Add bandit to pre-commit to detect common security issues

apache · Nov 5, 2023 · 267e140 · 267e140
1 parent aba8e4a
commit 267e140
Show file tree

Hide file tree

Showing 5 changed files with 90 additions and 74 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -979,6 +979,15 @@ repos:
         files: ^airflow/providers/.*/provider\.yaml|^docs/.*
         additional_dependencies: ['rich>=12.4.4', 'pyyaml', 'jinja2']
         require_serial: true
+      - id: bandit
+        name: bandit
+        description: "Bandit is a tool for finding common security issues in Python code"
+        entry: bandit
+        language: python
+        language_version: python3
+        types: [ python ]
+        require_serial: true
+        files: ^airflow/*
         ## ADD MOST PRE-COMMITS ABOVE THAT LINE
         # The below pre-commits are those requiring CI image to be built
       - id: mypy-dev

diff --git a/STATIC_CODE_CHECKS.rst b/STATIC_CODE_CHECKS.rst
@@ -140,6 +140,8 @@ require Breeze Docker image to be built locally.
 +-----------------------------------------------------------+--------------------------------------------------------------+---------+
 | ID                                                        | Description                                                  | Image   |
 +===========================================================+==============================================================+=========+
+| bandit                                                    | bandit                                                       |         |
++-----------------------------------------------------------+--------------------------------------------------------------+---------+
 | blacken-docs                                              | Run black on Python code blocks in documentation files       |         |
 +-----------------------------------------------------------+--------------------------------------------------------------+---------+
 | check-aiobotocore-optional                                | Check if aiobotocore is an optional dependency only          |         |

diff --git a/dev/breeze/src/airflow_breeze/pre_commit_ids.py b/dev/breeze/src/airflow_breeze/pre_commit_ids.py
@@ -24,6 +24,7 @@
 
 PRE_COMMIT_LIST = [
     "all",
+    "bandit",
     "blacken-docs",
     "check-aiobotocore-optional",
     "check-airflow-k8s-not-used",

diff --git a/images/breeze/output-commands-hash.txt b/images/breeze/output-commands-hash.txt
@@ -65,7 +65,7 @@ setup:version:be116d90a21c2afe01087f7609774e1e
 setup:65c45fd922535977e640faa9b93042f0
 shell:8e661773a5ee64e7b084df0883801c01
 start-airflow:4d8a8639bb9b7bb7441f878458a34801
-static-checks:06290ff4d6f24bbda96421385ba29ca2
+static-checks:36b2701d702bdd4835a9a8022b5a8c4b
 testing:db-tests:c45075080add9d991477e7f0779c9759
 testing:docker-compose-tests:fd154a058082fcfda12eb877a9a89338
 testing:helm-tests:98a9ba6631249762b1633b76a29f4461