Add more static checkers (bandit, codespell, vulture)

alexreinking · alexreinking · commit 8ce523260507 · 2026-02-12T23:09:40.000-05:00
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -24,3 +24,33 @@ jobs:
         run: |
           uv sync
           uv run --package master ty check master/master.cfg master/custom_steps.py
+
+  bandit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run bandit
+        run: |
+          pip install bandit
+          bandit -c pyproject.toml -r master/master.cfg master/custom_steps.py master/buildbot.tac worker/buildbot.tac
+
+  codespell:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run codespell
+        run: |
+          pip install codespell
+          codespell
+
+  vulture:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run vulture
+        run: |
+          pip install vulture
+          vulture master/master.cfg master/custom_steps.py master/buildbot.tac worker/buildbot.tac
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -10,6 +10,23 @@ repos:
       - id: ruff-check
         args: [--fix]
       - id: ruff-format
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.9.3
+    hooks:
+      - id: bandit
+        args: ["-c", "pyproject.toml"]
+
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.4.1
+    hooks:
+      - id: codespell
+
+  - repo: https://github.com/jendrikseipp/vulture
+    rev: v2.14
+    hooks:
+      - id: vulture
+        pass_filenames: false
+
   - repo: local
     hooks:
       - id: ty-check
diff --git a/master/custom_steps.py b/master/custom_steps.py
@@ -1,4 +1,4 @@
-import xml.etree.ElementTree as Xml
+import xml.etree.ElementTree as Xml  # nosec B405 -- XML comes from trusted CTest output
 
 from buildbot.process.buildstep import BuildStepFailed, BuildStep, ShellMixin
 from buildbot.steps.worker import CompositeStepMixin
@@ -68,7 +68,7 @@ def run(self):
         ctest_log = yield self.getFileContentFromWorker(xml_results[0], abandonOnFailure=True)
 
         # Parse the result, collecting test failures into more convenient logs.
-        root = Xml.fromstring(ctest_log)
+        root = Xml.fromstring(ctest_log)  # nosec B314 -- XML comes from trusted CTest output
 
         for test in root.findall(".//Test[@Status='failed']"):
             log = yield self.addLog(test.findtext("Name", "unknown"))
diff --git a/pyproject.toml b/pyproject.toml
@@ -30,5 +30,18 @@ include = ["master/custom_steps.py"]
 # BuilderConfig gets a dynamic `builder_type` attribute attached
 unresolved-attribute = "warn"
 
+[tool.bandit]
+targets = ["master/master.cfg", "master/custom_steps.py", "master/buildbot.tac", "worker/buildbot.tac"]
+skips = [
+    "B101",  # assert_used: asserts are intentional for config validation
+]
+
+[tool.vulture]
+paths = ["master/master.cfg", "master/custom_steps.py", "master/buildbot.tac", "worker/buildbot.tac"]
+min_confidence = 80
+
+[tool.codespell]
+skip = ".venv,*.pyc,__pycache__"
+
 [tool.uv.workspace]
 members = ["master", "worker"]
