config is not in effect from pyproject.toml?

[yarikoptic]

New to bandit here, thought to give it a try but can't make it just alert on HIGH confidence/impact issues: I have in my pyproject.toml

❯ grep -A 4 tool.bandit pyproject.toml
[tool.bandit]
# Set the severity and confidence levels
severity = "HIGH"
confidence = "HIGH"
skip = ["B101"]

but when I do a sample run, I still get those lower severity ones for that test code:

❯ bandit -c pyproject.toml dandi/move.py | head -n 12
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	using config: pyproject.toml
[main]	INFO	running on Python 3.13.2
Run started:2025-03-13 21:43:07.442386

Test results:
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.8.4.dev12/plugins/b101_assert_used.html
   Location: ./dandi/move.py:459:12
458	                continue
459	            assert isinstance(df, LocalAsset)
460	            relpath = posixpath.relpath(df.path, self.subpath.as_posix())

what am I doing wrong?

PS might somewhat relate to #606 since it seems I am doing what the bible says but still come out a sinner ...

[sitsofe]

(I'm a random passerby so please take the following with a pinch of salt as it could be wildly wrong)

TLDR; severity and confidence can't be set in a configuration files - only ini files or on the command line.

Longer explanation
Looking through main() in cli/main.py shows that command line arguments are read using argparse and ultimately parsed into the args variable whereas ini configuration is read using _get_options_from_ini which then used to override command line arguments in the same args variable. "Configuration files" (such as pyproject.toml) are read into the separate b_conf variable by BanditConfig. Back in main() you can see that things like severity and confidence are only taken from the args so there is no chance they would be influenced by something in a configuration file. The non-support of severity and confidence is alluded to in the configuration documentation which lists only a limited number of non-plugin "arguments" supported in configuration files.

what am I doing wrong?

You were trying set options/arguments that only work on the command or in ini files within a pyproject.toml file where they will just end up being ignored (like you I learned that this doesn't work the hard way).