Free program analysis focused on bugs that matter to you.

Install, configure, and adopt Bento in seconds. Runs 100% locally.

Bento is a free and opinionated toolkit for gradually adopting linters¹ and program analysis² in your codebase. Be the bug-squashing advocate your team needs but (maybe) doesn’t deserve.

• Find bugs that matter. Bento automatically enables and configures relevant analysis based on your dependencies and frameworks, and it will never report style-related issues. You won’t painstakingly configure your tooling.
• Get started immediately. Bento doesn’t force you to fix all your preexisting issues today. Instead, you can archive them and address them incrementally when it makes sense for your project.
• Go fast. Bento installs in 5 seconds and self-configures in less than 30. Its tools check your code in parallel, not sequentially.

Bento includes checks written by r2c and curated from Bandit, ESLint, Flake8, and their plugins. It runs on your local machine and never sends your code anywhere or to anyone.

Installation

$ pip3 install bento-cli

Bento is for JavaScript, TypeScript, and Python projects. It requires Python 3.6+ and works on macOS Mojave (10.14) and Ubuntu 18.04+.

Usage

To get started right away with sensible defaults:

$ bento init && bento check

To set aside preexisting results so you only see issues in new code:

$ bento archive

Bento is at its best when run automatically as a commit hook (i.e. bento install-hook) or as part of CI.

Exit Codes

bento check may exit with the following exit codes:

• 0: Bento ran successfully and found no errors
• 2: Bento ran successfully and found issues in your code
• 3: Bento or one of its underlying tools failed to run

Running Bento in CI

If you use CircleCI, add the following job:

version: 2.1

jobs:
    bentoCheck:
    executor: circleci/python:3.7.4-stretch-node
    steps:
      - checkout
      - run:
          name: "Install Bento"
          command: pip3 install bento-cli && bento --version
      - run:
          name: "Run Bento check"
          command: bento --agree --email <YOUR_EMAIL> check

Otherwise, you can simply install and run Bento in CI with the following commands:

pip3 install bento-cli && bento --version
bento --agree --email <YOUR_EMAIL> check

bento check will exit with a non-zero exit code if it finds issues in your code (see Exit Codes). You can run bento --agree --email <YOUR_EMAIL> check || true if you'd like to prevent Bento from blocking your build. Otherwise, address the issues or unblock yourself by running bento archive.

Please open an issue if you need help setting up Bento with another CI provider. If you set up Bento with your provider of choice, we'd appreciate a PR to add instructions here!

Command Line Options

$ bento --help

Usage: bento [OPTIONS] COMMAND [ARGS]...

Options:
  --version  Show current Bento version.
  --agree    Automatically agree to terms of service.
  --help     Show this message and exit.

Commands:
  archive       Adds all current findings to the whitelist.
  check         Checks for new findings.
  disable       Disables a check.
  enable        Enables a check.
  init          Autodetects and installs tools.
  install-hook  Installs Bento as a git pre-commit hook.

Help and Community

• Need help or want to share feedback? Reach out to us at support@r2c.dev. We’d love to hear from you! 💌
• Join #bento in our community Slack for support, to talk with other users, and share feedback. 🤝
• We’re shipping new Bento features all the time. Want to be first to know about what’s new? Sign up for the newsletter so you don’t miss out! We promise not to spam you, and you can unsubscribe at any time. 📫
• We’re fortunate to benefit from the contributions of the open source community and great projects such as Bandit, ESLint, Flake8, and their plugins. 🙏
• You’re also welcome to file an issue directly on GitHub. Or submit a feature request — we welcome those, too!

License and Legal

Please refer to the terms and privacy document.

Copyright (c) r2c.

Changelog

This project adheres to Semantic Versioning.

[0.5.0] - 2019-11-18

Fixed

• r2c.eslint now properly detects TypeScript imports.
• r2c.eslint now detects global node environments (e.g., jest), and properly resolves their global variables.

Changed

• To better protect users' data, error messages are no longer reported to our backend.
• .bentoignore can now be configured to include patterns from other files; by default the contents of the project's .gitignore are included. For more information, please see the comments at the top of the generated .bentoignore file.
• Tab completion times reduced by approximately half.
• Disabled a number of r2c.eslint checks by default:
  • arrow-parens, as it conflicts with Prettier's default behavior.
  • TypeScript semicolon checking, which is stylistic.
  • import/no-cycle which takes 50% of tool runtime on moderately large code bases.
• r2c.flake8 E306 disabled by default, as it is stylistic in nature.
• Runtime of r2c.eslint has been reduced by up to 30% for some projects.

Added

• Added r2c.shellcheck tool for shell scripts. To enable, add r2c.shellcheck to the tools section of your .bento.yml. Note that this tool requires docker as a dependency.
• Added r2c.hadolint tool for Docker files. To enable, add r2c.hadolint to the tools section of your .bento.yml. Note that this tool requires docker to be installed in order to run.

[0.4.1] - 2019-11-14

Fixed

• Fixes a performance regression due to changes in metrics collection.

[0.4.0] - 2019-11-11

Changed

• We updated our privacy policy.
  • Notably, we collect email addresses to understand usage and communicate with users through product announcements, technical notices, updates, security alerts, and support messages.

Added

• Added additional r2c.click tool for Click framework:

  • flake8-click will be disabled by default.

• Added additional r2c.flask tool for Flask framework:

  • flake8-flask will be disabled by default.

[0.3.1] - 2019-11-08

Fixed

• Fixed an issue where the tool would fail to install if a macOS user had installed gcc and then upgraded their OS.
• Fixed a compatibility issue for users with a pre-existing version of GitPython with version between 2.1.1 and 2.1.13.

[0.3.0] - 2019-11-01

Changed

• Bento can now be run from any subdirectory within a project.
• Updated the privacy and terms-of-service statement.

Added

• File ignores are configurable via git-style ignore patterns (include patterns are not supported). Patterns should be added to .bentoignore.

• Added additional checks to the r2c.flake8 tool:

  • All checks from flake8-bugbear (except for B009 and B010, which are stylistic in nature).
  • All checks from flake8-builtins.
  • All checks from flake8-debugger.
  • All checks from flake8-executable.

• Clippy output formatting is now supported.

  • To enable, run: bento check --formatter clippy
  • Example output:

error: r2c.flake8.E113
   --> foo.py:6:5
    |
  6 |   return x
    |
    = note: unexpected indentation

• Autocompletion is now supported from both bash and zsh. To use:
  • In bash, run echo -e '\neval "$(_BENTO_COMPLETE=source bento)"' >> ~/.bashrc.
  • In zsh, run echo -e '\neval "$(_BENTO_COMPLETE=source_zsh bento)"' >> ~/.zshrc.

[0.2.1] - 2019-10-29

Fixed

• Quoted emails in git configuration do not break user registration.
• Removed files properly invalidate results cache.
• Python tools do not crawl node_modules.

[0.2.0] - 2019-10-23

Changed

• Results are cached between runs. This means that an immediate rerun of bento will be much faster.
• Broadened library compatibility, especially for common packages:
  • attrs from 18.2.0
  • packaging from 14.0
  • pre-commit from 1.0.0
• r2c.eslint ignores .min.js files. Bento should only report issues in code, not built artifacts.
• Telemetry endpoint uses bento.r2c.dev.

Added

• Bento check will optionally run only on passed paths, using bento check [path] ....
• Add r2c.pyre as a configurable tool. To enable, it must be manually configured in .bento.yml.
• Formatters can be specified with short names, and these appear in the help text. For example, bento check --formatter json.
• bento version is passed to telemetry backend.

Fixed

• Tool does not crash if a git user does not have an email configured.
• Fixed a regression that caused progress bars to hang after first tool completed.
• Made fully compatible with Python 3.6.
• Tool does not mangle .gitignore when that file lacks a trailing newline.