Silence bandit paranoia on certain lines

remove --out from harvest examples with remote mode, in README
2025-12-17 19:05:07 +11:00 · 2025-12-17 19:03:31 +11:00
4 changed files with 8 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -259,10 +259,10 @@ On the host (root recommended to harvest as much data as possible):
 ```bash
 enroll harvest --out /tmp/enroll-harvest
 ```
-### Remote harvest over SSH (no enroll install required on the remote host)
+### Remote harvest over SSH (no enroll install required on the remote host, no need for --out)

 ```bash
-enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest
+enroll harvest --remote-host myhost.example.com --remote-user myuser
 ```

 ### `--dangerous` (captures potentially sensitive files — read the warning above)
@ -274,7 +274,7 @@ enroll harvest --out /tmp/enroll-harvest --dangerous
 Remote + dangerous:

 ```bash
-enroll harvest --remote-host myhost.example.com --remote-user myuser --out /tmp/enroll-harvest --dangerous
+enroll harvest --remote-host myhost.example.com --remote-user myuser --dangerous
 ```

 ### `--sops` (encrypt bundles at rest)
--- a/enroll/manifest.py
+++ b/enroll/manifest.py
@ -567,7 +567,7 @@ def _tar_dir_to_with_progress(
            cols = shutil.get_terminal_size((80, 20)).columns
            msg = msg[: cols - 1]
        except Exception:
-            pass
+            pass # nosec
        os.write(2, ("\r" + msg).encode("utf-8", errors="replace"))

    with tarfile.open(tar_path, mode="w:gz") as tf:
--- a/enroll/remote.py
+++ b/enroll/remote.py
@ -200,7 +200,7 @@ def remote_harvest(

            # Stream a tarball back to the local machine (avoid creating a tar file on the remote).
            cmd = f"tar -cz -C {rbundle} ."
-            _stdin, stdout, stderr = ssh.exec_command(cmd)
+            _stdin, stdout, stderr = ssh.exec_command(cmd) # nosec
            with open(local_tgz, "wb") as f:
                while True:
                    chunk = stdout.read(1024 * 128)
--- a/enroll/sopsutil.py
+++ b/enroll/sopsutil.py
@ -2,7 +2,7 @@ from __future__ import annotations

 import os
 import shutil
-import subprocess
+import subprocess # nosec
 import tempfile
 from pathlib import Path
 from typing import Iterable, List, Optional
@ -62,7 +62,7 @@ def encrypt_file_binary(
        ],
        capture_output=True,
        check=False,
-    )
+    ) # nosec
    if res.returncode != 0:
        raise SopsError(
            "sops encryption failed:\n"
@ -112,7 +112,7 @@ def decrypt_file_binary_to(
        ],
        capture_output=True,
        check=False,
-    )
+    ) # nosec
    if res.returncode != 0:
        raise SopsError(
            "sops decryption failed:\n"
Author	SHA1	Message	Date
Miguel Jacq	62ec8e8b1b	Silence bandit paranoia on certain lines Some checks failed CI / test (push) Successful in 5m24s Details Lint / test (push) Failing after 29s Details Trivy / test (push) Successful in 20s Details	2025-12-17 19:05:07 +11:00
Miguel Jacq	9ebd8ff990	remove --out from harvest examples with remote mode, in README	2025-12-17 19:03:31 +11:00