dont-skip-bad-cells]
    additional_dependencies: [black==20.8b1]
  - id: nbqa-flake8
    args: [--nbqa-dont-skip-bad-cells, "--extend-ignore=E402,E203"]
    additional_dependencies: [flake8==3.8.3]

- repo:  https://github.com/PyCQA/bandit
  rev: 1.7.4
  hooks:
  - id: bandit
    args: ["-c pyproject.toml"]

- repo: https://github.com/PyCQA/doc8
  rev: 0.11.2
  hooks:
    - id: doc8
      args: ["--max-line-length=88", "--config=pyproject.toml", "docs"]
      additional_dependencies: ["tomli"]

Expected behavior

Bandit should be able to find its configuration files within a pre-commit environment.

Ideally you would not need to tell Bandit where to look for the config file. Instead Bandit would just look in areas (from preferred files down to less preferred ones) like many linters do.

Bandit version

1.7.4 (Default)

Python version

3.9

Additional context

No response

Issue Analytics

  • State: open
  • Created: a year ago
  • Reactions: 4
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

17 reactions
matroscoe commented, May 20, 2022

@RNKuhns Sorted it! Make this your entry to .pre-commit-config.yaml

  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.4
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml"]
        additional_dependencies: [ "bandit[toml]" ]
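To see why the one-token spelling in the original hook entry (`args: ["-c pyproject.toml"]`) produces `Could not read config file` while the two-token form in this comment works, here is an added example; it is not code from the issue, from bandit or from pre-commit. It models bandit's `-c/--configfile` option with an argparse parser of the same shape (an assumption about bandit's CLI; only the option spelling matters here), and relies on the fact that pre-commit hands each item of a hook's `args:` list to the tool as one argv token. The `toml_parser_available` helper covers the other half of the fix: the `bandit[toml]` extra supplies the TOML parser bandit needs to read `pyproject.toml` (that it pulls in `tomli` on Pythons before 3.11 is stated here as an assumption). The `pyproject.toml` content is constructed to match the issue's section.

```python
"""Why `args: ["-c pyproject.toml"]` fails while `["-c", "pyproject.toml"]` works.

Added example, not code from the issue, bandit or pre-commit. The parser below
mirrors the shape of bandit's -c/--configfile option (assumption) and is fed
the argv that pre-commit builds from each spelling of the hook's `args:` list.
"""
import argparse
import os
import tempfile

# Constructed pyproject.toml content: the same section the issue adds.
PYPROJECT_TOML = '[tool.bandit]\nexclude_dirs = ["*/tests/*"]\n'


def config_path_from_args(argv):
    """Return the config path an argparse `-c` option extracts from argv.

    pre-commit passes every item of the hook's `args:` list as one argv
    token, so "-c pyproject.toml" arrives as a single token. argparse treats
    that like "-cVALUE" and stores " pyproject.toml", leading space included.
    """
    parser = argparse.ArgumentParser(prog="bandit", add_help=False)
    parser.add_argument("-c", "--configfile", dest="config_file")
    namespace, _remaining = parser.parse_known_args(argv)
    return namespace.config_file


def config_is_readable(argv, project_dir):
    """Return (path_as_parsed, readable) for the `-c` value found in argv."""
    path = config_path_from_args(argv)
    if path is None:
        return None, False
    return path, os.path.isfile(os.path.join(project_dir, path))


def whitespace_in_args(argv):
    """List hook args that contain whitespace: almost always a YAML list mistake."""
    return [arg for arg in argv if any(ch.isspace() for ch in arg)]


def toml_parser_available():
    """True if a TOML parser usable for pyproject.toml is importable.

    bandit's base install does not depend on one; the bandit[toml] extra adds
    it (tomli on Pythons before 3.11, by assumption), which is why the fix
    above lists "bandit[toml]" under additional_dependencies.
    """
    try:
        import tomllib  # noqa: F401  (standard library from Python 3.11)
        return True
    except ImportError:
        try:
            import tomli  # noqa: F401  (third-party backport)
            return True
        except ImportError:
            return False


def demo(project_dir=None):
    """Write the constructed pyproject.toml and compare both arg spellings.

    Returns {label: (parsed_path, readable, args_with_whitespace)}; uses a
    temporary directory when none is given.
    """
    if project_dir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    with open(os.path.join(project_dir, "pyproject.toml"), "w") as fh:
        fh.write(PYPROJECT_TOML)
    results = {}
    for label, argv in (("one token", ["-c pyproject.toml"]),
                        ("two tokens", ["-c", "pyproject.toml"])):
        path, readable = config_is_readable(argv, project_dir)
        results[label] = (path, readable, whitespace_in_args(argv))
    return results


if __name__ == "__main__":
    for label, (path, readable, bad) in demo().items():
        print(f"{label}: parsed path={path!r} readable={readable} "
              f"args containing whitespace={bad}")
    print(f"TOML parser importable: {toml_parser_available()}")
```

Run it directly to see the parsed path for each spelling; the leading space in `' pyproject.toml'` is the whole bug, and the whitespace check is a cheap guard to run over any hook's `args:` list before blaming the tool. Note that bandit only reports the unreadable file because it was told to use one; a hook whose config silently falls back to defaults would scan with no excludes or skips at all, which is worth confirming in CI output rather than assuming.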
1 reaction
RNKuhns commented, May 20, 2022

@matroscoe I confirmed this works. Maybe the bandit docs could be updated with the information?
