[openstack-dev] [Security][Bandit] Bandit gate usage

Gorka Eguileor geguileo at redhat.com
Fri Jul 3 08:39:33 UTC 2015

On Thu, Jul 02, 2015 at 07:09:41PM +0000, Kelsey, Timothy John wrote:
> Hello Stackers,
> A few intrepid projects have started adopting Bandit, an automatic security linter built by the security project, into their gate tests. This is very rewarding to see for those of us who have worked on the project and people with an interest in securing the OpenStack codebase. The list of (known) adopters so far:
> - Keystone
> - Keystone-client
> - Barbican
> - Anchor
> - Sahara
> - Magnum
> If you know of, or are involved in, a project that’s using Bandit and isn’t on our list then please let us know, it would be great to hear your feedback. If you would like to begin using it then check out our wiki for instructions here [1]. If you have no idea what this Bandit thing is then perhaps this presentation from the Vancouver summit might be interesting to you [2]. A Bandit gate job can be configured either as an experimental or non-voting job, so if you're interested in trying it out you can give it a go and decide if it's a good fit for your project before fully committing.


At Cinder we are adding [1] basic bandit configuration for high and
medium severity results as a tox option, but not running it by default
for now.


[1]: https://review.openstack.org/#/c/179568/

> Bandit is regularly discussed in the Security Project IRC meetings and feedback is very welcome. If you have questions or suggestions then feel free to drop in or reply here.
> [1] https://wiki.openstack.org/wiki/Security/Projects/Bandit
> [2] https://www.youtube.com/watch?v=hxbbpdUdU_k
> Many thanks
> --
> Tim Kelsey
> OpenStack Security member
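For readers unfamiliar with the "tox option, not run by default" setup mentioned above, here is an added illustration of such a tox environment. It is not the Cinder change under review; the package name `cinder`, the excluded test path and the `deps` line are assumptions.

```ini
# tox.ini fragment (added example, not Cinder's actual configuration)
# The environment is deliberately NOT listed in envlist, so a plain
# "tox" run skips it; developers or a non-voting gate job invoke it
# explicitly with "tox -e bandit".
[tox]
envlist = py27,pep8

[testenv:bandit]
# Bandit is pulled in only for this env, so the other envs stay unchanged.
deps = bandit
# -r   recurse into the package tree (package name is an assumption)
# -x   skip the unit tests, which legitimately contain asserts and
#      hard-coded test credentials that would otherwise be flagged
# -ll  raise the severity threshold so only MEDIUM and HIGH findings
#      are reported (-l would include LOW, -lll would report HIGH only)
commands = bandit -r cinder -x cinder/tests -ll
```

Once the results are clean at this threshold, the same command can be wired into a non-voting gate job, and only later made voting.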
