# Bandit configuration for Python security scanning
# https://bandit.readthedocs.io/

# NOTE(review): Bandit's TOML support is documented for pyproject.toml-style
# files, where settings live under `[tool.bandit]`. Confirm that the command
# or wrapper that runs Bandit really reads this `[bandit]` table; if it does
# not, none of the settings in this file are applied to the scan.
[bandit]
# Directories left out of the scan. Code under these paths produces no
# findings at all, so keep the list limited to tests, virtualenvs, VCS
# metadata and build output, and review additions as you would a suppression.
# NOTE(review): every pattern has a leading and trailing slash; check with a
# verbose run that they match the paths Bandit compares them against.
exclude_dirs = [
    "/tests/",
    "/.venv/",
    "/venv/",
    "/.git/",
    "/build/",
    "/dist/",
]

# Function lists for Bandit's process-spawning (shell injection) checks. Each
# list tells the checks how to classify a call by its fully qualified name.
# NOTE(review): current Bandit documentation describes this configuration
# under the `shell_injection` key; confirm the plugin-named table below is
# still read by the Bandit version in use.
# NOTE(review): a list configured here presumably replaces the built-in one
# rather than extending it; compare against the defaults of the Bandit version
# in use so that entries added upstream are not lost.
[bandit.any_other_function_with_shell_equals_true]
# Calls that start a process without going through a command shell.
no_shell = [
    "os.execl",
    "os.execle",
    "os.execlp",
    "os.execlpe",
    "os.execv",
    "os.execve",
    "os.execvp",
    "os.execvpe",
    "os.spawnl",
    "os.spawnle",
    "os.spawnlp",
    "os.spawnlpe",
    "os.spawnv",
    "os.spawnve",
    "os.spawnvp",
    "os.spawnvpe",
    "os.startfile"
]
# Calls that always pass their argument to a shell. The `popen2.*` and
# `commands.*` modules exist only in Python 2; their Python 3 counterparts
# `subprocess.getoutput` and `subprocess.getstatusoutput` also run through a
# shell and are not listed here.
shell = [
    "os.system",
    "os.popen",
    "os.popen2",
    "os.popen3",
    "os.popen4",
    "popen2.popen2",
    "popen2.popen3",
    "popen2.popen4",
    "popen2.Popen3",
    "popen2.Popen4",
    "commands.getoutput",
    "commands.getstatusoutput"
]
# subprocess entry points; these involve a shell only when called with
# `shell=True`.
subprocess = [
    "subprocess.Popen",
    "subprocess.call",
    "subprocess.check_call",
    "subprocess.check_output",
    "subprocess.run"
]

# Confidence levels: LOW, MEDIUM, HIGH
# Severity levels: LOW, MEDIUM, HIGH

# Keep subprocess checks enabled globally.
# Use inline `# nosec` suppressions only at audited call sites, scoped to the
# specific test ID (for example `# nosec B603`) and with a short justification.

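# Test selection (both examples below are disabled).
# If enabled, move the key up into the [bandit] table: at this position it
# would belong to the preceding sub-table instead.
# Run only the listed tests:
# tests = ["B201", "B301"]

# Run all tests except those named in `skips`:
# tests = []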


