Move safety checks to new Zuul job

The pyup.io database that is used to check dependencies for
vulnerabilities in Spyglass is currently down. When first implemented,
this check was placed in the tox pep8 job. This change moves the
vulnerability check into its own Zuul job so it can be disabled in
instances such as this where the database is down.

Specifies basepython to python3 for safety and bandit jobs.

Change-Id: I4e13c5341a9e62095587ec1820be79a621380f09

.zuul.yaml

@@ -21,12 +21,14 @@
     check:
       jobs:
         - openstack-tox-pep8
+        - spyglass-dependency-vulnerability-check
         - spyglass-docker-build-gate-ubuntu_xenial
         - spyglass-docker-build-gate-ubuntu_bionic
         - spyglass-docker-build-gate-opensuse
     gate:
       jobs:
         - openstack-tox-pep8
+        - spyglass-dependency-vulnerability-check
         - spyglass-docker-build-gate-ubuntu_xenial
         - spyglass-docker-build-gate-ubuntu_bionic
         - spyglass-docker-build-gate-opensuse
@@ -43,6 +45,15 @@
       - name: primary
         label: ubuntu-xenial
 
+- job:
+    name: spyglass-dependency-vulnerability-check
+    parent: openstack-tox
+    voting: false
+    timeout: 600
+    nodeset: spyglass-single-node
+    vars:
+      tox_envlist: safety
+
 - job:
     name: spyglass-docker-build-gate-ubuntu_xenial
     timeout: 1800

tox.ini

@@ -1,5 +1,5 @@
 [tox]
-envlist = py36, py37, pep8, docs, cover
+envlist = py36, py37, pep8, safety, docs, cover
 minversion = 2.3.1
 skipsdist = True
 
@@ -39,12 +39,11 @@ commands =
   yapf -dr {toxinidir}/spyglass {toxinidir}/setup.py {toxinidir}/tests
   flake8 {toxinidir}/spyglass {toxinidir}/tests
   bandit -r spyglass -n 5
-  pipenv check
-  safety check -r {toxinidir}/doc/requirements.txt --bare
 whitelist_externals =
   bash
 
 [testenv:safety]
+basepython = python3
 deps =
   pipenv
   safety
@@ -54,6 +53,7 @@ commands =
   safety check -r {toxinidir}/doc/requirements.txt --full-report
 
 [testenv:bandit]
+basepython = python3
 deps =
     pipenv
 commands =