From 2ca2a4a776196cdad57c0ecc78b27a3648d9ac7c Mon Sep 17 00:00:00 2001 From: Ho1yShif Date: Sun, 12 Jul 2026 21:05:46 -0700 Subject: [PATCH] Fix broken bandit pre-commit hook (Unknown test found in profile) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The upstream PyCQA/bandit pre-commit hook installs bandit from a shallow git clone, where pbr resolves the package version to 0.0.0. That broken metadata breaks bandit's plugin-id registration, so config load fails with "Unknown test found in profile: B104" on *every* commit — blocking commits and CI for anyone using the repo. (Pinning additional_dependencies to a real version instead surfaces the same root cause as a hard pip conflict: "bandit 0.0.0 ... and bandit==1.9.4 have conflicting dependencies".) Switch to a repo:local python hook that installs a properly built PyPI wheel (bandit[toml]==1.9.4). Verified: `pre-commit run bandit --all-files` now passes; the pyproject skips list was always valid. Co-Authored-By: Claude Opus 4.8 (1M context) --- .pre-commit-config.yaml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b5dfec8..b407c87 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -81,13 +81,20 @@ repos: # - id: pip-audit # args: ["--desc", "on"] - - repo: https://github.com/PyCQA/bandit - rev: 1.8.0 + # Installed from PyPI via a local hook: the upstream PyCQA/bandit pre-commit + # repo builds from a shallow git clone where pbr resolves the version to + # 0.0.0, which breaks plugin-id registration ("Unknown test found in + # profile: B104"). A local python hook pulls a properly built wheel instead. + - repo: local hooks: - id: bandit + name: bandit + entry: bandit + language: python + types: [python] args: [-c, pyproject.toml, -q] exclude: ^tests/ - additional_dependencies: ["bandit[toml]"] + additional_dependencies: ["bandit[toml]==1.9.4"] # ============================================ # Type checking