{
  "library": "bandit",
  "title": "Bandit",
  "description": "Bandit is an open-source, security-oriented static analyser for Python code, designed to find common security issues early in the development lifecycle. It parses each file into an Abstract Syntax Tree (AST) and runs a set of security-focused plugins (tests) against the AST nodes; each finding is reported with a test ID (for example B602), a severity level and a confidence level. Bandit only parses the code it scans and never imports or executes it. Maintained by the PyCQA community, Bandit is currently at version 1.9.4 and requires Python >=3.10. Its release cadence focuses on compatibility updates and rule maintenance, indicating a stable and actively supported utility.",
  "status": "active",
  "version": "1.9.4",
  "language": "en",
  "source_language": "en",
  "source_url": "https://github.com/PyCQA/bandit",
  "tags": ["security", "static analysis", "linter", "code quality", "devsecops"],
  "install": [
    {"cmd": "pip install bandit", "lang": "bash", "label": "Core Installation"},
    {"cmd": "pip install bandit[toml]", "lang": "bash", "label": "With TOML configuration support (needed for pyproject.toml on Python versions without the built-in tomllib module)"},
    {"cmd": "pip install bandit[baseline]", "lang": "bash", "label": "With baseline report support"}
  ],
  "dependencies": [],
  "imports": [],
  "quickstart": {
    "code": "# Save this as vulnerable_app.py, then run: bandit vulnerable_app.py\nimport subprocess\n\n\ndef execute_command(command_str):\n    # B602: subprocess_popen_with_shell_equals_true\n    # Reported as High severity / High confidence because command_str is not a literal\n    subprocess.call(command_str, shell=True)\n\n\ndef process_user_input(user_input):\n    # B307: blacklisted call to eval\n    # Reported as Medium severity / High confidence\n    eval(user_input)\n\n\nif __name__ == \"__main__\":\n    # Write a second target so that `bandit -r .` has more than one file to report on.\n    # Bandit only parses this file; it never executes it.\n    print(\"Creating dummy_code.py for the Bandit scan.\")\n    with open(\"dummy_code.py\", \"w\") as f:\n        f.write(\"import os\\n\")\n        f.write(\"import subprocess\\n\")\n        f.write(\"command = os.environ.get('UNSAFE_COMMAND', 'ls -l')\\n\")\n        f.write(\"subprocess.call(command, shell=True)  # B602\\n\")\n\n    print(\"Now run Bandit from your terminal:\")\n    print(\"    bandit -r .\")\n    print(\"Or on a single file:\")\n    print(\"    bandit dummy_code.py\")\n    print(\"Report (and fail on) high-severity findings only:\")\n    print(\"    bandit -r . -lll\")\n    print(\"Remove dummy_code.py when you are done.\")\n",
    "lang": "python",
    "description": "Bandit is a command-line tool with no supported Python API, so the workflow is: write (or check out) the Python files, then point Bandit at them. This example file contains two deliberately vulnerable constructs (a shell=True subprocess call and an eval), writes a second file with a shell=True call, and prints the Bandit commands to run against them. Running it does not run Bandit; it only prepares the targets. Bandit exits non-zero when it reports any finding, which is what makes it usable as a CI gate."
  },
  "warnings": [
    {
      "fix": "Avoid `shell=True`. Pass the program and its arguments as a list (e.g. `subprocess.call(['ls', '-l'])`) so that no shell ever parses untrusted text. If a shell is genuinely required, quote every interpolated value with `shlex.quote()` rather than trying to sanitise the whole command string.",
      "message": "Calling `subprocess` functions with `shell=True` (e.g. `subprocess.call(command, shell=True)`) is reported as B602 (`subprocess_popen_with_shell_equals_true`). If the command string is built from untrusted input, it enables shell injection. Bandit reports High severity when the command is not a string literal and lowers the severity when it is.",
      "severity": "breaking",
      "affected_versions": "All versions"
    },
    {
      "fix": "Replace `assert` statements that enforce security-critical conditions with an explicit check that raises (e.g. `if not allowed: raise PermissionError(...)`). Keep `assert` for test code and internal invariants only; if B101 noise in test directories is a problem, skip the test there via configuration rather than globally.",
      "message": "The Python `assert` statement (B101, `assert_used`) must not be used for security-critical checks or to enforce interface constraints in production code. Asserts are removed when Python runs with optimisations enabled (`python -O` or `PYTHONOPTIMIZE`), so a control expressed as an assert silently disappears in such deployments.",
      "severity": "gotcha",
      "affected_versions": "All versions"
    },
    {
      "fix": "Review each reported issue. Suppress confirmed false positives or accepted risks with an inline `# nosec` comment; prefer naming the test ID (e.g. `# nosec B602`) so that only that finding is silenced on the line, and record the reason next to it. A bare `# nosec` suppresses every finding on that line.",
      "message": "Bandit can produce false positives and requires manual review of its findings. The severity and confidence levels in the output help prioritise them (for example, a High-severity, Low-confidence finding usually warrants a look before a Low/Low one), but human judgement is still necessary.",
      "severity": "gotcha",
      "affected_versions": "All versions"
    },
    {
      "fix": "Integrate Bandit into your CI/CD pipeline for full recursive scans on pull requests or merges. For local development, run it on the changed files only, restrict the report to higher severities (`bandit -r . -lll` reports only High-severity findings, so the run fails only on those), or compare against a saved JSON baseline (`bandit -r . -b baseline.json`) so that only new findings are reported.",
      "message": "Running Bandit recursively on large codebases can be time-consuming and disrupts the development workflow if it is wired in as a blocking pre-commit hook that scans the whole tree on every change.",
      "severity": "gotcha",
      "affected_versions": "All versions"
    },
    {
      "fix": "For YAML or TOML configuration, always pass the file explicitly: `bandit -c bandit.yaml -r .` or `bandit -c pyproject.toml -r .` (with settings under `[tool.bandit]`). Check that the path is correct; a missing or misnamed file means the scan silently runs with default settings.",
      "message": "Of the supported configuration files (`.bandit`, `bandit.yaml`, `pyproject.toml`), only the INI-format `.bandit` file in the scanned directory is discovered automatically when running `bandit -r`, and it supports only a small subset of options (targets, excludes, skipped and selected tests). YAML and TOML files must be specified with the `-c` flag.",
      "severity": "gotcha",
      "affected_versions": "All versions"
    }
  ],
  "env_vars": null,
  "last_verified": "2026-04-05T00:00:00.000Z",
  "next_check": "2026-07-04T00:00:00.000Z"
}