My Python script has to run a binary that is available only via the console, so I use subprocess.run
and it looks like this:
import subprocess

# ARGS: the parsed command-line arguments (defined elsewhere in the script)
CMD = [
    "C:\\Program Files\\Azure DevOps Server 2019\\Tools\\TFSSecurity.exe",
    "/gd",
    f"[{ARGS.projectName}]\\{ARGS.groupName}",
    f"/collection:{ARGS.organization}",
]
DELETE_OUTPUT = subprocess.run(
    CMD, check=True, stdout=subprocess.PIPE, shell=True
).stdout.decode("utf-8")
print(f"[DEBUG] DELETE_OUTPUT: {DELETE_OUTPUT}")
It works fine, but Bandit reports some issues:
[B404:blacklist] Consider possible security implications associated with subprocess module.
[B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue
Is there a way to run the CLI in a more secure way, to make Bandit happy?
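The shell is not needed here: TFSSecurity.exe is an ordinary executable, not a cmd.exe builtin, so `shell=True` only adds a `cmd.exe /c` hop that parses `&`, `|`, `^` and `%VAR%` inside the interpolated project, group and collection values. Passing the argv list with the default `shell=False` hands those strings to CreateProcess unchanged. The following is an added example (not the asker's script): it validates the interpolated values, builds the argv list, runs it without a shell, and uses the Python interpreter as a stand-in child process to show that metacharacters arrive verbatim. `ARGS` is simulated with a hypothetical namespace, and the validation rules in `validate_arg` are a conservative choice of mine, not documented TFSSecurity behaviour.

```python
"""Hardened replacement for the subprocess.run call in the question.

Added example, not the asker's script. Assumptions not in the original post:
- ARGS is an argparse.Namespace; a hypothetical one is built below.
- validate_arg()'s rules (non-empty, no control characters, no leading '/')
  are my own conservative choice, not documented TFSSecurity behaviour.
"""
import json
import os
import re
import subprocess
import sys
from types import SimpleNamespace

TFSSECURITY_EXE = r"C:\Program Files\Azure DevOps Server 2019\Tools\TFSSecurity.exe"

# Hypothetical stand-in for the argparse result the question calls ARGS.
ARGS = SimpleNamespace(
    projectName="MyProject",
    groupName="Contributors",
    organization="https://tfs.example.local/tfs/DefaultCollection",
)

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_arg(value: str, name: str) -> str:
    """Reject values that could smuggle an extra TFSSecurity switch or break argv."""
    if not value:
        raise ValueError(f"{name} must not be empty")
    if _CONTROL_CHARS.search(value):
        raise ValueError(f"{name} contains control characters")
    if value.startswith("/"):
        raise ValueError(f"{name} must not start with '/' (looks like a switch)")
    return value


def build_delete_group_cmd(project, group, collection, exe=TFSSECURITY_EXE):
    """Build the argv list: one list item per argument, no shell, no string joining."""
    return [
        exe,
        "/gd",
        f"[{validate_arg(project, 'projectName')}]\\{validate_arg(group, 'groupName')}",
        f"/collection:{validate_arg(collection, 'organization')}",
    ]


def run_cli(cmd, timeout=120):
    """Run an argv list directly (no cmd.exe) and return its stdout as text."""
    # B603 still fires on any subprocess call; suppressed here because argv is a
    # list built from validated values, which is exactly what the check asks for.
    result = subprocess.run(cmd, check=True, capture_output=True, text=True, timeout=timeout)  # nosec B603
    return result.stdout


def echo_argv_without_shell(*args):
    """Show that arguments reach the child verbatim. The Python interpreter stands
    in for TFSSecurity.exe and prints its own argv as JSON."""
    cmd = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", *args]
    return json.loads(run_cli(cmd))


if __name__ == "__main__":
    cmd = build_delete_group_cmd(ARGS.projectName, ARGS.groupName, ARGS.organization)
    print("[DEBUG] argv:", cmd)
    # The single string CreateProcess would receive on Windows, shown for inspection only.
    print("[DEBUG] command line:", subprocess.list2cmdline(cmd))
    # Shell metacharacters stay literal because no shell ever parses them.
    print("[DEBUG] echo:", echo_argv_without_shell("a & whoami", "[P]\\G"))
    if os.path.exists(cmd[0]):
        try:
            print(f"[DEBUG] DELETE_OUTPUT: {run_cli(cmd)}")
        except subprocess.CalledProcessError as exc:
            print(f"[ERROR] TFSSecurity exited {exc.returncode}: {exc.stderr}")
```

Dropping `shell=True` removes B602. Bandit will still emit B404 on the `import subprocess` line and the low-severity B603 on the call; both are advisories that the argv list is built from trusted input rather than findings a code change can remove, so after reviewing them they are suppressed per line with `# nosec B404` / `# nosec B603` or project-wide with `bandit -s B404,B603`. `capture_output=True, text=True` replaces `stdout=subprocess.PIPE` plus `.decode("utf-8")` and also captures stderr for the error path.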