default config file name

[davidak]

Is your feature request related to a problem? Please describe.
The doc say i should create a YAML config file, but not how to name it. https://bandit.readthedocs.io/en/latest/config.html

Describe the solution you'd like
Please recommend a sane default name, so it is consistent in any project and can be found by CI etc.

I recommend using .bandit.yml because it is hidden on Linux, UNIX and macOS and has an extension.

Describe alternatives you've considered
I don't see any alternatives. Leaving it as is leads to chaos!

Additional context
Codacy says: "You can also use custom .bandit or bandit.yml config file."
I have also seen bandit.yaml in earlier issues.

For a sane solution, i look what similar tools do.

Most .name for INI-style config or .name.yml for YAML config.

pylintrc or .pylintrc: https://pylint.readthedocs.io/en/latest/user_guide/run.html#command-line-options

.flake8

.pycodestyle or config in setup.cfg or tox.ini: http://pycodestyle.pycqa.org/en/latest/intro.html#configuration

.pydocstyle, .pydocstyle.ini, .pydocstylerc, .pydocstylerc.ini: http://www.pydocstyle.org/en/2.1.1/usage.html#configuration-files

.coveragerc

.travis.yml, .circleci, .github, .appveyor.yml

[davidak]

bandit.yaml is specified in https://github.com/PyCQA/bandit/blob/master/bandit/cli/main.py#L31 but get not loaded, also no hint in readme, doc or help output, so i supposed there is no default... is it an error that the file get not loaded or a feature?

[lukehinds]

bandit.yaml is commonly used in OpenStack, but as it stands its ultimately up to the user by means of the -c arg.

Having said that, I am not strongly opposed to using a recommended default of .bandit.yml in the docs as long as its clear its a recommended naming convention and not a direct map to bandits chosen config (otherwise folks will assume their bandit config will auto load as they used the default naming convention).

[davidak]

folks will assume their bandit config will auto load

i think such behavior was present in an earlyer version. why was that changed?

[lukehinds]

I have no recollection of there ever been a default, its always been None as far as I remember:

bandit/bandit/cli/main.py

Line 174 in 094a2d4

action='store', default=None, type=str,

[xuhcc]

There is a section in readme file which suggests using a .bandit file:

https://github.com/PyCQA/bandit/blob/master/README.rst#per-project-command-line-args

To use this, put a .bandit file in your project's directory.

This sounds like .bandit is a default name for config file.

[rooterkyberian]

I find it tremendously useful when a tool has a well known default config filename, since I can quickly see if project is using a particular tool, and what proves even more useful: search thru github repositories by filename (e.g. filename:.bandit.yaml) to see different, working configurations example.

[lukehinds]

ok, if someone can make a patch making bandit.yml the default, please go ahead.

But it's imperative we keep the -e arg present for those who have already implemented their own config naming.

[ericwb]

.bandit is for command line options. It is a INI file format, not YAML.

bandit.yml or whatever *.yml a user passes to -c is for more extensive customization of test plugins.

Please do not try to combine or change the naming. If anything, the documentation should be made more clear as evident by the comments in this issue.

[rooterkyberian]

Whats is wrong with combining the two in single yml? as you can see it is confusing for the users (myself included) and trying to fix that with additional documentation when combining the two seems to be

• simpler (1 file, with a default name, instead of 2 with some loose naming recommendations)
  • default filename makes it much simpler to search for on github as well for "most common configuration options"
• reduced amount documentation required to read (&maintain)
• will be backwards compatible
  • .bandit (ini) users will still be able to use it as they did in the past
  • YAML config users shouldn't have conflicting keys in the first place

What are the drawbacks that I'm not seeing that out weight the benefits?