Enable Ruff's flake8-bandit checks

pyproject.toml

@@ -161,6 +161,9 @@ ignore = [
     "PGH003",
     # pylint
     "PLC2201",
+    # flake8-bandit
+    "S101",  # assert used
+    "S105",  # possible hardcoded password
 ]
 external = [  # Whitelist for RUF100 unkown code warnings
     "E704",
@@ -179,6 +182,7 @@ select = [
     "PLE", # pylint
     "PLR", # pylint
     "PLW", # pylint
+    "S",   # flake8-bandit
     "SIM", # flake8-simplify
     "RUF100",  # yesqa
 ]

sphinx/config.py

@@ -347,7 +347,7 @@ def eval_config_file(filename: str, tags: Optional[Tags]) -> Dict[str, Any]:
         try:
             with open(filename, 'rb') as f:
                 code = compile(f.read(), filename.encode(fs_encoding), 'exec')
-                exec(code, namespace)
+                exec(code, namespace)  # NoQA: S102
         except SyntaxError as err:
             msg = __("There is a syntax error in your configuration file: %s\n")
             raise ConfigError(msg % err) from err

sphinx/ext/doctest.py

@@ -382,10 +382,10 @@ Doctest summary
             condition = node['skipif']
             context: Dict[str, Any] = {}
             if self.config.doctest_global_setup:
-                exec(self.config.doctest_global_setup, context)
+                exec(self.config.doctest_global_setup, context)  # NoQA: S102
             should_skip = eval(condition, context)  # NoQA: PGH001
             if self.config.doctest_global_cleanup:
-                exec(self.config.doctest_global_cleanup, context)
+                exec(self.config.doctest_global_cleanup, context)  # NoQA: S102
             return should_skip
 
     def test_doc(self, docname: str, doctree: Node) -> None:

tests/test_quickstart.py

@@ -100,7 +100,7 @@ def test_quickstart_defaults(tempdir):
     conffile = tempdir / 'conf.py'
     assert conffile.isfile()
     ns = {}
-    exec(conffile.read_text(encoding='utf8'), ns)
+    exec(conffile.read_text(encoding='utf8'), ns)  # NoQA: S102
     assert ns['extensions'] == []
     assert ns['templates_path'] == ['_templates']
     assert ns['project'] == 'Sphinx Test'
@@ -150,7 +150,7 @@ def test_quickstart_all_answers(tempdir):
     conffile = tempdir / 'source' / 'conf.py'
     assert conffile.isfile()
     ns = {}
-    exec(conffile.read_text(encoding='utf8'), ns)
+    exec(conffile.read_text(encoding='utf8'), ns)  # NoQA: S102
     assert ns['extensions'] == [
         'sphinx.ext.autodoc', 'sphinx.ext.doctest', 'sphinx.ext.todo'
     ]
@@ -231,7 +231,7 @@ def test_default_filename(tempdir):
     conffile = tempdir / 'conf.py'
     assert conffile.isfile()
     ns = {}
-    exec(conffile.read_text(encoding='utf8'), ns)
+    exec(conffile.read_text(encoding='utf8'), ns)  # NoQA: S102
 
 
 def test_extensions(tempdir):
@@ -241,7 +241,7 @@ def test_extensions(tempdir):
     conffile = tempdir / 'conf.py'
     assert conffile.isfile()
     ns = {}
-    exec(conffile.read_text(encoding='utf8'), ns)
+    exec(conffile.read_text(encoding='utf8'), ns)  # NoQA: S102
     assert ns['extensions'] == ['foo', 'bar', 'baz']