Bandit Issue with Pyproject.toml

Question

I'm trying to use pyproject.toml to exclude the venv/ directory. But it is not recognising the option.

[tool.bandit]
exclude = "/venv"

[tool.black]
exclude = "(venv)"

[tool.isort]
profile = "black"
skip = "venv"
balanced_wrapping = true
atomic = true

If I use the CLI option like so:

$ bandit -v -r . --exclude "/venv"

the directory is excluded. But if I just run bandit, it doesn't exclude the directory even though I have it in the pyproject.toml.

My bandit version is: 1.7.1.

Answer 1

exclude did not work for me, so I looked through official docs and found this:

We can specify dirs (and files as well) that we want to exclude in a list format

pyproject.toml:

[tool.bandit]
exclude_dirs = ["venv",]

From this documentation:

"Also you can configure bandit via pyproject.toml file. In this case you would explicitly specify the path to configuration via -c too."

Therefore, CLI option would look like this:

bandit -v -r . -c "pyproject.toml"

(will work without quotes as well)

---

---

I've never used bandit before, so if I got your question wrong - please feel free to write back, we will figure that out :D

Answer 2

To exclude directory venv, this command works fine for me :

bandit -r . -x */venv/*