Merge pull request #113 from awsntheule/bugfix/issue-101

Bugfix/issue 101

Author: scrthq

CHANGELOG.md

@@ -1,21 +1,23 @@
 # Automated Security Helper - CHANGELOG
+- [v2.0.1](#v201)
+    - [What's Changed](#whats-changed)
 - [v2.0.0](#v200)
     - [Breaking Changes](#breaking-changes)
     - [Features](#features)
     - [Fixes](#fixes)
 - [v1.5.1](#v151)
-    - [What's Changed](#whats-changed)
-- [v1.5.0](#v150)
     - [What's Changed](#whats-changed-1)
+- [v1.5.0](#v150)
+    - [What's Changed](#whats-changed-2)
     - [New Contributors](#new-contributors)
 - [v1.4.1](#v141)
-    - [What's Changed](#whats-changed-2)
-- [v1.4.0](#v140)
     - [What's Changed](#whats-changed-3)
-- [v1.3.3](#v133)
+- [v1.4.0](#v140)
     - [What's Changed](#whats-changed-4)
-- [v1.3.2](#v132)
+- [v1.3.3](#v133)
     - [What's Changed](#whats-changed-5)
+- [v1.3.2](#v132)
+    - [What's Changed](#whats-changed-6)
     - [New Contributors](#new-contributors-1)
 - [1.3.0 - 2024-04-17](#130---2024-04-17)
     - [Features](#features-1)
@@ -28,6 +30,12 @@
 - [1.0.5-e-06Mar2023](#105-e-06mar2023)
 - [1.0.1-e-10Jan2023](#101-e-10jan2023)
 
+## v2.0.1
+
+### What's Changed
+
+- Fix handling of Bandit config files in util script
+
 ## v2.0.0
 
 ### Breaking Changes

docs/content/faq.md

@@ -22,3 +22,9 @@ For additional CI pipeline support, please refer to the [Running ASH in CI](./tu
 ## How can I run `ash` with [finch](https://aws.amazon.com/blogs/opensource/introducing-finch-an-open-source-client-for-container-development/) or another OCI compatible tool?
 
 You can configure the OCI compatible tool to use with by using the environment variable `OCI_RUNNER`
+
+## Can I use a Bandit configuration file when `ash` runs?
+
+Yes, `ash` will use a bandit configuration file if it is placed at the root of your project directory. It must be named `.bandit`, `bandit.yaml`, or `bandit.toml`. Configuration files must be formatted properly according to the [Bandit documentation](https://bandit.readthedocs.io/en/latest/config.html).
+
+> Note: paths excluded in a Bandit configuration file must begin with a `/` because `ash` uses an absolute path when calling `bandit`.

pyproject.toml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 [tool.poetry]
 name = "automated-security-helper"
-version = "2.0.0"
+version = "2.0.1"
 description = ""
 authors = ["Nate Ferrell <[email protected]>", "Nathan Bates <[email protected]>"]
 license = "Apache-2.0"

utils/py-docker-execute.sh

@@ -57,7 +57,17 @@ echo "<<<<<< end identifyipynb output for Jupyter notebook conversion <<<<<<" >>
 # Run bandit on both the source and output directories
 scan_paths=("${_ASH_SOURCE_DIR}" "${_ASH_OUTPUT_DIR}/work")
 
-BANDIT_ARGS="--exclude=\"*venv/*\" --severity-level=all"
+if [ -f "${_ASH_SOURCE_DIR}/.bandit" ]; then
+  BANDIT_ARGS="--ini ${_ASH_SOURCE_DIR}/.bandit"
+elif [ -f "${_ASH_SOURCE_DIR}/bandit.yaml" ]; then
+  BANDIT_ARGS="-c ${_ASH_SOURCE_DIR}/bandit.yaml"
+elif [ -f "${_ASH_SOURCE_DIR}/bandit.toml" ]; then
+  BANDIT_ARGS="-c ${_ASH_SOURCE_DIR}/bandit.toml"
+else
+  BANDIT_ARGS="--exclude=\"*venv/*\" --severity-level=all"
+fi
+
+debug_echo "[py] BANDIT_ARGS: '${BANDIT_ARGS}'"
 debug_echo "[py] ASH_OUTPUT_FORMAT: '${ASH_OUTPUT_FORMAT:-text}'"
 if [[ "${ASH_OUTPUT_FORMAT:-text}" != "text" ]]; then
   debug_echo "[py] Output format is not 'text', setting output format options to JSON to enable easy translation into desired output format"