From 30583805cdae41104e53320b948435c49d38fdd2 Mon Sep 17 00:00:00 2001
From: counterweight
Date: Sun, 21 Dec 2025 21:56:46 +0100
Subject: [PATCH] Add bandit for Python security linting

- Add bandit as dev dependency
- Configure in pyproject.toml (exclude venv/tests)
- Skip B101 (assert) and B311 (random for non-crypto)
- Add Makefile target: security-backend
---
 Makefile               | 5 ++++-
 backend/pyproject.toml | 8 ++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index b6fb1cb..a440b5d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: install-backend install-frontend install setup-hooks backend frontend db db-stop db-ready db-seed dev test test-backend test-frontend test-e2e typecheck generate-types generate-types-standalone check-types-fresh check-constants lint-backend format-backend fix-backend
+.PHONY: install-backend install-frontend install setup-hooks backend frontend db db-stop db-ready db-seed dev test test-backend test-frontend test-e2e typecheck generate-types generate-types-standalone check-types-fresh check-constants lint-backend format-backend fix-backend security-backend
 
 -include .env
 export
@@ -102,3 +102,6 @@ format-backend:
 
 fix-backend:
 	cd backend && uv run ruff check --fix . && uv run ruff format .
+
+security-backend:
+	cd backend && uv run bandit -r . -c pyproject.toml
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index bc09aae..c449ea3 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -22,6 +22,7 @@ dev = [
     "mypy>=1.13.0",
     "ruff>=0.14.10",
     "pytest-cov>=7.0.0",
+    "bandit>=1.9.2",
 ]
 
 [tool.mypy]
@@ -68,3 +69,10 @@ exclude_lines = [
 ]
 show_missing = true
 
+[tool.bandit]
+exclude_dirs = ["tests", ".venv"]
+skips = [
+    "B101",  # assert warnings (used in tests)
+    "B311",  # random for non-security purposes (invite codes)
+]
+
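Review bot: The new `security-backend` target only runs when someone invokes it by hand; nothing in this hunk adds it as a prerequisite of an aggregate target or to whatever `setup-hooks` installs, so the scan will not gate `make test` or commits unless that wiring exists outside the hunk. If the intent is a standing control, make it a prerequisite of an existing aggregate, e.g. `lint-backend: ... security-backend` (that rule is defined outside this hunk), or call it from CI. Keep in mind that bandit exits non-zero when it reports any finding, which is what makes the target usable as a gate but also means a single low-severity hit fails the run; if that proves too noisy, `-ll` (medium severity and above) is the usual compromise rather than adding more entries to `skips`.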
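Review bot: Skipping `B101` globally is redundant with `exclude_dirs = ["tests", ".venv"]` and widens the blind spot to application code: the `tests` directory is already excluded, so the only asserts the skip silences are the ones outside tests, and those are exactly what B101 exists to catch (they vanish under `python -O`). Suggest dropping `"B101"` from `skips` and, where an assert in application code is deliberate, marking that single line with `# nosec B101`. The global `B311` skip has the same shape: if `random` is only used for invite codes, a `# nosec B311` on that call keeps any future `random` use in a security-sensitive path visible, and if the invite codes themselves grant access to anything, the call should move to `secrets` and the skip should not exist at all. Also, the commit message says `venv` is excluded but the config only lists `.venv`; add `"venv"` to `exclude_dirs` if both layouts occur, and drop the trailing blank `+` line so the file ends with a single newline.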