bandit-baseline.json currently baselines 9 findings.
A baseline is the right way to adopt a scanner on an existing codebase — you stop the bleeding
without blocking on a backlog. But with no review process attached, it quietly becomes a permanent
allowlist, and a genuinely new issue that happens to match a baselined pattern can land without
anyone noticing.
For a security tool, "we suppressed nine findings and nobody remembers why" is a bad answer to give.
Suggested fix
A short SECURITY-BASELINE.md (or a section in CONTRIBUTING) recording, for each of the nine, what
it is and why it's accepted — and a rule that adding a new baseline entry requires that
justification in the PR description.
That turns the baseline from a mute button into an auditable decision log, which for this project is
arguably the whole point.
bandit-baseline.jsoncurrently baselines 9 findings.A baseline is the right way to adopt a scanner on an existing codebase — you stop the bleeding
without blocking on a backlog. But with no review process attached, it quietly becomes a permanent
allowlist, and a genuinely new issue that happens to match a baselined pattern can land without
anyone noticing.
For a security tool, "we suppressed nine findings and nobody remembers why" is a bad answer to give.
Suggested fix
A short
SECURITY-BASELINE.md(or a section in CONTRIBUTING) recording, for each of the nine, whatit is and why it's accepted — and a rule that adding a new baseline entry requires that
justification in the PR description.
That turns the baseline from a mute button into an auditable decision log, which for this project is
arguably the whole point.