ci: add bandit to pre-commit hooks to check for common security issues

[jenstroeger]

As mentioned in issue #5 I added the bandit tool as a pre-commit hook.

I do have a few concerns though:

• There are currently 146 open issues and 48 open pull requests, and progress seems sluggish.
• pyproject.toml configuration isn’t currently supported (issue Error parsing pyproject.tml PyCQA/bandit#733) but seems to have been committed to mainstream (commit PyCQA/bandit@44f5c41) but I couldn’t make that work.
• Our unit tests make explicit use of the assert statement which is flagged by bandit as issue B101, and it’s not possible to disable that for tests only (issue Skip configuration for certain paths only PyCQA/bandit#457); so I’ve disabled it globally through the command-line (because the pyproject.toml isn’t working).

So, while I think that bandit can be useful, in its current state it’s a bit limited and inflexible for CI.

[brad-getpassport]

My suggestion would be to make it usable for running locally but not integrated as part of a github action. This allows us to parse the issues and give feedback to bandit. Hopefully over time it these bandit issues will get fixed.

[jenstroeger]

We could add bandit to the development dependencies

python-package-template/setup.py

Lines 61 to 73 in 7292ee9

	"dev": [
	"flake8==4.0.1",
	"flake8-builtins==1.5.3",
	"flake8-docstrings==1.6.0",
	"flake8-rst-docstrings==0.2.3",
	"hypothesis==6.30.1",
	"mypy==0.910",
	"pep8-naming==0.12.1",
	"pre-commit==2.16.0",
	"pylint==2.12.2",
	"tox==3.24.4",
	"types-setuptools==57.4.2",
	],

Then it’ll be installed, and users can use it if they want… or not.

[travisjungroth]

@jenstroeger Saw this issue mentioned somewhere, and thought you might be interested in how to get the toml config working. PyCQA/bandit#902 (comment)