Free program analysis focused on bugs that matter to you.
Project description
Free program analysis focused on bugs that matter to you.
Install, configure, and adopt Bento in seconds. Runs 100% locally.
Installation · Motivations · Usage · CI/CD · Help & Community
Bento is a free and opinionated toolkit for gradually adopting linters¹ and program analysis² in your codebase. Be the bug-squashing advocate your team needs but (maybe) doesn’t deserve.
- Find bugs that matter. Bento automatically enables and configures relevant analysis based on your dependencies and frameworks, and it will never report style-related issues. You won’t painstakingly configure your tooling.
- Get started immediately. Bento doesn’t force you to fix all your preexisting issues today. Instead, you can archive them and address them incrementally when it makes sense for your project.
- Go fast. Bento installs in 5 seconds and self-configures in less than 30. Its tools check your code in parallel, not sequentially.
Bento includes checks written by r2c and curated from Bandit, ESLint, Flake8, and their plugins. It runs on your local machine and never sends your code anywhere or to anyone.
Installation
$ pip3 install bento-cli
Bento is for JavaScript, TypeScript, and Python 3 projects. It requires Python 3.6+ and works on macOS Mojave (10.14) and Ubuntu 18.04+.
Motivations
See our Bento introductory blog post to learn the full story.
r2c is on a quest to make world-class security and bugfinding available to all developers, for free. We’ve learned that most developers have never heard of—let alone tried—tools that find deep flaws in code: like Codenomicon, which found Heartbleed, or Zoncolan at Facebook, which finds more top-severity security issues than any human effort. These tools find severe issues and also save tons of time, identifying hundreds of thousands of issues before humans can. Bento is a step towards universal access to tools like these.
We’re also big proponents of opinionated tools like Black and Prettier. This has two implications: Bento ignores style-related issues and the bikeshedding that comes with them, and it ships with a curated set of checks that we believe are high signal and bug-worthy. See Three things your linter shouldn’t tell you for more details on our decision making process.
Usage
To get started right away with sensible defaults:
$ bento init && bento check
To set aside preexisting results so you only see issues in new code:
$ bento archive
Bento is at its best when run automatically as a Git pre-commit hook (i.e. bento install-hook
) or as part of CI.
Command Line Options
$ bento --help
Usage: bento [OPTIONS] COMMAND [ARGS]...
Options:
--version Show current Bento version.
--agree Automatically agree to terms of service.
--help Show this message and exit.
Commands:
archive Adds all current findings to the whitelist.
check Checks for new findings.
disable Disables a check.
enable Enables a check.
init Autodetects and installs tools.
install-hook Installs Bento as a git pre-commit hook.
Exit Codes
bento check
may exit with the following exit codes:
0
: Bento ran successfully and found no errors2
: Bento ran successfully and found issues in your code3
: Bento or one of its underlying tools failed to run
Running Bento in CI
If you use CircleCI, add the following job:
version: 2.1
jobs:
bentoCheck:
executor: circleci/python:3.7.4-stretch-node
steps:
- checkout
- run:
name: "Install Bento"
command: pip3 install bento-cli && bento --version
- run:
name: "Run Bento check"
command: bento --agree --email <YOUR_EMAIL> check
Otherwise, you can simply install and run Bento in CI with the following commands:
pip3 install bento-cli && bento --version
bento --agree --email <YOUR_EMAIL> check
bento check
will exit with a non-zero exit code if it finds issues in your code (see Exit Codes). You can run bento --agree --email <YOUR_EMAIL> check || true
if you'd like to prevent Bento from blocking your build. Otherwise, address the issues or unblock yourself by running bento archive
.
Please open an issue if you need help setting up Bento with another CI provider. If you set up Bento with your provider of choice, we’d appreciate a PR to add instructions here!
Help and Community
Need help or want to share feedback? We’d love to hear from you!
- Email us at support@r2c.dev
- Join #bento in our community Slack
- File an issue or submit a feature request directly on GitHub — we welcome them all!
We’re constantly shipping new features and improvements.
- Sign up for the Bento newsletter — we promise not to spam and you can unsubscribe at any time
- See past announcements, releases, and issues here
We’re fortunate to benefit from the contributions of the open source community and great projects such as Bandit, ESLint, Flake8, and their plugins. 🙏
License and Legal
Please refer to the terms and privacy document.
Copyright (c) r2c.
Changelog
This project adheres to Semantic Versioning.
0.6.1 - 2019-11-26
Fixed
- Bento no longer completes initialization if it can't identify a project; this prevents
confusing errors when subsequently running
bento check
. - Pinned versions of all 3rd-party Python tools, so that remote package upgrades do not break Bento.
- Bento no longer crashes if a project path contains a space.
Changed
- Results of
bento check
are now printed using the Clippy and histogram formatters (see "Added" section below) by default. - The APIs to enable and disable a check are now
bento enable check [check]
andbento disable check [check]
. - The
r2c.flask
tool is now enabled by default. It finds best-practice and security bugs in code using the Python Flask framework. - Multiple formatters can now be used to display results from
bento check
. For example,bento check -f stylish -f histo
will display results using the Stylish formatter, followed by display using a histogram formatter. - Progress bars are not emitted to stderr if not a tty; this prevents progress-bar output from littering CI logs.
- Updated progress bar glyphs for readability on a wider range of terminal themes.
- Disabled
r2c.flake8
checkB001
by default, in favor of the (also included)E722
check.
Added
- Added
r2c.requests
, which finds best-practice and security bugs in code using the Python Requests framework. It is enabled by default. - Added
r2c.sgrep
, a syntactically aware code search tool. It is not enabled by default. To use it on a project, runbento enable tool r2c.sgrep
. Note that Docker is required in order to user2c.sgrep
. - All findings, including those previously archived, can now be viewed using
bento check --show-all
. - Tools can now be enabled using
bento enable tool [tool_id]
. Available tools can be listed by runningbento enable tool --help
or using shell autocompletion. Tools can be disabled usingbento disable tool [tool_id]
.
0.6.0
Version 0.6.0 was not released.
0.5.0 - 2019-11-18
Fixed
r2c.eslint
now properly detects TypeScript imports.r2c.eslint
now detects global node environments (e.g.,jest
), and properly resolves their global variables.
Changed
- To better protect users' data, error messages are no longer reported to our backend.
.bentoignore
can now be configured to include patterns from other files; by default the contents of the project's.gitignore
are included. For more information, please see the comments at the top of the generated.bentoignore
file.- Tab completion times reduced by approximately half.
- Disabled a number of
r2c.eslint
checks by default:arrow-parens
, as it conflicts with Prettier's default behavior.- TypeScript semicolon checking, which is stylistic.
import/no-cycle
which takes 50% of tool runtime on moderately large code bases.
r2c.flake8 E306
disabled by default, as it is stylistic in nature.- Runtime of
r2c.eslint
has been reduced by up to 30% for some projects.
Added
- Added
r2c.shellcheck
tool for shell scripts. To enable, addr2c.shellcheck
to the tools section of your.bento.yml
. Note that this tool requiresdocker
as a dependency. - Added
r2c.hadolint
tool for Docker files. To enable, addr2c.hadolint
to the tools section of your.bento.yml
. Note that this tool requiresdocker
to be installed in order to run.
0.4.1 - 2019-11-14
Fixed
- Fixes a performance regression due to changes in metrics collection.
0.4.0 - 2019-11-11
Changed
- We updated our privacy policy.
- Notably, we collect email addresses to understand usage and communicate with users through product announcements, technical notices, updates, security alerts, and support messages.
Added
-
Added additional
r2c.click
tool for Click framework:- flake8-click will be disabled by default.
-
Added additional
r2c.flask
tool for Flask framework:- flake8-flask will be disabled by default.
0.3.1 - 2019-11-08
Fixed
- Fixed an issue where the tool would fail to install if a macOS user
had installed
gcc
and then upgraded their OS. - Fixed a compatibility issue for users with a pre-existing version of GitPython with version between 2.1.1 and 2.1.13.
0.3.0 - 2019-11-01
Changed
- Bento can now be run from any subdirectory within a project.
- Updated the privacy and terms-of-service statement.
Added
-
File ignores are configurable via git-style ignore patterns (include patterns are not supported). Patterns should be added to
.bentoignore
. -
Added additional checks to the
r2c.flake8
tool:- All checks from flake8-bugbear (except for B009 and B010, which are stylistic in nature).
- All checks from flake8-builtins.
- All checks from flake8-debugger.
- All checks from flake8-executable.
-
Clippy output formatting is now supported.
- To enable, run:
bento check --formatter clippy
- Example output:
- To enable, run:
error: r2c.flake8.E113
--> foo.py:6:5
|
6 | return x
|
= note: unexpected indentation
- Autocompletion is now supported from both
bash
andzsh
. To use:- In
bash
, runecho -e '\neval "$(_BENTO_COMPLETE=source bento)"' >> ~/.bashrc
. - In
zsh
, runecho -e '\neval "$(_BENTO_COMPLETE=source_zsh bento)"' >> ~/.zshrc
.
- In
0.2.1 - 2019-10-29
Fixed
- Quoted emails in git configuration do not break user registration.
- Removed files properly invalidate results cache.
- Python tools do not crawl
node_modules
.
0.2.0 - 2019-10-23
Changed
- Results are cached between runs. This means that an immediate rerun of
bento
will be much faster. - Broadened library compatibility, especially for common packages:
- attrs from 18.2.0
- packaging from 14.0
- pre-commit from 1.0.0
r2c.eslint
ignores.min.js
files. Bento should only report issues in code, not built artifacts.- Telemetry endpoint uses
bento.r2c.dev
.
Added
- Bento check will optionally run only on passed paths, using
bento check [path] ...
. - Add
r2c.pyre
as a configurable tool. To enable, it must be manually configured in.bento.yml
. - Formatters can be specified with short names, and these appear in the help text. For example,
bento check --formatter json
. bento
version is passed to telemetry backend.
Fixed
- Tool does not crash if a git user does not have an email configured.
- Fixed a regression that caused progress bars to hang after first tool completed.
- Made fully compatible with Python 3.6.
- Tool does not mangle
.gitignore
when that file lacks a trailing newline.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file bento-cli-0.6.1.tar.gz
.
File metadata
- Download URL: bento-cli-0.6.1.tar.gz
- Upload date:
- Size: 70.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/2.0.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.6.0 requests-toolbelt/0.9.1 tqdm/4.36.1 CPython/3.7.3
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | b66c69b25f55da76cb5f813fc9800a0d26e30fe77e25392e12efbbfe51eb2e7f |
|
MD5 | f2a6337282ee8033fc4620bb55fee1f4 |
|
BLAKE2b-256 | f23695fd0dd9427e4f1404623f13a0c6eba92e60690dfacc58951a3d9d746eb9 |
File details
Details for the file bento_cli-0.6.1-py3-none-any.whl
.
File metadata
- Download URL: bento_cli-0.6.1-py3-none-any.whl
- Upload date:
- Size: 89.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/2.0.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.6.0 requests-toolbelt/0.9.1 tqdm/4.36.1 CPython/3.7.3
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | a436a29874a9c2ce60e335760198e0dd0a82f638aeb755a3e7f734f18b86cf39 |
|
MD5 | 761f9f57117820df43f3c9d358c53f0e |
|
BLAKE2b-256 | fdb7bc4d6bff31794d48e1c04dfb3b06bc4b4a3a0044b900abf0bc4831ba54f0 |