[openstack-dev] [Security][Bandit] Bandit gate usage

Kelsey, Timothy John tim.kelsey at hp.com
Thu Jul 2 19:09:41 UTC 2015


Hello Stackers,
A few intrepid projects have started adopting Bandit, an automatic security linter built by the security project, into their gate tests. This is very rewarding to see for those of us who have worked on the project and people with an interest in securing the OpenStack codebase. The list of (known) adopters so far:

- Keystone
- Keystone-client
- Barbican
- Anchor
- Sahara
- Magnum

If you know of, or are involved in, a project that's using Bandit and isn't on our list then please let us know; it would be great to hear your feedback. If you would like to begin using it then check out our wiki for instructions here [1]. If you have no idea what this Bandit thing is then perhaps this presentation from the Vancouver summit might be interesting to you [2]. A Bandit gate job can be configured either as an experimental or non-voting job, so if you're interested in trying it out you can give it a go and decide if it's a good fit for your project before fully committing.

Bandit is regularly discussed in the Security Project IRC meetings and feedback is very welcome. If you have questions or suggestions then feel free to drop in or reply here.

[1] https://wiki.openstack.org/wiki/Security/Projects/Bandit
[2] https://www.youtube.com/watch?v=hxbbpdUdU_k

Many thanks

--
Tim Kelsey
OpenStack Security member
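Editor's added example (not part of Tim's message and not Bandit's own code): to make concrete what an "automatic security linter" of Bandit's kind does and how its result feeds a gate job, the following stand-alone script walks the Python AST of a constructed sample module and applies three simplified checks (subprocess with shell=True, eval/exec, a string literal assigned to a password-like name), then derives the exit status a gate job would key on. The test IDs X001-X003, the severity threshold and the sample source are all assumptions made up for this illustration; Bandit's real plugin set, IDs and configuration are documented on the wiki at [1].

```python
"""Simplified AST-based security linter in the style of Bandit.

Added illustration only: the check names, IDs (X001-X003) and sample
module below are hypothetical and are not Bandit's own code or plugins.
"""
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    test_id: str
    lineno: int
    severity: str
    message: str


class SimpleSecurityVisitor(ast.NodeVisitor):
    """Visits every node once and records findings, the way an AST linter does."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        name = None
        if isinstance(func, ast.Name):
            name = func.id
        elif isinstance(func, ast.Attribute):
            name = func.attr
        # X001: subprocess-style call with shell=True (command injection risk)
        if name in {"call", "run", "Popen", "check_output", "check_call"}:
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding(
                        "X001", node.lineno, "HIGH",
                        "subprocess call with shell=True"))
        # X002: eval()/exec() on arbitrary input
        if isinstance(func, ast.Name) and func.id in {"eval", "exec"}:
            self.findings.append(Finding(
                "X002", node.lineno, "MEDIUM", f"use of {func.id}()"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # X003: non-empty string literal assigned to a password/secret-like name
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        key in target.id.lower()
                        for key in ("password", "passwd", "secret")):
                    self.findings.append(Finding(
                        "X003", node.lineno, "LOW",
                        f"possible hardcoded secret in '{target.id}'"))
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<string>") -> List[Finding]:
    """Parse one module's source text and return findings ordered by line."""
    tree = ast.parse(source, filename=filename)
    visitor = SimpleSecurityVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings, key=lambda f: f.lineno)


SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def gate_exit_code(findings: List[Finding], min_severity: str = "MEDIUM") -> int:
    """Exit status a gate job would use: 1 if any finding meets the threshold.

    A non-voting or experimental job reports this status without blocking
    the merge; a voting job would fail the change on a non-zero status.
    """
    threshold = SEVERITY_RANK[min_severity]
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


# Constructed sample module (hypothetical, for the demonstration only).
SAMPLE_SOURCE = '''\
import subprocess

DB_PASSWORD = "hunter2"

def list_dir(path):
    return subprocess.check_output("ls " + path, shell=True)

def compute(expr):
    return eval(expr)

def safe_list_dir(path):
    return subprocess.check_output(["ls", path])
'''


if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE, "sample.py")
    for f in found:
        print(f"{f.test_id} [{f.severity}] line {f.lineno}: {f.message}")
    raise SystemExit(gate_exit_code(found))
```

Run against the sample it reports the hardcoded secret (line 3), the shell=True call (line 6) and the eval (line 9), while the list-form subprocess call passes; with the MEDIUM threshold the script exits 1, which is the signal a gate job turns into a failed (voting) or merely reported (non-voting/experimental) result.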
