Use the bandit analyzer to check non-test-related Python source code
for potential vulnerabilities. To start, only error on matches with
severity "high" (we can ratchet it down later as lower-severity
items are addressed).
[tox]
minversion = 3.1
-envlist = dist, docs, flake8, yamllint, selftest_config, py3
+envlist = bandit, dist, docs, flake8, yamllint, selftest_config, py3
skipsdist = True
ignore_basepython_conflict = True
PYTHONWARNINGS=default::DeprecationWarning
commands = mudpy_selftest mudpy/tests/fixtures/test_daemon.yaml
+[testenv:bandit]
+deps = bandit
+commands = bandit -lll -r mudpy -x mudpy/tests {posargs}
+
[testenv:demo]
commands = mudpy {posargs}
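Review bot: `deps = bandit` in the new [testenv:bandit] section is unpinned, so the set of checks that runs (and whether the env passes) silently changes with each bandit release rather than with a deliberate bump; pinning it, e.g. `deps = bandit==<pinned-version>`, keeps the scan reproducible and makes tool upgrades a reviewable change. The `-lll` flag on the commands line encodes the "HIGH severity only" policy from the commit message, but nothing in the file records that or the intent to lower it later; a full-line comment above the command such as `# -lll: fail only on HIGH-severity findings; lower to -ll once those are cleared` would keep that decision next to the knob. Note that `-lll` filters on severity alone, so low-confidence HIGH findings are still reported — presumably the intended behaviour, but worth stating in the same comment.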