Run bandit when verifying changes

It reports only MEDIUM issues or higher like nova [1].
It selects bandit 1.1.0 as defined in nova and neutron lower
constraints [2].

[1] https://github.com/openstack/nova/blob/master/tox.ini#L221
[2] https://github.com/openstack/nova/blob/master/lower-constraints.txt#L8

Change-Id: I6fc505f684701792d3e03659eb0feea8321452c0
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>

3 files changed, 8 insertions, 1 deletions

diff --git a/test-requirements.txt b/test-requirements.txt
index eedefcd43..db30c7f85 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -14,3 +14,4 @@ doc8 # Apache-2.0
 bashate # Apache-2.0
 lfdocs-conf
 sphinx-opnfv-theme
+bandit
diff --git a/tox.ini b/tox.ini
index 4eb20a81e..0e95bab0f 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = docs,pep8,pylint,yamllint,ansiblelint,bashate,py27,perm,cover
+envlist = docs,pep8,pylint,yamllint,ansiblelint,bashate,bandit,py27,perm,cover
 
 [testenv]
 usedevelop = True
@@ -75,6 +75,11 @@ files =
   build.sh
 commands = bashate {[testenv:bashate]files}
 
+
+[testenv:bandit]
+basepython = python2.7
+commands = bandit -r functest -x tests -n 5 -ll -s B601,B602
+
 [testenv:cover]
 basepython = python2.7
 dirs =
diff --git a/upper-constraints.txt b/upper-constraints.txt
index 7c9f24f20..3c3e24f39 100644
--- a/upper-constraints.txt
+++ b/upper-constraints.txt
@@ -18,3 +18,4 @@ ansible===2.3.2.0
 xtesting===0.62.0
 git+https://git.openstack.org/openstack/networking-bgpvpn#egg=networking_bgpvpn
 git+https://git.openstack.org/openstack/networking-sfc#egg=networking_sfc
+bandit===1.1.0