Bento 0.8: Updated workflows and new specialty checks

Changes to Bento’s default behavior integrate it more smoothly into your workflow

In Bento 0.8, we’ve significantly reduced its file footprint and tuned its default behavior for individual use, rather than something that requires team-wide adoption. We also made Bento’s source code publicly available, shipped more new checks, and made a number of usability improvements.

☀️ New Bento behavior

Consistent feedback is leading us to change Bento’s out-of-the-box behavior. In user research interviews and GitHub issues over the past month we’ve consistently heard that Bento’s file footprint and modification of Git state made it challenging to adopt. v0.8 emphasizes an incremental and personal, rather than team-wide, workflow that makes Bento a smaller commitment to use:

  1. Other project contributors won’t see Bento’s files and their workflows won’t change. Bento is just for you.

  2. You no longer need to manually run Bento. After initialization Bento will automatically check for issues in your code as you commit, analyzing only the files that have changed.

  3. You won’t see a project’s tech debt during initialization. It’s still there for you though when you’re ready to take a peek and tackle it with your team.

Bento can also analyze all the code in your project or its paths with:

$ bento check --all [PATHS]

Learn more about our approach to personal and team-wide use, including how to configure Bento for CI, in this blog post.

📈 New Specialty Checks

We’ve added four new specialty checks this release and enabled Docker and shell file checking. See for full documentation.

For Flask:

  • missing-jwt-token: when using JSON Web Tokens (JWT) for authentication in web services, this check detects cases where authentication decorators may be missing from certain routes and recommends their usage for API data security

  • use-blueprint-for-modularity: recommends using Blueprint when there are too many route handlers in a single file. Blueprint encourages modularity and can greatly simplify how large applications work and provide a central means for Flask extensions to register operations on applications. See Modular Applications with Flask.
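To make concrete what a check like missing-jwt-token looks for, here is an added illustration written for this post, not Bento's own implementation (the page does not describe Bento's decorator list or how it recognises routes): a small AST pass that flags Flask route handlers carrying no JWT guard decorator. The route and guard decorator names are assumptions, the sample app is constructed, and the pass also covers Flask's `@app.get`/`@app.post` shortcut decorators.

```python
import ast

# Assumed names (the page does not list Bento's own): Flask routing decorators
# and the JWT guard decorators (flask_jwt_extended style) that satisfy the check.
ROUTE_DECORATORS = {"route", "get", "post", "put", "patch", "delete"}
JWT_DECORATORS = {"jwt_required", "jwt_optional"}

def decorator_name(dec):
    """Bare name of a decorator: @jwt_required, @jwt_required(), @app.route(...)."""
    if isinstance(dec, ast.Call):
        dec = dec.func
    if isinstance(dec, ast.Attribute):
        return dec.attr
    if isinstance(dec, ast.Name):
        return dec.id
    return ""

def find_unguarded_routes(source):
    """Return [(handler name, def line)] for route handlers with no JWT guard."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = {decorator_name(d) for d in node.decorator_list}
        if names & ROUTE_DECORATORS and not names & JWT_DECORATORS:
            findings.append((node.name, node.lineno))
    return findings

# Constructed sample app: /me is guarded; /login and /admin/users are not.
# /login is an expected finding to triage (the token issuer itself is public).
SAMPLE_APP = '''\
from flask import Flask
from flask_jwt_extended import jwt_required
app = Flask(__name__)
@app.route("/login", methods=["POST"])
def login():
    return "token"
@app.route("/me")
@jwt_required()
def me():
    return "profile"
@app.get("/admin/users")
def admin_users():
    return "all users"
'''

if __name__ == "__main__":
    for name, line in find_unguarded_routes(SAMPLE_APP):
        print(f"line {line}: route handler {name!r} has no JWT decorator")
```

Findings such as the login route are where a real check needs an exemption list, which is why the page describes the check as recommending rather than enforcing the decorator.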

For Click:

🧪 Focusing on the Flask Community

We’re pausing our JavaScript and TypeScript support and focusing on using Bento on Python web applications, in particular Flask. In the near-term our program analysis efforts will be on writing specialty checks for Flask and its extensions, and we’ll return to JS/TS later in the year. As a small team, we know the best tool will come from being obsessed with one community at a time, and it’s a hard decision for us to pause work on JS/TS. You’ll still be able to use ESLint and our curated defaults in Bento, but it won’t be enabled out-of-the-box. You can turn it on via:

$ bento enable tool eslint

This release brings a lot of change to Bento. Please don’t hesitate to reach out to us for support or discussion via or on Slack.

Happy coding, The Bento Team

