From 248dd64c51bdd0009805f30f66129a4d4daf92ff Mon Sep 17 00:00:00 2001 From: Jared Vititoe Date: Tue, 14 Apr 2026 12:40:34 -0400 Subject: [PATCH] Suppress bandit B602 false positive in admin CLI tool subprocess shell=True is intentional: cmd is a ceph/SSH command built internally, not from untrusted user input. Admin-only tool. Co-Authored-By: Claude Sonnet 4.6 --- ceph_osd_analyzer.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ceph_osd_analyzer.py b/ceph_osd_analyzer.py index 0cb752b..498669d 100644 --- a/ceph_osd_analyzer.py +++ b/ceph_osd_analyzer.py @@ -37,7 +37,7 @@ def run_command(cmd, parse_json=False, host=None): if DEBUG: print(f"{Colors.CYAN}DEBUG: Running: {cmd}{Colors.END}") - result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True) + result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True) # nosec B602 — admin-only CLI tool; cmd is ceph/ssh commands built internally if parse_json: return json.loads(result.stdout) return result.stdout.strip()
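Review bot: The `# nosec B602` added to the `subprocess.run(cmd, shell=True, ...)` line silences the finding for every caller of `run_command`, yet the claim that `cmd` is built internally cannot be checked from this hunk: the signature also takes `host`, and the lines that presumably fold it into an ssh command sit above the hunk. If `host`, or any OSD or pool name taken from argv or parsed from ceph output, is interpolated into `cmd`, shell metacharacters in that value are interpreted by the shell whether or not the tool is admin-only. Prefer removing the need for the suppression by passing an argument list, e.g. `subprocess.run(shlex.split(cmd), capture_output=True, text=True, check=True)`, or at least apply `shlex.quote()` to each interpolated value where `cmd` is assembled; the list form only works if no caller relies on pipes or redirection inside `cmd`. If the suppression stays, make the comment state the invariant it depends on, e.g. `# nosec B602 - cmd holds only constants and shlex.quote()d values`.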