chore: Remove bandit pre-commit hook, add "S" ruff linter code for bandit (#312)

nicholasjng · web-flow · commit b00c33e387b4 · 2025-01-09T23:03:01.000+01:00
Disabled for the tests and tutorials, as previously configured for bandit
in pyproject.toml.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -10,24 +10,18 @@ repos:
       - id: end-of-file-fixer
       - id: mixed-line-ending
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.13.0
+    rev: v1.14.1
     hooks:
       # See https://github.com/pre-commit/mirrors-mypy/blob/main/.pre-commit-hooks.yaml
       - id: mypy
         types_or: [python, pyi]
         args: [--ignore-missing-imports, --scripts-are-modules]
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.7.1
+    rev: v0.8.6
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]
       - id: ruff-format
-  - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.10
-    hooks:
-      - id: bandit
-        args: [-c, pyproject.toml]
-        additional_dependencies: ["bandit[toml]"]
 #   Disabled due to incompatibility with our exception translator facility.
 #   See https://github.com/jsh9/pydoclint/issues/174
 #   TODO(nicholasjng): Re-enable once fixed or an ignore facility is available.
diff --git a/pyproject.toml b/pyproject.toml
@@ -114,9 +114,9 @@ line-length = 100
 target-version = "py310"
 
 [tool.ruff.lint]
-# Enable pycodestyle errors & warnings (`E`, `W`), Pyflakes (`F`), isort (`I`),
-#  and pyupgrade (`UP`) by default.
-select = ["E", "F", "I", "W", "UP"]
+# Enable pycodestyle errors & warnings (`E`, `W`), bandit (`S`), Pyflakes (`F`),
+# isort (`I`), and pyupgrade (`UP`) by default.
+select = ["E", "F", "I", "S", "W", "UP"]
 ignore = [
     # Line too long
     "E501",
@@ -129,10 +129,10 @@ ignore = [
 "__init__.py" = ["F401"]
 "docs/tutorials/*.py" = [
     "E402",
+    "S",
 ] # Imports may appear anywhere in Jupytext notebooks
+"tests/**/*.py" = ["S"]  # Tests are not security-critical.
 
-[tool.bandit]
-exclude_dirs = ["tests", "docs/tutorials"]
 
 [tool.pytest.ini_options]
 log_cli = true
diff --git a/src/lakefs_spec/transaction.py b/src/lakefs_spec/transaction.py
@@ -108,7 +108,7 @@ def __call__(
         self.delete = delete
         self.squash = squash
 
-        ephem_name = branch_name or "transaction-" + "".join(random.choices(string.digits, k=6))  # nosec: B311
+        ephem_name = branch_name or "transaction-" + "".join(random.choices(string.digits, k=6))  # noqa: S311
         self._ephemeral_branch = Branch(self.repository, ephem_name, client=self.fs.client)
         return self
 
