From a5b8f6c1bf36ed95824365c188fffa34b61519f6 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Sat, 27 Apr 2019 16:14:45 +0000
Subject: [PATCH] Test for high-severity vulnerabilities with bandit
Use the bandit analyzer to check non-test-related Python source code for potential vulnerabilities. To start, only error on matches with severity "high" (we can ratchet it down later as lower-severity items are addressed).
---
 tox.ini | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tox.ini b/tox.ini
index 7a73d73..0888046 100644
--- a/tox.ini
+++ b/tox.ini
@@ -4,7 +4,7 @@ [tox]
 minversion = 3.1
-envlist = dist, docs, flake8, yamllint, selftest_config, py3
+envlist = bandit, dist, docs, flake8, yamllint, selftest_config, py3
 skipsdist = True
 ignore_basepython_conflict = True
@@ -16,6 +16,10 @@ setenv = PYTHONWARNINGS=default::DeprecationWarning
 commands = mudpy_selftest mudpy/tests/fixtures/test_daemon.yaml
+[testenv:bandit]
+deps = bandit
+commands = bandit -lll -r mudpy -x mudpy/tests {posargs}
+
 [testenv:demo]
 commands = mudpy {posargs}
--
2.11.0
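Review bot: `deps = bandit` in the new [testenv:bandit] is unpinned, so the version of the scanner that gates the build floats with whatever the index serves on the day, and a rule change in a new release (or a bad release) alters the pass/fail outcome with no corresponding commit in this repository; consider pinning it, e.g. `deps = bandit==<pinned-version>` (placeholder), or listing it in the project's pinned test requirements if one exists. Bandit's `-x` takes a comma-separated path list, and I recall some releases only honouring an exclusion when written as `./mudpy/tests` — worth confirming locally that the tests directory is actually skipped. Note also that a `[testenv:bandit]` `deps` line replaces rather than extends the base `[testenv]` deps, which is presumably intended here. A short comment above the section would help future readers: `# Only high-severity findings (-lll) fail the run; ratchet down as lower-severity items are addressed.`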