How can I make bandit skip B101 within tests?

I'm using bandit to check my code for potential security issues:

bandit -r git-repository/

However, the most common item found by bandit is B101. It is triggered by assert statements within tests. I use pytest, so this is not a concern, but a good practice. I've now created a .bandit file with

[bandit]
skips: B101

But that also skips a lot of other code. Is there a solution to this issue?

Martin Thoma Avatar asked Sep 10 '20 11:09

2 Answers

A possible solution is to tell bandit to skip tests altogether. Assuming your code lives in a src subfolder, run

bandit --configfile bandit.yaml --recursive src

with the following bandit.yaml in the project's root directory

# Do not check paths including `/tests/`:
# they use `assert`, leading to B101 false positives.
exclude_dirs:
    - '/tests/'

There is a bunch of related issues and pull requests.

Update: I like Diego's solution better.

angelo-peronio Avatar answered Sep 22 '22 14:09

Based on this comment,

when using --recursive the whole path is fnmatched against the glob_list, therefore an --exclude_dir expression test_*.py doesn't match and exclude (py)test files in subdirectories; for that, */test_*.py is needed.

The following configuration should solve your problem:

# Skip B101 (assert_used) in pytest files anywhere in the tree;
# the pattern is fnmatched against the whole file path.
assert_used:
  skips: ["*/test_*.py"]
diegovalenzuelaiturra Avatar answered Sep 18 '22 14:09

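To see the path-matching behaviour the quoted comment describes, here is an added Python illustration (not code from the question or either answer) that runs the two glob spellings through fnmatch against a constructed set of file paths. It assumes, as the comment states, that each pattern is matched against the whole relative path of a file; the sample paths are made up for the demo.

```python
"""Why a bare glob such as ``test_*.py`` misses pytest files in subdirectories.

Added illustration, not code from the question or either answer. It assumes,
as the quoted comment states, that the pattern is fnmatch-ed against the
whole path of each file; the file paths below are constructed for the demo.
"""
import fnmatch

# Constructed sample of the paths a recursive scan of a repository would visit.
SAMPLE_PATHS = [
    "src/mypkg/core.py",
    "src/mypkg/tests/test_core.py",
    "tests/test_cli.py",
    "tests/unit/test_parser.py",
    "test_toplevel.py",
]


def matching_paths(patterns, paths=SAMPLE_PATHS):
    """Return the paths that at least one fnmatch-style pattern matches.

    fnmatch anchors the pattern at the start of the string and treats ``*``
    as "any run of characters, including ``/``", so a leading ``*/`` is what
    lets a pattern reach files in nested directories.
    """
    return [p for p in paths if any(fnmatch.fnmatch(p, pat) for pat in patterns)]


def unmatched_paths(patterns, paths=SAMPLE_PATHS):
    """Return the paths the patterns leave subject to B101 reporting."""
    matched = set(matching_paths(patterns, paths))
    return [p for p in paths if p not in matched]


if __name__ == "__main__":
    for patterns in (["test_*.py"], ["*/test_*.py"], ["test_*.py", "*/test_*.py"]):
        print(patterns)
        print("  skipped:      ", matching_paths(patterns))
        print("  still checked:", unmatched_paths(patterns))
```

Run as a script, it shows that `test_*.py` only reaches a test file sitting at the repository root, `*/test_*.py` reaches every nested one but not the root-level file, and listing both covers all test files while leaving `src/mypkg/core.py` checked.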