Remediate failing Bandit gate

Adds a #nosec exclusion to a known Bandit error that has been evaluated
as low severity, and included comments about how the severity is further
reduced.

Adds a target Python version for Bandit job so that it does not fail to
scan several more files that are not working with a Python 2 run of
Bandit.

Change-Id: I251abd092b3049a663b8758bbec0926f4b4836f7

src/bin/shipyard_airflow/shipyard_airflow/plugins/deckhand_create_site_action_tag.py

@@ -83,9 +83,13 @@ class DeckhandCreateSiteActionTagOperator(DeckhandBaseOperator):
 
         # Retrieve result of task execution
         #
-        # TODO(eanylin): Use Airflow API instead of CLI once the API is
-        # ready for consumption, i.e. no longer experimental
-        response = subprocess.run(
+        # Using nosec because:
+        #   1) this subprocess runs within the same container
+        #      that runs this code
+        #   2) has no input that is sourced from an external user
+        #   3) Is not supported via any API that is also accessible to this
+        #      container.
+        response = subprocess.run(  # nosec
             ['airflow',
              'task_state',
              self.main_dag_name,

src/bin/shipyard_airflow/tox.ini

@@ -35,6 +35,7 @@ commands = flake8 {posargs}
 
 [testenv:bandit]
 skipsdist=True
+basepython=python3
 commands =
   bandit \
   -r shipyard_airflow \

src/bin/shipyard_client/tox.ini

@@ -9,6 +9,7 @@ deps = -r{toxinidir}/requirements.txt
        -r{toxinidir}/test-requirements.txt
 
 [testenv:py35]
+skipsdist=True
 commands =
   pytest \
     {posargs} \
@@ -19,6 +20,7 @@ commands =
     --cov-report=html
 
 [testenv:py36]
+skipsdist=True
 commands =
   pytest \
     {posargs} \
@@ -33,6 +35,8 @@ basepython=python3
 commands = flake8 {posargs}
 
 [testenv:bandit]
+basepython=python3
+skipsdist=True
 commands =
   bandit \
   -r shipyard_client \