- Fix 20 ruff errors: UP035 (Callable import), UP042 (StrEnum), E501 (line length), F401 (unused imports), UP045 (Optional -> X | None), I001 (import sorting)
- Fix mypy error: wrap slowapi rate limit handler with Exception-compatible signature for add_exception_handler
- Pin pip >= 25.3 in Dockerfile (CVE-2025-8869, CVE-2026-1703)
- Add nosec B104 to config.py (container-bound 0.0.0.0 is acceptable)
- Add nosec B101 to telemetry.py (assert for type narrowing)
- Create bandit.yaml to suppress B404/B607/B603 in gates/ tooling

Fixes #365

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
24 lines
942 B
YAML
```yaml
# Bandit security linting configuration for mosaic-coordinator
#
# Suppressions documented below. All are intentional and reviewed.
#
# B104 (bind to 0.0.0.0): Inline nosec in src/config.py.
# Container-bound service — must listen on all interfaces inside Docker.
#
# B101 (assert usage): Inline nosec in src/telemetry.py.
# Assert used for type narrowing after None guard (satisfies mypy).
#
# B404, B607, B603 (subprocess usage): Skipped globally.
# Only triggered in src/gates/ quality gate tooling, which intentionally
# invokes external tools (pytest, ruff, mypy) via subprocess as its
# core functionality. No other source files use subprocess.

skips:
  - B404 # import subprocess — only in gates/ (intentional)
  - B607 # start process with partial path — only in gates/ (intentional)
  - B603 # subprocess call without shell=True — only in gates/ (intentional)

exclude_dirs:
  - tests
  - venv
```