Difference between revisions of "Security/Projects/Bandit"
(→Overview) |
m (→Overview) |
||
| Line 6: | Line 6: | ||
Bandit is currently a stand-alone tool which can be downloaded by end-users and run against arbitrary source code. As it matures and is proven to be useful, we see it being a possible addition to OpenStack CI gate tests with non-voting and eventually voting capabilities. | Bandit is currently a stand-alone tool which can be downloaded by end-users and run against arbitrary source code. As it matures and is proven to be useful, we see it being a possible addition to OpenStack CI gate tests with non-voting and eventually voting capabilities. | ||
| − | Bandit can be obtained by cloning the repository at https://git.openstack.org/stackforge/bandit.git. The README.md file contains documentation regarding installation, usage, and configuration. | + | Bandit can be obtained by cloning the repository at https://git.openstack.org/stackforge/bandit.git. The [https://github.com/stackforge/bandit/blob/master/README.md README.md] file contains documentation regarding installation, usage, and configuration. |
==Contributing== | ==Contributing== | ||
Revision as of 18:18, 21 November 2014
Contents
Overview
Bandit provides a framework for performing security analysis of Python source code, utilizing the ast module from the Python standard library.
The ast module is used to convert source code into a parsed tree of Python syntax nodes. Bandit allows users to define custom tests that are performed against those nodes. At the completion of testing, a report is generated that lists security issues identified within the target source code.
Bandit is currently a stand-alone tool which can be downloaded by end-users and run against arbitrary source code. As it matures and is proven to be useful, we see it being a possible addition to OpenStack CI gate tests with non-voting and eventually voting capabilities.
Bandit can be obtained by cloning the repository at https://git.openstack.org/stackforge/bandit.git. The README.md file contains documentation regarding installation, usage, and configuration.
Contributing
Bandit makes use of the OpenStack CI infrastructure provided through StackForge:
- https://github.com/stackforge/bandit
- http://git.openstack.org/cgit/stackforge/bandit/
- https://review.openstack.org/#/q/status:open+project:stackforge/bandit,n,z
An easy way to contribute is to write a plugin/test that will allow Bandit to identify more security issues. Extensions and improvements to the underlying framework are also welcomed, although we'll be attempting to maintain stability in the interface that is presented to plugins.
See the links above for Bandit-specific information, and Gerrit Workflow for information on the general contribution/review workflow.
TODO
Further development of Bandit framework:
- Fix bug with recognizing strings in docstrings
- TBD
Development of plugins/tests:
- TBD
- TBD
Team
Bandit is a project from the OpenStack Security Group.
Core project team:
- Jamie Finnigan (chair6)
- Travis McPeak (tmcpeak)
- Nathan Kinder (nkinder)
- Tim Kelsey (tkelsey)
