Skip to content

[CHORE] bandit-baseline.json suppresses 9 findings with no review process #603

Description

@SakethSumanBathini

bandit-baseline.json currently baselines 9 findings.

A baseline is the right way to adopt a scanner on an existing codebase — you stop the bleeding
without blocking on a backlog. But with no review process attached, it quietly becomes a permanent
allowlist, and a genuinely new issue that happens to match a baselined pattern can land without
anyone noticing.

For a security tool, "we suppressed nine findings and nobody remembers why" is a bad answer to give.

Suggested fix

A short SECURITY-BASELINE.md (or a section in CONTRIBUTING) recording, for each of the nine, what
it is and why it's accepted — and a rule that adding a new baseline entry requires that
justification in the PR description.

That turns the baseline from a mute button into an auditable decision log, which for this project is
arguably the whole point.

Metadata

Metadata

Labels

bugSomething isn't working

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions