Bandit for security

[suhacker1]

We should be concerned about the numerous security issues associated with Python code. However, there seem to be minimal security checks within the current development process. It would be nice if we implemented Bandit to provide stronger security guarantees with PySyft. I believe it would be optimal if we first implemented it as a GitHub action and then iterated upon the linter itself for future security issues.

[karlhigley]

We’re not quite migrated over to Github Actions yet, so we’d currently need to incorporate it into the Travis CI testing process. @suhacker1 would you be interested in setting up a bandit config and adding it to our Travis build process?

[karlhigley]

Did a test run with bandit (skipping the check for assert) and it does find a few things.

[suhacker1]

I'm good with setting up a bandit config and adding it to the Travis build process. Do you think it would be a good idea to create an issue for everything Bandit finds?

[karlhigley]

I'd probably just create a single issue. Having looked at the Bandit output, I think we probably care most about medium-high severity issues, and it would be nice to find a way to prevent low severity issues (mostly asserts) from breaking the build.

[karlhigley]

I'm working on creating Github Actions for the build over here, so it's probably fine to go with a GH action instead of Travis.

[suhacker1]

Bandit is contained within the tests.yml file; should this issue now be closed?