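---
# Bandit configuration for pyopenapi-gen

# Checks skipped project-wide. Each skip is a deliberate trade-off; it applies
# to every scanned file, so keep the list short and re-check it whenever the
# code it covers changes (a per-line "# nosec" is the narrower alternative).
#
# B101: assert_used - assertions implement Design by Contract (DbC) as
#   documented. `python -O` strips asserts, so they must never be the only
#   guard on security-relevant input or on data crossing a trust boundary.
# B404: import_subprocess - subprocess is needed for post-processing (ruff, mypy).
# B603: subprocess_without_shell_equals_true - calls pass a fixed argument list
#   to trusted tools. This skip is only safe while no argument is built from
#   untrusted input; B602 (shell=True) remains enabled.
# B110: try_except_pass - acceptable for telemetry error handling only; keep
#   those except clauses narrow so real failures are not silently swallowed.
skips:
  - B101
  - B404
  - B603
  - B110

# Only scan source code, not tests (tests may have different security
# requirements).
exclude_dirs:
  - tests/
  - _process/
  - venv/
  - .venv/

# Only report medium- and high-confidence issues.
# NOTE(review): confirm this key is honored by the Bandit version in use;
# confidence is normally set on the command line (-i / -ii).
confidence: MEDIUM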