We recently started to use Bandit, a tool for finding potential security issues in Python projects. The experience setting it up has been quite good so far, and it’s now running as a pre-commit hook as well as in our CI system.
To install it from pip, just run:
$ pip install bandit
To scan the whole project recursively:
$ bandit -r .
Use the level flag to restrict the report to the issues with the highest severity (each additional l raises the minimum severity; -lll reports only high-severity findings):
$ bandit -r . -lll
To exclude some directories from being scanned, a config file named .bandit can be used:
[bandit]
exclude: /test
False positives can be ignored either inline with a comment directly in the code, by turning off the test globally or by using a baseline file in .json format to compare against. We went with the comment approach, since it provides a good opportunity to explain why a warning is suppressed as well.
Example from the bandit documentation:
self.process = subprocess.Popen('/bin/echo', shell=True) # nosec
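As an added illustration (not code from the original post or from the Bandit project), the snippet below puts the pattern Bandit reports for shell=True (its B602 check) next to the hardened argument-list form, and shows a # nosec suppression with its justification written on the line above it, as the post suggests. The use of sys.executable in place of /bin/echo is an assumption made only to keep the example portable.

```python
import subprocess
import sys


# The pattern Bandit flags (B602): a command string built from input and
# handed to a shell. Shown here for contrast only, not called by the demo.
def greet_via_shell(name: str) -> str:
    # Shell metacharacters in name (';', '$(...)', '|') are interpreted by
    # the shell, so the caller no longer controls what actually runs.
    completed = subprocess.run(
        f"echo {name}", shell=True, capture_output=True, text=True, check=True
    )
    return completed.stdout.strip()


# Hardened form: no shell, arguments passed as a list, so name reaches the
# child process verbatim whatever it contains. Bandit stops reporting B602;
# it may still note the low-severity B603/B404 checks for using subprocess.
def greet(name: str) -> str:
    # sys.executable stands in for /bin/echo (constructed, for portability).
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True,
        text=True,
        check=True,
    )
    return completed.stdout.strip()


# A constant command with no external input. If a project wants to keep
# shell=True here anyway, the finding is suppressed inline and the reason
# sits right next to it, which is the approach the post recommends.
def runtime_version() -> str:
    # Suppressed: command string is a constant, no user-controlled input.
    completed = subprocess.run(  # nosec
        f'"{sys.executable}" --version',
        shell=True,
        capture_output=True,
        text=True,
        check=True,
    )
    return completed.stdout.strip()


if __name__ == "__main__":
    hostile = "world; echo INJECTED"
    # The hardened call prints the string literally; nothing extra executes.
    print(greet(hostile))
```

Running bandit over this file reports the shell=True call in greet_via_shell and stays silent on the suppressed one in runtime_version, which is the difference a reviewer wants to see when deciding between fixing a finding and documenting why it is accepted.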
Since you typically want some automation in place for a security scanner like this, Bandit provides a pre-commit hook ready to use. Note that if you exclude folders in your config, you currently need to exclude them in the pre-commit config as well.
One thought on “Finding security issues in Python code with Bandit”