Add bandit in tox -e pep8

Add bandit tox environment and amend pep8 env to run it.
Also, fix bandit errors with "0.0.0.0".

Change-Id: Ieb5785abd945663e07c07f0ddd3d9a074004f46a
Closes-Bug: #1594423

test-requirements.txt

@@ -22,3 +22,6 @@ sphinxcontrib-pecanwsme>=0.8 # Apache-2.0
 
 # releasenotes
 reno>=1.6.2 # Apache2
+
+# bandit
+bandit>=1.0.1 # Apache-2.0

tox.ini

@@ -20,6 +20,7 @@ commands =
 commands =
     doc8 doc/source/ CONTRIBUTING.rst HACKING.rst README.rst
     flake8
+    bandit -r watcher -x tests -n5 -ll
 
 [testenv:venv]
 setenv = PYTHONHASHSEED=0
@@ -61,3 +62,7 @@ ignore-path=doc/source/image_src,doc/source/man,doc/source/api
 
 [testenv:releasenotes]
 commands = sphinx-build -a -W -E -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
+
+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements.txt
+commands = bandit -r watcher -x tests -n5 -ll

watcher/api/app.py

@@ -30,7 +30,7 @@ API_SERVICE_OPTS = [
                 default=9322,
                 help=_('The port for the watcher API server')),
     cfg.StrOpt('host',
-               default='0.0.0.0',
+               default='127.0.0.1',
                help=_('The listen IP for the watcher API server')),
     cfg.IntOpt('max_limit',
                default=1000,

watcher/api/config.py

@@ -22,7 +22,7 @@ from watcher.api import hooks
 # See https://pecan.readthedocs.org/en/latest/configuration.html#server-configuration # noqa
 server = {
     'port': '9322',
-    'host': '0.0.0.0'
+    'host': '127.0.0.1'
 }
 
 # Pecan Application Configurations

watcher/cmd/api.py

@@ -38,8 +38,8 @@ def main():
     server = service.WSGIService(
         'watcher-api', CONF.api.enable_ssl_api)
 
-    if host == '0.0.0.0':
+    if host == '127.0.0.1':
-        LOG.info(_LI('serving on 0.0.0.0:%(port)s, '
+        LOG.info(_LI('serving on 127.0.0.1:%(port)s, '
                      'view at %(protocol)s://127.0.0.1:%(port)s') %
                  dict(protocol=protocol, port=port))
     else: