Configuring Bandit

It is possible to incorporate bandit results in the TICS output for files. bandit is a security checker for Python.

Prerequisites

For a successful bandit integration, the following prerequisites must be met:

Basic configuration

By default, TICS attempts to find bandit on the PATH. Alternatively, a specific Python interpreter and/or a specific bandit instance can be used.

The configuration for bandit can be added either to SERVER.yaml, to apply it to all projects, or to PROJECTS.yaml, to enable project-specific settings. If the properties are declared in both the SERVER file and the PROJECT file, the project-specific properties override the global properties.

Syntax

The following properties can (optionally) be declared, either on SERVER or PROJECT level:

TOOLS:
  bandit:
    INTERPRETER: '/path/to/python'
    INSTALLDIR: '/path/to/directory'

Specifying a Python interpreter

The INTERPRETER property can be used to specify the path to a Python interpreter, such as /usr/bin/python. If this property is not set, the default Python interpreter will be used.

Note that the Python interpreter has an effect on the violations that bandit produces. It is recommended to use the interpreter under which the project is intended to run.

Specifying an installation dir

As an alternative to specifying a Python interpreter, an installation directory can be set through the INSTALLDIR property. This installation directory can either be a full Python installation containing bandit, or a virtual environment with access to bandit.

The installation directory can be specified either as an absolute path (e.g., /usr/local/python), or as a relative path from the chk directory (e.g., bandit).
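To make the two rules above concrete (project-level properties overriding SERVER-level ones, and a relative INSTALLDIR being taken from the chk directory), here is a small resolver. It is an added example, not TICS code: the TOOLS dictionaries stand in for already-parsed SERVER.yaml / PROJECTS.yaml content, and the chk directory path is a constructed value.

```python
"""Hypothetical helper (not part of TICS) that applies this page's rules
for the TOOLS.bandit section: project settings override server settings,
and a relative INSTALLDIR is resolved against the chk directory."""
import os
from pathlib import Path

# Constructed stand-ins for the parsed TOOLS sections of the two files.
SERVER_TOOLS = {"bandit": {"INSTALLDIR": "/usr/local/python"}}
PROJECT_TOOLS = {"bandit": {"INSTALLDIR": "bandit"}}  # relative path
CHK_DIR = "/opt/tics/chk"  # constructed location of the chk directory


def merged_bandit_settings(server_tools, project_tools):
    """Merge per property: a project-level value wins over the server value,
    while properties only set at server level are kept."""
    merged = dict(server_tools.get("bandit", {}))
    merged.update(project_tools.get("bandit", {}))
    return merged


def resolve_installdir(installdir, chk_dir):
    """Absolute paths are used as-is; relative ones are taken from chk_dir."""
    path = Path(installdir)
    if path.is_absolute():
        return str(path)
    return os.path.normpath(str(Path(chk_dir) / path))


def effective_bandit_config(server_tools, project_tools, chk_dir):
    """Return the merged settings with INSTALLDIR resolved to a full path."""
    settings = merged_bandit_settings(server_tools, project_tools)
    if "INSTALLDIR" in settings:
        settings["INSTALLDIR"] = resolve_installdir(settings["INSTALLDIR"], chk_dir)
    return settings


if __name__ == "__main__":
    # The project's relative 'bandit' overrides the server's absolute path
    # and ends up under the chk directory.
    print(effective_bandit_config(SERVER_TOOLS, PROJECT_TOOLS, CHK_DIR))
```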