[openstack-dev] [Security][Bandit] Bandit gate usage

Kelsey, Timothy John tim.kelsey at hp.com
Fri Jul 3 16:17:25 UTC 2015

On 03/07/2015 09:39, "Gorka Eguileor" <geguileo at redhat.com> wrote:

>On Thu, Jul 02, 2015 at 07:09:41PM +0000, Kelsey, Timothy John wrote:
>> Hello Stackers,
>> A few intrepid projects have started adopting Bandit, an automatic
>>security linter built by the security project, into their gate tests.
>>This is very rewarding to see for those of us who have worked on the
>>project and people with an interest in securing the OpenStack codebase.
>>The list of (known) adopters so far:
>> - Keystone
>> - Keystone-client
>> - Barbican
>> - Anchor
>> - Sahara
>> - Magnum
>> If you know of, or are involved in a project that's using Bandit and
>>isn't on our list then please let us know, it would be great to hear
>>your feedback. If you would like to begin using it then check out our
>>wiki for instructions here [1].  If you have no idea what this Bandit
>>thing is then perhaps this presentation from the Vancouver summit might
>>be interesting to you [2]. A Bandit gate job can be configured either as
>>an experimental or non-voting job, so if you're interested in trying it
>>out you can give it a go and decide if it's a good fit for your project
>>before fully committing.
>At Cinder we are adding [1] basic bandit configuration for high and
>medium severity results as a tox option, but not running it by default
>for now.

Thanks for letting us know, Gorka. I'm pleased bandit is on the Cinder
radar. I hope it's working out for you; please reach out if you have any
suggestions or concerns with the tool.

>[1]: https://review.openstack.org/#/c/179568/
>> Bandit is regularly discussed in the Security Project IRC meetings and
>>feedback is very welcome. If you have questions or suggestions then feel
>>free to drop in or reply here.
>> [1] https://wiki.openstack.org/wiki/Security/Projects/Bandit
>> [2] https://www.youtube.com/watch?v=hxbbpdUdU_k
>> Many thanks
>> --
>> Tim Kelsey
>> OpenStack Security member
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: 
>>OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
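The opt-in tox setup Gorka describes, as an added illustration that is not the Cinder change itself or anything from this thread; the environment name, the scanned directory and the exact bandit flags are assumptions:

```ini
# Added illustration of an opt-in Bandit tox environment (not Cinder's own config).
[tox]
envlist = py27,pep8
# "bandit" is deliberately left out of envlist, so a plain `tox` run never
# executes it; developers and a non-voting gate job invoke it explicitly
# with `tox -e bandit`.

[testenv:bandit]
deps = bandit
commands = bandit -r cinder -n 5 -ll
# -r cinder : scan the package tree recursively (directory name assumed)
# -n 5      : print five lines of context around each finding
# -ll       : raise the reported severity floor twice, so only medium and
#             high severity results are shown (a single -l would also
#             include low severity findings)
```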

