Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs the appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report.
Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.
- Remove paramiko invoke_shell and fix example (#377) @ericwb
- Fix custom format argument handling (#380) @evqna
- Add release drafter template (#382) @evqna
- Add option -q, --quiet, --silent to hide output (#385) @ericwb
- Password (#387) @ehooo
- Properly handle nosec strings in code (#388) @ericwb
- Fix Pylint warning W0612: use of unused variables (#389) @ericwb
- No need to skip R0204: redefined-variable-type (#390) @ericwb
- Allow failures on dev branch of Python 3.8 (#392) @ericwb
- Fix more info line to be in color also (#408) @ericwb
- Add pre-commit config (#411) @KPilnacek
- Fix B611 doc title (#414) @paulopontesm
- Describe baseline and its usage in README (#415) @BillBrower
- Remove unneeded trailing paren in link (#416) @ericwb
- Add missing custom formatter doc (#406) (#421) @nixphix
- Fix terminal colors not displaying properly on Windows (#424) @GhostofGoes
- Fix sql injection check for f-strings (#434) @mikespallino
- Bump PyYAML minimum version to 3.13 (#432) @ericwb
- Supporting CSafeLoader in yaml.load plugin (#436) @domanchi
- Add a readthedocs build status badge (#440) @lukehinds
- Fix DeprecationWarning: invalid escape sequence (#441) @BoboTiG
- Fix ResourceWarning: unclosed file (#442) @BoboTiG
- check if ast.JoinedStr exists before using it (#446) @calvinli
- Fix context class (#449) @ehooo
- Interpret wildcards in the file exclusion list (#450) @thilp
- Fix typo in README (#451) @bitcoinhodler
- Redo logo on the README (#463) @ericwb
- Remove pycryptodome blacklist (#470) @mikespallino
- Updated README links for Werkzeug debugger (#473) @soumitr-snowflake
virtualenv bandit-env (optional)
pip install bandit

# Or if you're working with a Python 3 project
pip3 install bandit
Bandit is designed to be configurable and to cover a wide range of needs: it may be used either as a local developer utility or as part of a full CI/CD pipeline. To support these usage scenarios, Bandit can be configured via a YAML file. This file is completely optional and in many cases not needed; it may be specified on the command line with -c.
A bandit configuration file may choose the specific test plugins to run and override the default configurations of those tests. An example config might look like the following:
If you require several sets of tests for specific tasks, then you should create several config files and pick from them using -c. If you only wish to control the specific tests that are to be run (and not their parameters) then using -s or -t on the command line may be more appropriate.
The bandit config may contain optional lists of test IDs to either include (tests) or exclude (skips). These lists are equivalent to using -t and -s on the command line. If only tests is given, Bandit will run only those tests, effectively excluding all others. If only skips is given, Bandit will run all tests that are not in the skips list. If both are given, Bandit will start from the tests list and then remove everything in skips from that set. It is an error to include the same test ID in both tests and skips.
Note that command line options -t/-s can still be used in conjunction with tests and skips given in a config. The result is to concatenate -t with tests and likewise for -s and skips before working out the tests to run.
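The following added example (not Bandit's own implementation) works through the selection rules above: how a config's tests and skips lists combine with -t and -s, and which set of test IDs results. The bandit.yaml fragment shown in the comments is hypothetical, and the catalogue of test IDs is a small constructed sample rather than Bandit's full list; the rejection of unknown IDs is an extra sanity check added here, not a rule the README states.

```python
# Added example: resolving which Bandit tests run from tests/skips and -t/-s.
# Illustrative code, not Bandit's implementation.
#
# Hypothetical bandit.yaml, shown here as the dict PyYAML would load it into:
#
#   tests:
#     - B101
#     - B301
#   skips:
#     - B602
#
# A constructed sample of test IDs, standing in for Bandit's full catalogue.
ALL_TESTS = frozenset({"B101", "B102", "B301", "B302", "B601", "B602"})


def _as_list(value):
    """Accept a YAML list, a comma-separated -t/-s string, or nothing."""
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value)


def resolve_tests(config, cli_tests=None, cli_skips=None, all_tests=ALL_TESTS):
    """Return the set of test IDs that would run.

    Rules as documented: `tests` alone -> only those tests; `skips` alone ->
    every test not in skips; both -> tests minus skips; the same ID in both
    config lists is an error. -t is concatenated with `tests` and -s with
    `skips` before the final set is worked out, so a -s entry always wins.
    """
    cfg_tests = _as_list(config.get("tests"))
    cfg_skips = _as_list(config.get("skips"))

    overlap = set(cfg_tests) & set(cfg_skips)
    if overlap:
        raise ValueError(
            "test IDs listed in both tests and skips: " + ", ".join(sorted(overlap))
        )

    include = set(cfg_tests) | set(_as_list(cli_tests))
    exclude = set(cfg_skips) | set(_as_list(cli_skips))

    # Sanity check added in this example (not a documented Bandit rule):
    # an ID that matches no known test is almost always a typo.
    unknown = (include | exclude) - set(all_tests)
    if unknown:
        raise ValueError("unknown test IDs: " + ", ".join(sorted(unknown)))

    selected = include if include else set(all_tests)
    return selected - exclude


if __name__ == "__main__":
    config = {"tests": ["B101", "B301"], "skips": ["B602"]}
    # Config only: B101 and B301 (B602 was never selected, so skipping it is a no-op).
    print(sorted(resolve_tests(config)))
    # Adding -t B601 -s B301 on the command line: B301 is removed, B601 added.
    print(sorted(resolve_tests(config, cli_tests="B601", cli_skips="B301")))
    # skips only: everything except the skipped test.
    print(sorted(resolve_tests({"skips": ["B602"]})))
```

Because -s is merged into skips before the set is computed, a test listed under tests in the config can still be switched off for one run with -s, which is the usual way to silence a single check in CI without editing the shared config.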
Generating a Config
Bandit ships the tool bandit-config-generator designed to take the legwork out of configuration. This tool can generate a configuration file automatically. The generated configuration will include default config blocks for all detected test and blacklist plugins. This data can then be deleted or edited as needed to produce a minimal config as desired. The config generator supports -t and -s command line options to specify a list of test IDs that should be included or excluded respectively. If no options are given then the generated config will not include tests or skips sections (but will provide a complete list of all test IDs for reference when editing).
Configuring Test Plugins
Bandit’s configuration file is written in YAML and options for each plugin test are provided under a section named to match the test method. For example, given a test plugin called ‘try_except_pass’ its configuration section might look like the following:
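To make concrete what a plugin section controls, here is an added example (not Bandit's plugin code) that re-implements the try_except_pass check in miniature and reads its one option, check_typed_exception, from a config dict keyed by the plugin name, exactly as the YAML section would be loaded. The bandit.yaml fragment in the comments and the scanned source are constructed for this example; the default of check_typed_exception being off is taken from Bandit's documented behaviour for this plugin.

```python
# Added example: a miniature try_except_pass check driven by its config section.
# Illustrative code, not Bandit's plugin implementation.
#
# Hypothetical plugin section in bandit.yaml (keyed by the test method name):
#
#   try_except_pass:
#     check_typed_exception: True
#
import ast

# Constructed sample source: four handlers, only the last one does real work.
SAMPLE_SOURCE = """
try:
    risky()
except:
    pass
try:
    risky()
except Exception:
    pass
try:
    risky()
except KeyError:
    pass
try:
    risky()
except ValueError:
    log("ignored")
"""


def find_try_except_pass(source, check_typed_exception=False):
    """Return line numbers of `except` handlers whose whole body is `pass`.

    With check_typed_exception False (the plugin's default) only a bare
    `except:` or `except Exception:` is reported, since those swallow
    everything. With True, a handler for a specific type such as KeyError
    is reported as well.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ExceptHandler):
            continue
        if not (len(node.body) == 1 and isinstance(node.body[0], ast.Pass)):
            continue
        # A typed handler is anything other than bare `except:` or `except Exception:`.
        typed = node.type is not None and getattr(node.type, "id", None) != "Exception"
        if typed and not check_typed_exception:
            continue
        hits.append(node.lineno)
    return hits


def run_with_config(config, source):
    """Look up the plugin's section by its test method name and run the check."""
    section = config.get("try_except_pass", {})
    return find_try_except_pass(
        source, check_typed_exception=bool(section.get("check_typed_exception", False))
    )


if __name__ == "__main__":
    default_cfg = {}                                            # no section: default
    strict_cfg = {"try_except_pass": {"check_typed_exception": True}}
    print("default:", run_with_config(default_cfg, SAMPLE_SOURCE))   # bare and Exception handlers
    print("strict: ", run_with_config(strict_cfg, SAMPLE_SOURCE))    # KeyError handler too
```

The section name must match the plugin's test method name, not its test ID, so a typo in the key silently leaves the plugin on its defaults; reading the section through a lookup with a default, as run_with_config does, is what makes that silent fallback visible when you check the effective value.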