flake8-bandit

Warnings

• gotcha flake8-bandit uses a dedicated `.bandit` configuration file for fine-grained control over which security tests to include or exclude. This configuration is separate from Flake8's general configuration files (e.g., `.flake8`, `setup.cfg`).
  Fix: Create or modify a `.bandit` file in your project root to customize Bandit's behavior, for example: ```ini [bandit] exclude = /tests,/docs tests = S101,S102 ```
• gotcha flake8-bandit reports security issues using error codes prefixed with 'S' (e.g., S101, S501). Users familiar with Bandit's native output (which uses 'B' prefixes) or other Flake8 plugins might need to adjust their `ignore` or `per-file-ignores` rules in Flake8's configuration to match the 'S' prefix.
  Fix: When ignoring or selecting specific security rules, always refer to them with the 'S' prefix in your `.flake8`, `setup.cfg`, or `pyproject.toml` configuration (e.g., `ignore = S101`).

Install

• pip install flake8-bandit Install stable version

Quickstart

Install flake8-bandit and then simply run the `flake8` command on your Python project. flake8-bandit automatically registers itself and runs Bandit's security checks. You can configure specific Bandit tests using a `.bandit` configuration file in your project root.

# Install flake8-bandit (flake8 and bandit will be installed as dependencies)
pip install flake8-bandit

# Run flake8-bandit on your project (it integrates automatically with flake8)
# Example: Create a file named 'insecure_code.py'
# with content: 'import subprocess; subprocess.call("ls", shell=True)'
# Then run: flake8 insecure_code.py

# Expected output for the insecure_code.py example:
# insecure_code.py:1:22: S602 Use of subprocess.call with shell=True is insecure. Consider using subprocess.run with shell=False. (subprocess-run-with-shell-equals-true)