fix: security (bandit) detector ignores config-level excludes#620
Open
Loreweavr wants to merge 1 commit into
`desloppify exclude <dir>` is respected by the file-discovery detectors but not by the Python security detector: `detect_python_security` built bandit's `--exclude` from `collect_exclude_dirs(scan_root)`, which only sees the runtime context's exclusions (empty there) plus the built-in defaults. The persisted config excludes were never threaded in, so bandit recursively re-scanned excluded directories and reported security findings from them.

Load the config excludes and pass them via `collect_exclude_dirs(extra_exclusions=)` alongside `get_exclusions()`.

Adds a regression test (there was no bandit exclude-flag test, which is how this slipped through).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem

`desloppify exclude <dir>` is honoured by the file-discovery detectors (duplication, orphaned, unused, …) but not by the Python security / bandit detector — it keeps reporting findings from excluded directories (e.g. a vendored library you don't own).

Minimal repro:

Root cause

`detect_python_security` (`languages/python/_security.py`) builds bandit's `--exclude` list from `collect_exclude_dirs(scan_root)`. That uses `get_exclusions(runtime=None)`, which resolves to a runtime context whose `.exclusions` is empty here — so only the built-in `DEFAULT_EXCLUSIONS` (`.git`, `node_modules`, …) reach bandit. The persisted config excludes (`config["exclude"]`, what `desloppify exclude` writes) are never threaded in, so `bandit -r` recursively rescans them.

The bandit adapter already supports `--exclude` correctly — the excludes simply never arrive.

Fix

Load the config excludes in `detect_python_security` and pass them through `collect_exclude_dirs(extra_exclusions=…)` alongside `get_exclusions()`.

Tests

There was no bandit exclude-flag test (only ruff ones), which is how this slipped through. Adds `TestBanditSecurityExcludeFlag` to `tests/detectors/test_external_adapters_exclude_flags.py`. Confirmed it fails without the fix (the exclude list contains only the defaults) and passes with it. Full `languages/python/` + `detectors/security/` suites: 379 passed.

Environment where observed: Windows, Python 3.13, bandit 1.9.4.

🤖 Generated with Claude Code
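The root cause and the regression test described in the PR, as an added standalone model that is not desloppify's own code: a simplified `collect_exclude_dirs` with the buggy and fixed bandit argv builders side by side, a `runner` injection point so a test can capture the argv without bandit installed, and a helper that reports which config excludes the command would still let bandit scan. The function names mirror the PR but their signatures, the `DEFAULT_EXCLUSIONS` subset and the `scan_with_bandit`/`runner` shape are assumptions.

```python
"""Added model of the exclude-flag bug; simplified stand-in, not desloppify's own code."""
import subprocess
from pathlib import Path

# Illustrative subset of the built-in defaults (assumed names, not the real list).
DEFAULT_EXCLUSIONS = {".git", "node_modules", "__pycache__"}


def collect_exclude_dirs(scan_root, runtime_exclusions=(), extra_exclusions=()) -> list[str]:
    """Resolve exclusion names to paths under scan_root: defaults + runtime + extra."""
    root = Path(scan_root)
    names = DEFAULT_EXCLUSIONS | set(runtime_exclusions) | set(extra_exclusions)
    return sorted(str(root / name) for name in names)


def bandit_argv_buggy(scan_root, runtime_exclusions=(), config_excludes=()) -> list[str]:
    """Before: config_excludes is accepted but never passed on, so only the defaults plus
    the (usually empty) runtime exclusions reach bandit and it re-scans excluded dirs."""
    excludes = collect_exclude_dirs(scan_root, runtime_exclusions)
    return ["bandit", "-r", str(scan_root), "-f", "json", "--exclude", ",".join(excludes)]


def bandit_argv_fixed(scan_root, runtime_exclusions=(), config_excludes=()) -> list[str]:
    """After: persisted config excludes are threaded in via extra_exclusions."""
    excludes = collect_exclude_dirs(scan_root, runtime_exclusions, extra_exclusions=config_excludes)
    return ["bandit", "-r", str(scan_root), "-f", "json", "--exclude", ",".join(excludes)]


def scan_with_bandit(scan_root, config: dict, runner=None, fixed: bool = True):
    """Build the command and hand it to `runner` (subprocess.run by default).
    A test injects a fake runner to capture argv; bandit itself need not be installed."""
    build = bandit_argv_fixed if fixed else bandit_argv_buggy
    argv = build(scan_root, config_excludes=config.get("exclude", []))
    if runner is None:
        runner = lambda a: subprocess.run(a, capture_output=True, text=True, check=False)
    return runner(argv)


def exclude_flag_paths(argv: list[str]) -> set[str]:
    """Regression-test helper: the set of paths actually handed to bandit's --exclude."""
    return set(argv[argv.index("--exclude") + 1].split(","))


def missing_excludes(scan_root, config: dict, argv: list[str]) -> set[str]:
    """Config excludes the command would still let bandit scan (empty once fixed)."""
    root = Path(scan_root)
    wanted = {str(root / name) for name in config.get("exclude", [])}
    return wanted - exclude_flag_paths(argv)
```

Running `missing_excludes` against the buggy argv is the shape of check the PR says was absent: it fails before the fix (the vendored dir is still scanned) and passes after it.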