Bandit

1.9.4 · active · verified Sun Apr 05

Bandit is an open-source security-oriented static analyser for Python code, designed to find common security issues early in the development lifecycle. It processes each file, builds an Abstract Syntax Tree (AST) from it, and runs a set of security-focused plugins against the AST nodes, generating reports with severity and confidence levels. Maintained by the PyCQA community, Bandit is currently at version 1.9.4 and requires Python >=3.10. Its release cadence focuses on compatibility updates and rule maintenance, indicating a stable and actively supported utility.

Warnings

breaking Using `subprocess` calls with `shell=True` (e.g., `subprocess.call(command, shell=True)`) is a major security vulnerability (B602) if the `command` string is derived from untrusted input, as it enables shell injection attacks.
Fix: Avoid `shell=True`. Instead, pass commands and arguments as a list (e.g., `subprocess.call(['ls', '-l'])`). If `shell=True` is unavoidable, ensure all user-supplied input is rigorously sanitized.
gotcha The Python `assert` statement (B101) should not be used for security-critical checks or enforcing interface constraints in production code. Asserts are removed when Python is run with optimizations (`python -O`), which can bypass security controls.
Fix: Replace `assert` statements used for critical logic with proper exception handling (e.g., `raise ValueError(...)` or `raise AssertionError(...)`).
gotcha Bandit can produce false positives, requiring manual review of reported issues. The tool's output provides severity and confidence levels to help prioritize findings, but human judgment is still necessary.
Fix: Review each reported issue carefully. Use inline comments like `# nosec` to suppress specific findings that are confirmed false positives or acceptable risks, documenting the reason for suppression.
gotcha Running Bandit recursively on large codebases can be time-consuming and impact development workflow if integrated as a blocking pre-commit hook for every change.
Fix: Integrate Bandit into your CI/CD pipeline for comprehensive scans on pull requests or merges. For local development, consider running it less frequently, targeting specific files, or configuring it to only fail on high-severity issues.
gotcha When using configuration files (`.bandit`, `bandit.yaml`, `pyproject.toml`), only `.bandit` (INI format) is automatically discovered when running `bandit -r`. For YAML or TOML files, you must explicitly specify them using the `-c` flag.
Fix: For YAML or TOML configurations, always run Bandit with `bandit -c your_config.yaml -r .` or `bandit -c pyproject.toml -r .`. Ensure the configuration file path is correct.

Install

pip install bandit Core Installation
pip install bandit[toml] With TOML configuration support
pip install bandit[baseline] With baseline report support

Quickstart

Bandit is primarily a command-line tool. To quickly scan your code for security issues, you first create a Python file, and then run Bandit against it. This example creates a dummy file with common vulnerabilities and instructs on how to run Bandit.

# Save this as vulnerable_app.py
import os
import subprocess

def execute_command(command_str):
    # B602: subprocess_popen_with_shell_equals_true - High severity, high confidence
    subprocess.call(command_str, shell=True) 

def process_user_input(user_input):
    # B307: eval - High severity, high confidence
    eval(user_input)

if __name__ == "__main__":
    print("Creating a dummy vulnerable file for Bandit scan.")
    with open("dummy_code.py", "w") as f:
        f.write("import subprocess\n")
        f.write("command = os.environ.get('UNSAFE_COMMAND', 'ls -l')\n")
        f.write("subprocess.call(command, shell=True)\n")

    print("Now run Bandit from your terminal:")
    print("bandit -r .\n")
    print("Or specifically on the dummy file:")
    print("bandit dummy_code.py\n")
    print("Example output will show security issues like B602.")

# To clean up after running:
# os.remove("dummy_code.py")

view raw JSON →