fix: misc fixes, use bandit

- use `bandit` instead of `codeql`
- updates docstring
- makes `value` positional only argument

Author: yozachar

.github/workflows/bandit.yml

@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Bandit is a security linter designed to find common security issues in Python code.
+# This action will run Bandit on your codebase.
+# The results of the scan will be found under the Security tab of your repository.
+
+# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
+# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
+
+name: Bandit
+on:
+  workflow_dispatch:
+  push:
+    branches: ["master"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["master"]
+  schedule:
+    - cron: "28 12 * * 2"
+
+jobs:
+  bandit:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Bandit Scan
+        uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
+        with: # optional arguments
+          # exit with 0, even with results found
+          exit_zero: true # optional, default is DEFAULT
+          # Github token of the repository (automatically created by Github)
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
+          # File or directory to run bandit on
+          path: ./validators # optional, default is .
+          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+          # level: # optional, default is UNDEFINED
+          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+          # confidence: # optional, default is UNDEFINED
+          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+          excluded_paths: tests,docs,.github # optional, default is DEFAULT
+          # comma-separated list of test IDs to skip
+          # skips: # optional, default is DEFAULT
+          # path to a .bandit file that supplies command line arguments
+          # ini_path: # optional, default is DEFAULT

.github/workflows/codeql.yml

@@ -28,7 +28,6 @@ classifiers = [
 python = "^3.9"
 
 [tool.poetry.group.dev.dependencies]
-bandit = "^1.7.4"
 black = "^23.1.0"
 flake8 = "^6.0.0"
 flake8-docstrings = "^1.7.0"
@@ -39,6 +38,9 @@ setuptools = "^67.2.0"
 [tool.poetry.group.tests.dependencies]
 pytest = "^7.2.2"
 
+[tool.poetry.group.sast.dependencies]
+bandit = { extras = ["toml"], version = "^1.7.4" }
+
 [tool.poetry.group.docs.dependencies]
 mkdocs = "^1.4.2"
 mkdocs-material = "^9.1.1"
@@ -56,6 +58,9 @@ build-backend = "poetry.core.masonry.api"
 line-length = 100
 target-version = ['py39', 'py310', 'py311']
 
+[tool.bandit]
+exclude_dirs = [".github", ".pytest_cache", ".tox", ".vscode", "tests", "docs"]
+
 [tool.tox]
 legacy_tox_ini = '''
     [tox]

poetry.lock

@@ -0,0 +1 @@
+"""Tests."""

pyproject.toml

@@ -9,7 +9,7 @@
 
 
 @validator
-def md5(value: str):
+def md5(value: str, /):
     """Return whether or not given value is a valid MD5 hash.
 
     Examples:
@@ -19,7 +19,8 @@ def md5(value: str):
         # Output: ValidationFailure(func=md5, args={'value': '900zz11'})
 
     Args:
-        value: MD5 string to validate.
+        value:
+            MD5 string to validate.
 
     Returns:
         (Literal[True]):
@@ -33,7 +34,7 @@ def md5(value: str):
 
 
 @validator
-def sha1(value: str):
+def sha1(value: str, /):
     """Return whether or not given value is a valid SHA1 hash.
 
     Examples:
@@ -43,7 +44,8 @@ def sha1(value: str):
         # Output: ValidationFailure(func=sha1, args={'value': '900zz11'})
 
     Args:
-        value: SHA1 string to validate.
+        value:
+            SHA1 string to validate.
 
     Returns:
         (Literal[True]):
@@ -57,7 +59,7 @@ def sha1(value: str):
 
 
 @validator
-def sha224(value: str):
+def sha224(value: str, /):
     """Return whether or not given value is a valid SHA224 hash.
 
     Examples:
@@ -67,7 +69,8 @@ def sha224(value: str):
         # Output: ValidationFailure(func=sha224, args={'value': '900zz11'})
 
     Args:
-        value: SHA224 string to validate.
+        value:
+            SHA224 string to validate.
 
     Returns:
         (Literal[True]):
@@ -81,7 +84,7 @@ def sha224(value: str):
 
 
 @validator
-def sha256(value: str):
+def sha256(value: str, /):
     """Return whether or not given value is a valid SHA256 hash.
 
     Examples:
@@ -94,7 +97,8 @@ def sha256(value: str):
         # Output: ValidationFailure(func=sha256, args={'value': '900zz11'})
 
     Args:
-        value: SHA256 string to validate.
+        value:
+            SHA256 string to validate.
 
     Returns:
         (Literal[True]):
@@ -108,7 +112,7 @@ def sha256(value: str):
 
 
 @validator
-def sha512(value: str):
+def sha512(value: str, /):
     """Return whether or not given value is a valid SHA512 hash.
 
     Examples:
@@ -122,7 +126,8 @@ def sha512(value: str):
         # Output: ValidationFailure(func=sha512, args={'value': '900zz11'})
 
     Args:
-        value: SHA512 string to validate.
+        value:
+            SHA512 string to validate.
 
     Returns:
         (Literal[True]):

tests/__init__.py

@@ -21,7 +21,7 @@ def _mod_check(value: str):
 
 
 @validator
-def iban(value: str):
+def iban(value: str, /):
     """Return whether or not given value is a valid IBAN code.
 
     Examples:
@@ -31,7 +31,8 @@ def iban(value: str):
         # Output: ValidationFailure(func=iban, ...)
 
     Args:
-        value: IBAN string to validate.
+        value:
+            IBAN string to validate.
 
     Returns:
         (Literal[True]):

validators/hashes.py

@@ -9,7 +9,7 @@
 
 
 @validator
-def mac_address(value: str):
+def mac_address(value: str, /):
     """Return whether or not given value is a valid MAC address.
 
     This validator is based on [WTForms MacAddress validator][1].
@@ -24,7 +24,7 @@ def mac_address(value: str):
 
     Args:
         value:
-            A string to validate.
+            MAC address string to validate.
 
     Returns:
         (Literal[True]):

validators/iban.py

@@ -9,7 +9,7 @@
 
 
 @validator
-def slug(value: str):
+def slug(value: str, /):
     """Validate whether or not given value is valid slug.
 
     Valid slug can contain only lowercase alphanumeric characters and hyphens.
@@ -23,7 +23,7 @@ def slug(value: str):
 
     Args:
         value:
-            A string to validate.
+            Slug string to validate.
 
     Returns:
         (Literal[True]):

validators/mac_address.py

@@ -10,7 +10,7 @@
 
 
 @validator
-def uuid(value: Union[str, UUID]):
+def uuid(value: Union[str, UUID], /):
     """Return whether or not given value is a valid UUID-v4 string.
 
     This validator is based on [WTForms UUID validator][1].
@@ -25,7 +25,7 @@ def uuid(value: Union[str, UUID]):
 
     Args:
         value:
-            A string or UUID object to validate.
+            UUID string or object to validate.
 
     Returns:
         (Literal[True]):