Inspired by tools like the ESLint plugin for React, Bento was created for Flask and Django. With Bento you’ll:
In a Git project directory:
$ pip3 install bento-cli && bento init
Go forth and write great code!
See our Bento introductory blog post to learn the full story.
Bento is part of a quest to make world-class security and bugfinding available to all developers, for free. We’ve learned that most developers have never heard of—let alone tried—tools that find deep flaws in code: like Codenomicon, which found Heartbleed, or Zoncolan at Facebook, which finds more top-severity security issues than any human effort. These tools find severe issues and also save tons of time, identifying hundreds of thousands of issues before humans can. Bento is a step towards universal access to tools like these.
We’re also big proponents of opinionated tools like Black and Prettier. This has two implications: Bento ignores style-related issues and the bikeshedding that comes with them, and it ships with a curated set of checks that we believe are high signal and bug-worthy. See Three things your linter shouldn’t tell you for more about our decision making process.
Bento’s check focus on security and reliability bugs in Flask and Django projects.
|missing JWT token||href template variable||coming soon|
|secure set cookie||missing noopener|
|send file open||missing noreferrer||Docker|
|unescaped file extension||missing csrf protection||Hadolint|
|use blueprint for modularity||missing doctype|
|use jsonify||meta charset||Shell|
|avoid hardcoded config||meta content-type||ShellCheck|
|unquoted attribute template variable|
|no auth over http||SQLAlchemy|
|use scheme||coming soon|
See the full list of Bento’s specialty checks.
Out-of-the-box, Bento is configured for your personal use. See Team Use to setup Bento for all contributors.
$ pip3 install --upgrade bento-cli
$ bento --help Usage: bento [OPTIONS] COMMAND [ARGS]... Options: -h, --help Show this message and exit. --version Show the version and exit. --agree Automatically agree to terms of service. --email TEXT Email address to use while running this command without global configs e.g. in CI Commands: archive Suppress current findings. check Checks for new findings. disable Turn OFF a Bento feature for this project. enable Turn ON a Bento feature for this project. init Autodetects and installs tools. To get help for a specific command, run `bento COMMAND --help`
bento check may exit with the following exit codes:
0: Bento ran successfully and found no errors
2: Bento ran successfully and found issues in your code
3: Bento or one of its underlying tools failed to run
Bento understands the importance of getting out of the way so you can write your code. It runs at commit-time on your diffs and only affects you; it won’t change anything for other project contributors or modify Git state.
autorun behind the scenes. By default
autorun blocks the commit if Bento returns findings. To make it non-blocking:
$ bento enable autorun --no-block
You can always manually run Bento on staged files or directories via:
$ bento check [PATHS]
This will show only new findings introduced by these files AND that are not in the archive (
--all to check all Git tracked files, not just those that are staged:
$ bento check --all [PATHS]
This feature makes use of Git hooks. If the Bento hook incorrectly blocks your commit, you can skip it by passing the
--no-verify flag to Git at commit-time (please use this sparingly since all hooks will be skipped):
$ git commit --no-verify
To setup Bento for all project contributors, add Bento’s configuration to Git (it’s ignored by default):
$ cd <PROJECT DIRECTORY> # Add Bento's cache to the project's .gitignore $ echo ".bento/cache" >> .gitignore # Commit Bento's config to your project $ git add --force .bento .bentoignore
Contributors can run Bento for themselves using the project’s configuration via:
$ bento init
Bento has first-class support for checking pull requests with GitHub Actions. Such checks will report only on the bugs introduced by the changes in the pull request.
To get started, just run
bento enable ci in your project directory.
This will add a CI configuration file to your repository.
You can also configure Bento in CI to analyze your entire project,
instead of only the changes from a pull request.
So that you don’t have to fix all existing issues before making Bento blocking,
archive feature allows historical issues to be tracked and ignored during CI.
To use the
archive feature so Bento returns a non-zero exit code only for new issues, rather than all existing issues, first create the archive:
$ cd <PROJECT DIRECTORY> $ bento archive .
Commit Bento’s configuration to the project:
# Add Bento's cache to the project's .gitignore $ echo ".bento/cache" >> .gitignore # Commit Bento's config to your project $ git add --force .bento .bentoignore
You can then add Bento to your CI scripts:
$ pip3 install bento-cli && bento --version $ bento --agree --email=<YOUR_EMAIL> check --all 2>&1 | cat
We pipe through
cat to disable Bento's interactive tty features (e.g. progress bars, using a pager for many findings).
If you use CircleCI, the above commands become:
version: 2.1 jobs: bentoCheck: executor: circleci/python:3.7.4-stretch-node steps: - checkout - run: name: "Install Bento" command: pip3 install bento-cli && bento --version - run: name: "Run Bento check" command: bento --agree --email=<YOUR_EMAIL> check --all 2>&1 | cat
bento check will exit with a non-zero exit code if it finds issues in your code (see Exit Codes).
If you need help setting up Bento with another CI provider please open an issue. Documentation PRs welcome if you set up Bento with a CI provider that isn’t documented here!
Need help or want to share feedback? We’d love to hear from you!
We’re constantly shipping new features and improvements.
Please refer to the terms and privacy document.
Copyright (c) r2c.