It is possible to incorporate bandit results in the TICS output for files. bandit is a security checker for Python.

For a successful bandit integration, the following prerequisite must be met: bandit and its requirements must be available. By default, TICS attempts to find bandit on the PATH. Alternatively, a specific Python interpreter and/or a specific bandit instance can be used.
The configuration for bandit can be added either to SERVER.yaml, to apply it to all projects, or to PROJECTS.yaml, to enable project-specific settings. If the properties are declared in both the SERVER file and the PROJECT file, the project-specific properties override the global properties.

The following properties can (optionally) be declared, either on SERVER or PROJECT level:
    TOOLS:
      bandit:
        INTERPRETER: '/path/to/python'
        INSTALLDIR: '/path/to/directory'
The INTERPRETER property can be used to specify the path to a Python interpreter, such as /usr/bin/python. If this property is not set, the default Python interpreter will be used.

Note that the Python interpreter has an effect on the violations that are produced by bandit. It is recommended to use the interpreter in which the project is supposed to run.

As an alternative to specifying a Python interpreter, an installation directory can be set through the INSTALLDIR property. This installation directory can be either a full Python installation containing bandit, or a virtual environment with access to bandit. The installation directory can be specified either as an absolute path (e.g., /usr/local/python) or as a path relative to the chk directory (e.g., bandit).
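The precedence and path rules described above (project overrides server; INSTALLDIR absolute or relative to the chk directory; PATH lookup as the fallback), modelled in Python as an added illustration. This is not TICS code: the page does not document how TICS actually invokes bandit, so running it as `python -m bandit` for INTERPRETER, the bin/bandit layout under INSTALLDIR, and INTERPRETER taking precedence when both are set are assumptions of this example.

```python
import posixpath
import shutil


def merge_bandit_settings(server_yaml: dict, project_yaml: dict) -> dict:
    """Merge TOOLS.bandit properties; PROJECTS.yaml entries override SERVER.yaml."""
    merged = dict(server_yaml.get("TOOLS", {}).get("bandit", {}))
    merged.update(project_yaml.get("TOOLS", {}).get("bandit", {}))
    return merged


def resolve_bandit(settings: dict, chk_dir: str, which=shutil.which):
    """Return the argv that would run bandit, or None if bandit cannot be found.

    Assumptions (not stated on the page): INTERPRETER runs bandit as a module of
    that interpreter and wins over INSTALLDIR when both are set; INSTALLDIR is
    expected to contain bin/bandit (POSIX layout); otherwise PATH is searched.
    """
    interpreter = settings.get("INTERPRETER")
    if interpreter:
        return [interpreter, "-m", "bandit"]

    install_dir = settings.get("INSTALLDIR")
    if install_dir:
        if not posixpath.isabs(install_dir):
            # A relative INSTALLDIR is taken relative to the chk directory.
            install_dir = posixpath.join(chk_dir, install_dir)
        return [posixpath.join(install_dir, "bin", "bandit")]

    found = which("bandit")  # default: whatever bandit is first on PATH
    return [found] if found else None


if __name__ == "__main__":
    # Constructed sample: the server sets a venv next to chk, one project overrides it.
    server = {"TOOLS": {"bandit": {"INSTALLDIR": "bandit"}}}
    project = {"TOOLS": {"bandit": {"INSTALLDIR": "/opt/project-venv"}}}
    print(resolve_bandit(merge_bandit_settings(server, {}), "/opt/tics/chk"))
    print(resolve_bandit(merge_bandit_settings(server, project), "/opt/tics/chk"))
```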