Skip to content

Fix broken bandit pre-commit hook (Unknown test found in profile)#1

Open
Ho1yShif wants to merge 1 commit into
mainfrom
fix/bandit-precommit-hook
Open

Fix broken bandit pre-commit hook (Unknown test found in profile)#1
Ho1yShif wants to merge 1 commit into
mainfrom
fix/bandit-precommit-hook

Conversation

@Ho1yShif

Copy link
Copy Markdown
Collaborator

Problem

pre-commit run bandit fails at config load on every file:

[main] ERROR  Unknown test found in profile: B104

B104 (and the rest of the skips list in pyproject.toml) are all valid bandit test IDs — so the config content was never the bug. The real cause is in the hook's install:

  • The upstream PyCQA/bandit pre-commit repo builds bandit from a shallow git clone, where pbr can't read the tag and resolves the version to 0.0.0.
  • That broken version metadata breaks bandit's plugin-id registration, so valid IDs like B104 read as "unknown" and config load aborts (exit 2).
  • Pinning additional_dependencies: ["bandit[toml]==1.9.4"] on the same hook just surfaces the same root cause as a hard pip conflict: bandit 0.0.0 (from repo) and bandit==1.9.4 have conflicting dependencies.

This blocked commits and CI for everyone — both prior template PRs had to use git commit --no-verify.

Fix

Replace the upstream git hook with a repo: local python hook that installs a properly built PyPI wheel (bandit[toml]==1.9.4) instead of the broken git-source build. All args/excludes are preserved.

Verification

$ pre-commit clean && pre-commit run bandit --all-files
bandit...................................................................Passed

No change to pyproject.toml — the [tool.bandit] skips list was always correct.

🤖 Generated with Claude Code

The upstream PyCQA/bandit pre-commit hook installs bandit from a shallow
git clone, where pbr resolves the package version to 0.0.0. That broken
metadata breaks bandit's plugin-id registration, so config load fails with
"Unknown test found in profile: B104" on *every* commit — blocking commits
and CI for anyone using the repo. (Pinning additional_dependencies to a real
version instead surfaces the same root cause as a hard pip conflict:
"bandit 0.0.0 ... and bandit==1.9.4 have conflicting dependencies".)

Switch to a repo:local python hook that installs a properly built PyPI wheel
(bandit[toml]==1.9.4). Verified: `pre-commit run bandit --all-files` now
passes; the pyproject skips list was always valid.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant