Add a section explaining "nosec" (#554)

* Add a section explaining "nosec" References #553 * Remove duplicated "in your code"
PyCQA · Jan 7, 2020 · 9b4cf91 · 9b4cf91
1 parent 8ed0a5f
commit 9b4cf91
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/doc/source/config.rst b/doc/source/config.rst
@@ -52,6 +52,22 @@ Note that command line options `-t`/`-s` can still be used in conjunction with
 `tests` and `skips` given in a config. The result is to concatenate `-t` with
 `tests` and likewise for `-s` and `skips` before working out the tests to run.
 
+Suppressing Individual Lines
+----------------------------
+
+If you have lines in your code triggering vulnerability errors and you are
+certain that this is acceptable, they can be individually silenced by appending
+``# nosec`` to the line::
+
+    # The following hash is not used in any security context. It is only used
+    # to generate unique values, collisions are acceptable and "data" is not
+    # coming from user-generated input
+    the_hash = md5(data).hexdigest()  # nosec
+
+
+In such cases, it is good practice to add a comment explaining *why* a given
+line was excluded from security checks.
+
 Generating a Config
 -------------------
 Bandit ships the tool `bandit-config-generator` designed to take the leg work