From 3addcaf9440fadf6a9fc8f33cbd2f64fd7b0cc19 Mon Sep 17 00:00:00 2001
From: Tonye Jack
Date: Thu, 17 Dec 2020 16:33:44 -0500
Subject: [PATCH] Updated github action adding bandit. Update ci.yml Update ci.yml Update ci.yml Update ci.yml Update ci.yml Update ci.yml Update ci.yml Update ci.yml Update ci.yml Update ci.yml Create .bandit Update .bandit Fix security issues Resolved security warnings. Run black.
---
 .bandit | 3 +++
 .github/workflows/ci.yml | 7 +++++++
 hooks/post_gen_project.py | 2 +-
 setup.py | 15 +++++++++++----
 4 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 .bandit
diff --git a/.bandit b/.bandit
new file mode 100644
index 000000000..e2ba3f0d8
--- /dev/null
+++ b/.bandit
@@ -0,0 +1,3 @@
+[bandit]
+skips: B101
+exclude: {{cookiecutter.project_slug}}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fd9668459..01e8d6d3b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,13 @@ on:
 pull_request:
 jobs:
+ bandit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Run bandit
+ uses: tj-actions/bandit@v1.2
+
 tox:
 runs-on: ubuntu-latest
 strategy:
diff --git a/hooks/post_gen_project.py b/hooks/post_gen_project.py
index ede14c324..c7a694eab 100644
--- a/hooks/post_gen_project.py
+++ b/hooks/post_gen_project.py
@@ -156,7 +156,7 @@ def generate_random_string(
 unsuitable = {"'", '"', "\\", "$"}
 suitable = all_punctuation.difference(unsuitable)
 symbols += "".join(suitable)
- return "".join([random.choice(symbols) for _ in range(length)])
+ return "".join([random.choice(symbols) for _ in range(length)]) # nosec
 def set_flag(file_path, flag, value=None, formatted=None, *args, **kwargs):
diff --git a/setup.py b/setup.py
index c72ba1c9d..0bfe73ab4 100644
--- a/setup.py
+++ b/setup.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python
-import os
+import shlex
+import subprocess # nosec
 import sys
 try:
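Review bot: `exclude: {{cookiecutter.project_slug}}` takes the entire project template out of the scan, so this configuration only covers the repository's own helper code (the hooks and setup.py), not the Python that generated projects actually ship. That is presumably unavoidable because the templated files carry Jinja placeholders and do not parse as Python, but the file records no reason, and the global `skips: B101` is equally unexplained. Add a one-line reason above each, e.g. `# template tree is Jinja-rendered and is not valid Python until a project is generated`, which the INI-style parser bandit uses for this file should accept, and consider a CI step that renders the template and runs bandit on the result so the shipped code is scanned too.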
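Review bot: `uses: tj-actions/bandit@v1.2` (and `actions/checkout@v2` above it) pins a third-party action to a mutable tag, so the code that runs with the repository checkout in this job can change without any change to this repository. Pin to the full commit SHA of the release and keep the tag as a comment, `uses: tj-actions/bandit@<commit-sha-of-v1.2> # v1.2`, and do the same for the checkout step. Whether this action honours the repository's new `.bandit` file is not visible here; if it does not, the same exclusions and skips need to be supplied through the action's inputs so the CI run and local runs agree.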
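Review bot: The `# nosec` on the `random.choice` return silences bandit's weak-PRNG finding (B311) for a function that, judging by its name and the shell-unsafe punctuation it filters out, produces secrets such as keys and passwords, yet nothing in the hunk justifies the suppression. If `random` in this module is a `random.SystemRandom()` instance the suppression is correct and should say so, e.g. `# nosec B311 - random is SystemRandom (os.urandom backed)`; if it is the plain `random` module, the finding is real and the fix is `secrets.choice(symbols)` rather than the comment. Scoping the marker to the test id also keeps bandit from hiding any other finding on the same line. generate_random_string starts outside the hunk.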
@@ -12,10 +13,16 @@ except ImportError:
 # If Django has a new release, we branch, tag, then update this setting after the tag.
 version = "3.0.11"
+
+def run_command(command):
+ args = shlex.split(command, posix=False)
+ return subprocess.check_output(args, shell=False) # nosec
+
+
 if sys.argv[-1] == "tag":
- os.system(f'git tag -a {version} -m "version {version}"')
- os.system("git push --tags")
- sys.exit()
+ run_command('git tag -a {version} -m "version {version}"'.format(version=version))
+ run_command("git push --tags")
+ sys.exit(0)
 with open("README.rst") as readme_file:
 long_description = readme_file.read()
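Review bot: `shlex.split(command, posix=False)` keeps the quote characters inside the token, so the tag message handed to git becomes `"version 3.0.11"` with literal double quotes, whereas the removed `os.system` form had the shell strip them; moving off the shell is the right direction, but this option changes the tag that gets created. Drop the option (`args = shlex.split(command)`), or avoid re-parsing a string altogether by passing the argument list directly, `subprocess.check_output(["git", "tag", "-a", version, "-m", f"version {version}"])`, since `version` is a constant and the command never needs shell parsing. `check_output` also raises `CalledProcessError` where `os.system`'s return value was ignored, which is an improvement worth a one-line comment, and the bare `# nosec` markers here and on `import subprocess` in the first hunk would be clearer scoped to their test ids as `# nosec B603` and `# nosec B404`.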