**Is your feature request related to a problem? Please describe.**

Yes. Currently, when running bandit at more strict levels, e.g., `bandit -lll -iii ...`, the pass/fail status of the run will be evaluated based on the results at the higher level and confidence, but issues at lower levels and confidences are effectively ignored outside of showing up in the count of run metrics. For example, I have a codebase that has one issue showing up at `-lll -iii` and 22 issues that only exist at `-l` — I'd like to know about all of them, but only fail (return non-zero) on the ones at the level I've configured.

I've briefly looked into writing a more verbose formatter, but it looks like details for issues are only kept if they're at the configured level, so I don't think I can just have it print out everything. Currently I'm thinking about running `bandit -lll -iii` and reporting our status on that and then also running `bandit -l -i` but ignoring the exit code just to get a full log.

**Describe the solution you'd like**

Ideally a flag exists, or perhaps this is a utilization of the `--verbose` flag, that enables issues of all severities and confidences to be logged while continuing to only set an exit code of the CLI based on the requested severity/confidence.

**Describe alternatives you've considered**

As mentioned before, I looked at writing a verbose formatter, but it doesn't look like that'd do the trick. It seems like perhaps a change would have to happen in the manager first before formatters could do something with the issue list to decide whether or not to log them.
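One way to get the requested behaviour with the current CLI, as an added example that is not part of bandit or of this issue: run bandit once at its least strict level with JSON output so every finding is retained, log all of them, and compute the exit code yourself from the findings at or above the severity/confidence you care about. The JSON report shape (`results` entries with `issue_severity` and `issue_confidence`) is bandit's own; `SAMPLE_REPORT` is a constructed stand-in for a real run, and the wrapper function names are mine.

```python
# Added example, not part of bandit or this issue: run bandit once at its
# least strict level so every finding is kept, log all of them, and derive the
# exit code only from findings at or above a chosen severity/confidence.
# Assumes bandit's JSON report shape ("results" entries carrying
# "issue_severity" and "issue_confidence" as LOW/MEDIUM/HIGH).
import json
import subprocess
import sys

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample in the shape of a bandit JSON report (not a real run).
SAMPLE_REPORT = {"results": [
    {"issue_severity": "HIGH", "issue_confidence": "HIGH", "test_id": "B602",
     "filename": "app.py", "line_number": 10, "issue_text": "shell=True"},
    {"issue_severity": "LOW", "issue_confidence": "HIGH", "test_id": "B101",
     "filename": "tests/test_x.py", "line_number": 3, "issue_text": "assert used"},
    {"issue_severity": "MEDIUM", "issue_confidence": "LOW", "test_id": "B608",
     "filename": "db.py", "line_number": 7, "issue_text": "string-built SQL"},
]}

def run_bandit(paths):
    """Run bandit with -l -i so nothing is dropped; its exit code is ignored
    on purpose, since it is non-zero whenever any issue at that level exists."""
    proc = subprocess.run(
        ["bandit", "-r", "-l", "-i", "-q", "-f", "json", *paths],
        capture_output=True, text=True, check=False,
    )
    return json.loads(proc.stdout)

def partition(report, min_severity="HIGH", min_confidence="HIGH"):
    """Return (all findings, findings meeting both thresholds)."""
    results = report.get("results", [])
    failing = [r for r in results
               if RANK[r["issue_severity"]] >= RANK[min_severity]
               and RANK[r["issue_confidence"]] >= RANK[min_confidence]]
    return results, failing

def exit_code(report, min_severity="HIGH", min_confidence="HIGH"):
    """Log every finding; return non-zero only if any meets the threshold."""
    results, failing = partition(report, min_severity, min_confidence)
    for r in results:
        print(f"{r['issue_severity']}/{r['issue_confidence']} {r['test_id']} "
              f"{r['filename']}:{r['line_number']} {r['issue_text']}")
    return 1 if failing else 0

if __name__ == "__main__":
    sys.exit(exit_code(run_bandit(sys.argv[1:] or ["."])))
```

Run as `python wrapper.py src/` in CI: the full log always appears, but the job only fails when a HIGH/HIGH finding is present, matching what the issue asks of `-lll -iii`.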