Merge pull request #1612 from c-goosen/bandit_security_static_analysis

Add bandit code static analyzer for security.

.travis.yml

@@ -21,6 +21,10 @@ matrix:
       python: 3.6
     - env: TOX_ENV=check
       python: 3.6
+    - env: TOX_ENV=security
+      python: 3.7
+      dist: xenial
+      sudo: true
 install:
   - pip install -U tox
   - pip install codecov

sanic/config.py

@@ -80,7 +80,7 @@ class Config(dict):
         module.__file__ = filename
         try:
             with open(filename) as config_file:
-                exec(
+                exec(  # nosec
                     compile(config_file.read(), filename, "exec"),
                     module.__dict__,
                 )

setup.py

@@ -112,7 +112,7 @@ if strtobool(os.environ.get("SANIC_NO_UVLOOP", "no")):
 
 extras_require = {
     "test": tests_require,
-    "dev": tests_require + ["aiofiles", "tox", "black", "flake8"],
+    "dev": tests_require + ["aiofiles", "tox", "black", "flake8", "bandit"],
     "docs": [
         "sphinx",
         "sphinx_rtd_theme",

tox.ini

@@ -1,5 +1,5 @@
 [tox]
-envlist = py36, py37, {py36,py37}-no-ext, lint, check
+envlist = py36, py37, {py36,py37}-no-ext, lint, check, security
 
 [testenv]
 usedevelop = True
@@ -31,10 +31,11 @@ deps =
     flake8
     black
     isort
+    bandit
 
 commands =
     flake8 sanic
-    black --config ./.black.toml --check --verbose sanic
+    black --config ./.black.toml --check --verbose sanic/
     isort --check-only --recursive sanic
 
 [testenv:check]
@@ -47,3 +48,10 @@ commands =
 [pytest]
 filterwarnings =
     ignore:.*async with lock.* instead:DeprecationWarning
+
+[testenv:security]
+deps =
+    bandit
+
+commands =
+    bandit --recursive sanic --skip B404,B101 --exclude sanic/reloader_helpers.py