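---
# Bandit configuration file
# Production-ready configuration for Python security scanning.
#
# Keys Bandit reads from this file: exclude_dirs, skips, tests, and one
# mapping per configurable plugin (shell_injection, hardcoded_tmp_directory).
# Output format, report file and severity/confidence thresholds are CLI
# options, not config keys (see the reference at the bottom).

# Directories to exclude from scanning.
# Bandit matches each entry against the full file path both as a glob and as
# a plain substring, so surrounding slashes anchor an entry to one directory
# component ("/venv/" does not exclude "/venv_tools/").
exclude_dirs:
  # Python environments
  - /venv/
  - /.venv/
  - /env/
  - /.env/
  - /virtualenv/
  - /.virtualenv/
  - /site-packages/
  - /dist-packages/
  # Testing and build artifacts.
  # NOTE: excluding tests also hides fixtures that carry hard-coded
  # credentials or insecure helpers. An alternative is to scan tests/ in a
  # separate run with B101 (assert) skipped instead of excluding them.
  - /tests/
  - /test/
  - /.pytest_cache/
  - /.tox/
  - /build/
  - /dist/
  - /.eggs/
  # "/*.egg-info/" never occurs literally in a path and a glob would have to
  # match the whole path, so the bare suffix is used for the substring match.
  - .egg-info/
  # Version control and IDE
  - /.git/
  - /.svn/
  - /.hg/
  - /.idea/
  - /.vscode/
  - /__pycache__/
  # Node modules and other language dependencies
  - /node_modules/
  - /vendor/
  # Documentation and examples
  - /docs/
  - /examples/

# Tests to skip (use sparingly and document reasons).
# An explicit empty list keeps the key unambiguous: a bare "skips:" parses
# as null. Move an ID from the commented list below into it to skip it.
skips: []
# B101: Use of assert.
# Commonly safe in test files and development code; keep it enabled for
# production code because asserts are stripped under "python -O".
#   - B101
#
# B311: Standard pseudo-random generators (random module).
# Skip only when the module is used for non-security purposes (e.g. data
# generation). NEVER skip it for security tokens, session IDs or
# cryptographic operations — use the secrets module there instead.
#   - B311
#
# B404-B412: blacklisted imports.
# Skip only after the specific imports have been reviewed and allow-listed.
#   - B404  # subprocess import
#   - B405  # xml.etree.ElementTree / xml.etree.cElementTree import
#   - B406  # xml.sax import
#   - B407  # xml.dom.expatbuilder import
#   - B408  # xml.dom.minidom import
#   - B409  # xml.dom.pulldom import
#   - B410  # lxml import
#   - B411  # xmlrpclib / xmlrpc import
#   - B412  # httpoxy-vulnerable CGI handlers (wsgiref.handlers.CGIHandler)

# Specific tests to run.
# If this key is set, ONLY the listed IDs run; leave it commented out to run
# the full test set. Use it to focus a run on particular checks.
# tests:
#   - B201  # Flask app run with debug=True
#   - B301  # pickle / cPickle usage
#   - B302  # marshal usage
#   - B303  # Use of insecure MD2, MD4, MD5 or SHA1 hash
#   - B304  # Use of insecure cipher
#   - B305  # Use of insecure cipher mode
#   - B306  # Use of mktemp
#   - B307  # Use of eval
#   - B308  # Use of mark_safe
#   - B310  # Audit urlopen for permitted schemes
#   - B311  # Standard pseudo-random generators
#   - B313  # XML bad element tree (cElementTree)
#   - B314  # XML bad element tree (ElementTree)
#   - B315  # XML bad expatreader
#   - B316  # XML bad expatbuilder
#   - B317  # XML bad sax
#   - B318  # XML bad minidom
#   - B319  # XML bad pulldom
#   - B320  # XML bad etree (lxml)
#   - B321  # FTP-related functions
#   - B323  # Unverified SSL/TLS context
#   - B324  # Insecure hash functions via hashlib
#   - B601  # Paramiko call with shell=True
#   - B602  # subprocess call with shell=True
#   - B603  # subprocess call without shell=True (untrusted input audit)
#   - B604  # Any other function call with shell=True
#   - B605  # Starting a process with a shell
#   - B606  # Starting a process without a shell
#   - B607  # Starting a process with a partial executable path
#   - B608  # Possible SQL injection via string-built query
#   - B609  # Linux command wildcard injection
#   - B610  # SQL injection via Django .extra()
#   - B611  # SQL injection via Django RawSQL
#   - B701  # jinja2 autoescape=False
#   - B702  # Use of mako templates
#   - B703  # Django mark_safe usage

# Plugin configuration
# Customize individual plugin behaviors.

# Shell injection plugin configuration (B602-B607).
# Bandit does NOT merge this mapping with its built-in defaults: the mapping
# given here replaces them, so all three groups must be present. The group a
# call sits in decides which test (and which severity) fires:
#   subprocess - subprocess.* functions; shell=True is B602, otherwise B603
#   shell      - functions that always go through a shell (B605)
#   no_shell   - functions that never go through a shell (B606)
# Do not list os.system or subprocess.* under no_shell: that downgrades a
# genuine shell call to the low-severity B606 check. Add project wrappers
# that spawn processes to the matching group.
shell_injection:
  subprocess:
    - subprocess.Popen
    - subprocess.call
    - subprocess.check_call
    - subprocess.check_output
    - subprocess.run
  shell:
    - os.system
    - os.popen
    - os.popen2
    - os.popen3
    - os.popen4
    - popen2.popen2
    - popen2.popen3
    - popen2.popen4
    - popen2.Popen3
    - popen2.Popen4
    - commands.getoutput
    - commands.getstatusoutput
    - subprocess.getoutput
    - subprocess.getstatusoutput
  no_shell:
    - os.execl
    - os.execle
    - os.execlp
    - os.execlpe
    - os.execv
    - os.execve
    - os.execvp
    - os.execvpe
    - os.spawnl
    - os.spawnle
    - os.spawnlp
    - os.spawnlpe
    - os.spawnv
    - os.spawnve
    - os.spawnvp
    - os.spawnvpe
    - os.startfile

# Hard-coded temporary directory plugin configuration (B108).
# String literals that start with one of these paths are reported; these are
# Bandit's defaults, written out explicitly instead of a bare (null) key.
hardcoded_tmp_directory:
  tmp_dirs:
    - /tmp
    - /var/tmp
    - /dev/shm

# Output configuration (for reference — set via CLI, not in this file)
#   -f json                   output format (txt, json, csv, html, xml, ...)
#   -o bandit-report.json     write the report to a file
#   -v                        verbose
#   -l / -ll / -lll           minimum severity: LOW (default) / MEDIUM / HIGH
#   -i / -ii / -iii           minimum confidence: LOW (default) / MEDIUM / HIGH
#   --exit-zero               always exit 0 (report-only runs)
# Both threshold flags count up: a single -l or -i is the default and
# therefore a no-op.

# Example usage commands:
#
# Basic scan:
#   bandit -r . -c .bandit.yaml
#
# Scan with MEDIUM and HIGH severity only:
#   bandit -r . -c .bandit.yaml -ll
#
# Scan with HIGH confidence only:
#   bandit -r . -c .bandit.yaml -iii
#
# Generate JSON report:
#   bandit -r . -c .bandit.yaml -f json -o bandit-report.json
#
# Scan with enhanced analyzer script:
#   python scripts/bandit_analyzer.py . --config .bandit.yaml --html report.html

# Progressive security hardening approach (each phase gates more findings):
#
# Phase 1 - Baseline scan (all findings, report only):
#   bandit -r . -c .bandit.yaml --exit-zero
#
# Phase 2 - Block CRITICAL (HIGH severity AND HIGH confidence):
#   bandit -r . -c .bandit.yaml -lll -iii
#
# Phase 3 - Block HIGH severity:
#   bandit -r . -c .bandit.yaml -lll
#
# Phase 4 - Block MEDIUM and above:
#   bandit -r . -c .bandit.yaml -ll
#
# Phase 5 - Block all findings:
#   bandit -r . -c .bandit.yaml

# Integration with CI/CD:
# Bandit exits non-zero when it reports any finding, so a single run both
# produces the report and gates the job; a separate "|| exit 1" is redundant.
#
# GitHub Actions:
#   - name: Run Bandit
#     run: |
#       pip install bandit
#       bandit -r . -c .bandit.yaml -ll -f json -o bandit-report.json
#
# GitLab CI:
#   bandit:
#     image: python:3.11
#     script:
#       - pip install bandit
#       - bandit -r . -c .bandit.yaml -ll -f json -o bandit-report.json
#     allow_failure: false
#
# Jenkins:
#   stage('Security Scan') {
#     steps {
#       sh 'pip install bandit'
#       sh 'bandit -r . -c .bandit.yaml -ll -f json -o bandit-report.json'
#     }
#   }

# False positive handling:
#
# Suppression is per line: "# nosec" only affects the line it appears on.
# There is no block-level suppression — a "# nosec" on a line of its own
# suppresses nothing. Always name the test ID so unrelated findings on the
# same line are still reported, and keep the justification in a separate
# trailing comment so the ID list parses cleanly:
#   import pickle  # nosec B403  # internal use only, never fed user input
#
# Line-specific suppression:
#   result = eval(safe_expression)  # nosec B307  # prefer ast.literal_eval
#
# NOTE: Always document WHY a finding is suppressed.
# The security team should review all nosec comments during code review.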