ruff/crates/ruff_linter/resources/test/fixtures/flake8_bandit/S603.py
trag1c c2512b4c50
[flake8-bandit] Mark str and list[str] literals as trusted input (S603) (#17136)
## Summary

Closes #17112. Allows passing in string and list-of-strings literals
into `subprocess.run` (and related) calls without marking them as
untrusted input:
```py
import subprocess

subprocess.run("true")

# "instant" named expressions are also allowed
subprocess.run(c := "ls")
```

## Test Plan

Added test cases covering new behavior, passed with `cargo nextest run`.
2025-04-02 11:22:37 -04:00


from subprocess import Popen, call, check_call, check_output, run

# All of the Popen wrappers are checked, not only Popen itself.
a = input()
Popen(a, shell=False)
call(a, shell=False)
check_call(a, shell=False)
check_output(a, shell=False)
run(a, shell=False)

# Falsey literal values of shell= are treated as False.
Popen(a, shell=0)
Popen(a, shell=[])
Popen(a, shell={})
Popen(a, shell=None)

# Values that cannot be resolved statically are also treated as falsey.
Popen(a, shell=True if True else False)

# Omitting shell= (the default is False) is caught as well.
Popen(a)

# String and list-of-string literals are fine: they're trusted input.
run("true")
Popen(["true"])
Popen("true", shell=False)
call("true", shell=False)
check_call("true", shell=False)
check_output("true", shell=False)
run("true", shell=False)

# Not through assignments though: the literal is not tracked to its use.
cmd = ["true"]
run(cmd)

# "Instant" named expressions wrapping a literal are fine.
run(c := "true")

# But a name bound earlier by a named expression is not.
(e := "echo")
run(e)
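To make the decision logic described in the commit message and exercised by the fixture above concrete, here is an added example that is not Ruff's own implementation (which is written in Rust): a small checker over Python's `ast` module that reproduces the S603 behaviour the page describes. It flags a `subprocess` call when the first argument is neither a `str` literal, a list of `str` literals, nor an "instant" named expression wrapping one, and `shell=` is absent, a falsey literal, or an expression that cannot be resolved. The function names, the name-only callee matching (Ruff resolves the callee to the `subprocess` module, this example does not), and the `SAMPLE` input are assumptions of the example; the sample is constructed to mirror the fixture.

```python
import ast

# Subprocess entry points exercised by the fixture. Matching on the bare name
# is a simplification of this example, not how Ruff resolves the callee.
SUBPROCESS_CALLS = {"Popen", "call", "check_call", "check_output", "run"}


def is_trusted_literal(node: ast.expr) -> bool:
    """A str literal, a list of str literals, or an 'instant' named expression
    wrapping one of those counts as trusted input."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return True
    if isinstance(node, ast.List):
        return all(
            isinstance(e, ast.Constant) and isinstance(e.value, str) for e in node.elts
        )
    if isinstance(node, ast.NamedExpr):
        # run(c := "true"): the literal is right at the call site.
        return is_trusted_literal(node.value)
    return False


def shell_is_truthy(call: ast.Call) -> bool:
    """True only when shell= is a truthy literal. A falsey literal, an absent
    keyword and an unresolvable expression all count as False, which is the
    case this rule covers (a literal shell=True belongs to a different rule)."""
    for kw in call.keywords:
        if kw.arg != "shell":
            continue
        value = kw.value
        if isinstance(value, ast.Constant):
            return bool(value.value)          # 0, None, False -> falsey
        if isinstance(value, (ast.List, ast.Tuple, ast.Set)):
            return bool(value.elts)           # [] -> falsey
        if isinstance(value, ast.Dict):
            return bool(value.keys)           # {} -> falsey
        return False                          # e.g. `True if True else False`
    return False                              # not given: defaults to False


def callee_name(call: ast.Call):
    func = call.func
    if isinstance(func, ast.Name):            # run(...)
        return func.id
    if isinstance(func, ast.Attribute):       # subprocess.run(...)
        return func.attr
    return None


def find_untrusted_subprocess_calls(source: str):
    """Return (line, callee) for each subprocess call whose first argument is
    not a trusted literal and whose shell= is not a truthy literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = callee_name(node)
        if name not in SUBPROCESS_CALLS or not node.args:
            continue
        if shell_is_truthy(node):
            continue
        if is_trusted_literal(node.args[0]):
            continue
        findings.append((node.lineno, name))
    findings.sort()
    return findings


# Constructed sample mirroring the fixture above (not the fixture file itself).
SAMPLE = """\
from subprocess import Popen, run
a = input()
Popen(a, shell=False)
Popen(a, shell=[])
Popen(a)
run("true")
Popen(["true"])
cmd = ["true"]
run(cmd)
run(c := "true")
(e := "echo")
run(e)
Popen(a, shell=True)
"""

if __name__ == "__main__":
    for line, name in find_untrusted_subprocess_calls(SAMPLE):
        print(f"{line}: {name}() called with untrusted input and shell not truthy")
```

A hit only means the argv expression is not a literal visible at the call site; `run(cmd)` after `cmd = ["true"]` is still reported because, like the rule on this page, the example does no assignment tracking, and a reported call still needs a human to decide whether the value can actually be attacker-controlled. Conversely, a clean result says nothing about what the literal command does once it runs.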