
I would like to incorporate Bandit security tests into my current Python project and add the command to my Makefile.

In my Makefile, I added the following code:

.PHONY: bandit
bandit:
	pip install bandit && bandit -c pyproject.toml -r . --confidence-level high -f json -q

When I run the commands pip install bandit and bandit -c pyproject.toml -r . --confidence-level high -f json -q in my project directory, there are no errors and the output is as expected. However, when I place it into the Makefile and run make bandit, I receive the error of make: *** [bandit] Error 1.

Why am I receiving this error? As I am adding the make command to my GitHub Actions file, this also causes an error in the Actions pipeline.

Besides the error message, the output is what I am expecting and is correct. I receive a bandit report on my command line.

Thank you in advance!

Francisco Puga

1 Answer

The way make works is it runs your command in a shell and waits for it to exit. When your command exits, make looks at the exit code and if it's success (0) then it believes that the command worked. If it's failure (anything that's not 0) then it believes the command failed.

In your example:

make: *** [bandit] Error 1

means that make invoked the recipe for the target bandit, and that recipe exited with an exit code of 1, not 0, so make considers it failed. If you ran the command from the shell and printed its exit code:

$ pip install bandit && bandit -c pyproject.toml -r . --confidence-level high -f json -q
$ echo $?

you'll see it prints 1 as the exit code, not 0.

I can't explain why your bandit command is not exiting with success. If you can't change that you can "trick" make into believing that it succeeded anyway by adding another command that succeeds, like:

.PHONY: bandit
bandit:
	pip install bandit && bandit -c pyproject.toml -r . --confidence-level high -f json -q; true

This is a bad idea though, because it means if your command really does fail make won't know. Better is to figure out how to make the command succeed (exit with 0).

MadScientist
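One way to keep the JSON report the question asks for without the `; true` trick is to let a small gate script decide the exit status make sees. This is an added example, not the answerer's or Bandit's own code; it assumes the field names Bandit's JSON formatter emits ("errors", "results", "issue_severity", "issue_confidence", "test_id", "filename", "line_number"), and the sample report below is constructed.

```python
"""Gate a bandit JSON report so make still sees a meaningful exit status.

Exit 0 when no finding reaches the thresholds, 1 when a blocking finding exists,
2 when the report is missing or unreadable or bandit reported scan errors
(a tool failure must not look like a clean scan).
"""
import json
import sys

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

def blocking_findings(report, min_severity="HIGH", min_confidence="HIGH"):
    """Return findings at or above both thresholds (mirrors -l/--confidence-level)."""
    sev, conf = LEVELS[min_severity.upper()], LEVELS[min_confidence.upper()]
    return [r for r in report.get("results", [])
            if LEVELS.get(str(r.get("issue_severity", "")).upper(), 0) >= sev
            and LEVELS.get(str(r.get("issue_confidence", "")).upper(), 0) >= conf]

def gate(report_text, min_severity="HIGH", min_confidence="HIGH"):
    """Return the exit status for make: 0 clean, 1 blocking findings, 2 tool failure."""
    try:
        report = json.loads(report_text)
    except (TypeError, json.JSONDecodeError):
        return 2
    if report.get("errors"):  # bandit could not scan some files
        return 2
    return 1 if blocking_findings(report, min_severity, min_confidence) else 0

# Constructed sample shaped like `bandit -f json` output (not a real scan result).
SAMPLE_REPORT = {
    "errors": [],
    "results": [
        {"test_id": "B101", "filename": "app/views.py", "line_number": 12,
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected."},
        {"test_id": "B602", "filename": "app/tasks.py", "line_number": 40,
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified."},
    ],
}
SAMPLE_REPORT_TEXT = json.dumps(SAMPLE_REPORT)

if __name__ == "__main__":
    # Makefile recipe (hypothetical file name bandit_gate.py):
    #   bandit -c pyproject.toml -r . -f json -q -o bandit.json; python bandit_gate.py bandit.json
    try:
        text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT_TEXT
    except OSError:
        sys.exit(2)
    status = gate(text)
    if status == 1:
        for f in blocking_findings(json.loads(text)):
            print(f"{f['filename']}:{f['line_number']} {f['test_id']} {f['issue_text']}")
    sys.exit(status)
```

The `;` between bandit and the gate is deliberate: bandit exits 1 when it has findings, and the gate, not that exit code, decides whether the recipe fails.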