# Bandit configuration file for ekfsm
# Security linter for Python code

# Directories and files to scan
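# Directories and files to scan
targets:
  - ekfsm

# Directories and files to exclude from scanning.
# NOTE(review): `hack` and `scripts` are excluded alongside caches and
# tests, so any Python under those paths is never scanned. Confirm that
# is intended — helper scripts that spawn processes are where the B6xx
# findings listed below typically show up.
exclude_dirs:
  - tests
  - docs
  - .devenv
  - .direnv
  - __pycache__
  - .mypy_cache
  - .pytest_cache
  - hack
  - scripts

# Test IDs to skip (uncomment and modify as needed).
# An entry here silences the check for the whole target tree; for a
# known false positive prefer an inline `# nosec` on the offending line
# so the suppression stays next to the code it covers.
# skips:
#   - B101
#   - B601

# Test IDs to include (leave empty to include all)
# tests:

# Minimum confidence reported: LOW, MEDIUM, HIGH.
# NOTE(review): confirm the installed bandit version reads `confidence`,
# `severity`, `format` and `recursive` from this file; the CLI flags are
# the documented way to set them, and the config file is documented
# primarily for exclude_dirs, skips, tests and per-plugin settings.
confidence: MEDIUM

# Minimum severity reported: LOW, MEDIUM, HIGH.
# With MEDIUM here, LOW findings are filtered out of the report entirely,
# so the "LOW severity" note at the bottom of this file only applies when
# this is lowered (or the CLI level overrides it).
severity: MEDIUM

# Output format: csv, custom, html, json, screen, txt, xml, yaml
# `screen` is for interactive use; in CI a machine-readable format such
# as json keeps the findings as an artifact.
format: screen

# Recursive scan
recursive: true

# Common security checks:
# - B101: assert_used - Skip if asserts are acceptable in your production code
# - B201: flask_debug_true - Skip if using Flask debug mode is intentional
# - B301: pickle - Skip if pickle usage is intentional and secure
# - B403: import_pickle - Skip if pickle usage is intentional and secure
# - B404: import_subprocess - Skip if subprocess usage is intentional and secure
# - B603: subprocess_without_shell_equals_true - Skip if subprocess usage is secure
# - B607: start_process_with_partial_path - Skip if partial paths are acceptable

# Additional notes:
# - Review any HIGH severity issues immediately
# - MEDIUM severity issues should be evaluated for security impact
# - LOW severity issues are suggestions for best practices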
