From Bandit Launchpad blueprints:
https://blueprints.launchpad.net/bandit/+spec/log-to-stderr
As noted on https://review.openstack.org/#/c/167522/1/bandit/bandit.py, when we're logging to the console, we should choose to log to stderr instead of stdout. This allows users to collect the logging separately from the generated output. In the case of the review, when generating logs and formatting the output as JSON, we likely still want logging information but we don't want it breaking the JSON format. In this case if we defaulted to logging to stderr (instead of stdout), the tool could still be used like so:
$ bandit -f json src/ > output.json
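The effect described above, as an added example that is not Bandit's own code: the same scan routine is run once with log records sharing the report stream and once with them on a separate stream, and only the second leaves parseable JSON. The function names, logger name and sample finding are hypothetical, and in-memory streams stand in for stdout and stderr.

```python
import io
import json
import logging


def run_scan(log_stream, report_stream):
    """Emit log records to log_stream and a JSON report to report_stream."""
    logger = logging.getLogger("scan_demo")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(log_stream)
    handler.setFormatter(logging.Formatter("[%(levelname)s] %(message)s"))
    logger.addHandler(handler)
    try:
        logger.info("scanning src/")
        # Constructed sample finding, not real tool output.
        report = {"results": [{"filename": "src/app.py", "issue": "example"}]}
        logger.info("found %d issue(s)", len(report["results"]))
        json.dump(report, report_stream, indent=2)
        report_stream.write("\n")
    finally:
        logger.removeHandler(handler)


def is_valid_json(text):
    """Return True if text parses as a single JSON document."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def demo():
    # Case 1: log records share the stream with the report (logging to stdout).
    shared = io.StringIO()
    run_scan(log_stream=shared, report_stream=shared)
    # Case 2: log records go to their own stream (logging to stderr).
    out, err = io.StringIO(), io.StringIO()
    run_scan(log_stream=err, report_stream=out)
    return is_valid_json(shared.getvalue()), is_valid_json(out.getvalue()), err.getvalue()


if __name__ == "__main__":
    shared_ok, separate_ok, log_text = demo()
    print("shared stream parses as JSON:", shared_ok)
    print("separate stream parses as JSON:", separate_ok)
```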