Merge "Incorporate bandit support in CI"

lower-constraints.txt

@@ -5,6 +5,7 @@ appdirs==1.4.3
 asn1crypto==0.24.0
 automaton==1.9.0
 Babel==2.3.4
+bandit==1.1.0
 bashate==0.5.1
 beautifulsoup4==4.6.0
 blockdiag==1.5.3

test-requirements.txt

@@ -19,3 +19,4 @@ WebTest>=2.0.27 # MIT
 bashate>=0.5.1 # Apache-2.0
 flake8-import-order>=0.13 # LGPLv3
 Pygments>=2.2.0 # BSD
+bandit!=1.6.0,>=1.1.0,<2.0.0 # Apache-2.0

tox.ini

@@ -145,3 +145,8 @@ deps =
   -c{toxinidir}/lower-constraints.txt
   -r{toxinidir}/test-requirements.txt
   -r{toxinidir}/requirements.txt
+
+[testenv:bandit]
+basepython = python3
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r ironic -x tests -n5 -ll

zuul.d/ironic-jobs.yaml

@@ -494,3 +494,25 @@
         IRONIC_IPXE_ENABLED: False
         IRONIC_BOOT_MODE: uefi
         IRONIC_AUTOMATED_CLEAN_ENABLED: False
+
+- job:
+    # Security testing for known issues
+    name: ironic-tox-bandit
+    parent: openstack-tox
+    timeout: 2400
+    vars:
+      tox_envlist: bandit
+    required-projects:
+      - openstack/ironic
+    irrelevant-files:
+      - ^.*\.rst$
+      - ^api-ref/.*$
+      - ^doc/.*$
+      - ^driver-requirements.txt$
+      - ^install-guide/.*$
+      - ^ironic/locale/.*$
+      - ^ironic/tests/.*$
+      - ^releasenotes/.*$
+      - ^setup.cfg$
+      - ^tools/.*$
+      - ^tox.ini$

zuul.d/project.yaml

@@ -27,6 +27,8 @@
         - ironic-tempest-bfv
         - ironic-tempest-ipa-partition-uefi-pxe-grub2
         # Non-voting jobs
+        - ironic-tox-bandit:
+            voting: false
         - ironic-tempest-ipa-wholedisk-bios-pxe_snmp-tinyipa:
             voting: false
         - ironic-inspector-tempest: