
.bandit ignored for single files #332

Open
grizz opened this issue Jul 7, 2018 · 4 comments
Labels
bug Something isn't working
Comments

@grizz

grizz commented Jul 7, 2018

When doing a single file, bandit doesn't use the .bandit file in the directory. If it's agreed that it should work like this, I'm happy to do a PR to fix it.

With a config file tests/.bandit, running

bandit -r tests/

has different results than

bandit -r tests/test_cli.py

Expected behavior
I would expect bandit to search each directory to root for a .bandit file and apply the first found to the test run.

Bandit version

bandit 1.4.0
@amacfie
Contributor

amacfie commented Jan 1, 2020

Bandit only looks for config files if the target is a directory. The relevant code is in bandit.cli.main._get_options_from_ini.
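The lookup grizz asks for in the opening post (walk from the target up to the root and apply the first .bandit found, whether the target is a file or a directory) is small enough to sketch. The following is an added, stand-alone example written for this thread; it is not bandit's own code and does not reproduce what bandit.cli.main._get_options_from_ini does. The function names, the stop_at boundary parameter and the temporary directory tree it builds (tests/.bandit, tests/test_cli.py, app.py) are all assumptions made for the demonstration; the .bandit contents follow bandit's INI layout with a [bandit] section and a skips key.

```python
import configparser
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

CONFIG_NAME = ".bandit"


def find_bandit_config(target: str, stop_at: Optional[str] = None) -> Optional[Path]:
    """Return the nearest .bandit at or above `target`, or None.

    Hypothetical lookup requested in the issue, not bandit's own behaviour:
    a file target starts the search in its own directory, a directory target
    starts in itself, and each parent is checked in turn. `stop_at` bounds
    the walk (for example at the repository root) so the search never
    wanders into unrelated parent directories.
    """
    start = Path(target).resolve()
    if start.is_file():
        start = start.parent
    boundary = Path(stop_at).resolve() if stop_at else None
    for directory in (start, *start.parents):
        candidate = directory / CONFIG_NAME
        if candidate.is_file():
            return candidate
        if boundary is not None and directory == boundary:
            break
    return None


def load_skips(config_path: Path) -> List[str]:
    """Parse the [bandit] section of an INI-style .bandit file and return the
    comma-separated test ids under `skips` (for example B101, assert_used)."""
    parser = configparser.ConfigParser()
    parser.read(config_path)
    if not parser.has_section("bandit"):
        return []
    raw = parser.get("bandit", "skips", fallback="")
    return [item.strip() for item in raw.split(",") if item.strip()]


def demo() -> Dict[str, object]:
    """Build a constructed tree in a temp dir and show that a file target and
    its directory resolve to the same .bandit, while a file outside the tests
    directory (with no config above it up to the root) resolves to none."""
    with tempfile.TemporaryDirectory() as root:
        tests_dir = Path(root) / "tests"
        tests_dir.mkdir()
        # Constructed config: skip the assert_used check under tests/.
        (tests_dir / CONFIG_NAME).write_text("[bandit]\nskips = B101\n")
        (tests_dir / "test_cli.py").write_text("def test_x():\n    assert True\n")
        (Path(root) / "app.py").write_text("print('hello')\n")

        from_dir = find_bandit_config(str(tests_dir), stop_at=root)
        from_file = find_bandit_config(str(tests_dir / "test_cli.py"), stop_at=root)
        outside = find_bandit_config(str(Path(root) / "app.py"), stop_at=root)
        return {
            "same_config": from_dir == from_file,
            "skips": load_skips(from_file) if from_file else [],
            "outside_finds_config": outside is not None,
        }


if __name__ == "__main__":
    print(demo())
```

The boundary parameter matters in an editor or CI setting, where the process working directory may be far above the repository: without it, a stray .bandit in a parent directory would silently change which checks run on a single file.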

@n-batalha

n-batalha commented Jun 7, 2020

@amacfie a use case (for me) is as follows: say I want bandit to ignore use of asserts in the tests folder. I configured .bandit to ignore that folder, but this is ignored in editors like VSCode, where it seems to run bandit on individual files while they are being edited. So I cannot rely on .bandit, and everyone needs to configure their IDE to manually exclude the tests folder via -x tests. More configs would have to be duplicated.

I assumed this was a bug as the expected behaviour is to follow the config? IIRC other linters follow the config. Is there a use case to run bandit on files excluded on the config?

@TheTechRobo

TheTechRobo commented Sep 17, 2020

This is actually really bad for CodeFactor, because I don't think it runs Bandit on a directory. So I'm getting F's for my repository, because of 99 errors regarding usage of input() in a Python 3 program. The config file does not undo those errors because of this issue. I feel like it should always look for a config file, unless there is a very good reason not to. Thoughts?

@diegovalenzuelaiturra

diegovalenzuelaiturra commented Nov 17, 2021

Hi, the following may be helpful to configure bandit, for example, to avoid raising B101 assert_used warnings on Python tests.

There are also some suggestions for how to configure VSCode to properly use .bandit and bandit.yml configuration files.
