Security oriented static analyser for python code.
npx @tessl/cli install tessl/pypi-bandit@1.8.0

A security-oriented static analysis tool designed to find common security issues in Python code. Bandit processes AST representations of Python source code and runs security-focused plugins against AST nodes to identify potential vulnerabilities, including hardcoded passwords, SQL injection, shell injection, and weak cryptographic implementations.
pip install bandit
pip install bandit[yaml,toml,baseline,sarif] (for additional features)

import bandit
from bandit.core import manager, config, context, issue

For CLI usage:
from bandit.cli import main

For programmatic usage:
from bandit.core.manager import BanditManager
from bandit.core.config import BanditConfig

# Scan a single file
bandit example.py
# Scan a directory recursively (-r); without it only the listed paths are scanned
bandit -r /path/to/project
# Generate JSON report: -f selects the formatter, -o the output file
bandit -r /path/to/project -f json -o report.json
# Exclude specific tests by ID. This disables them for the whole scan, so keep the
# skip list reviewed rather than letting it grow into a permanent allowlist.
bandit -r /path/to/project --skip B101,B601
# Use baseline to ignore existing issues: bandit-baseline records the current
# findings, and a later scan with -b reports only findings not already in it.
# The baseline file is therefore an accepted-risk list; review changes to it
# with the same care as code changes.
bandit-baseline -r /path/to/project -o baseline.json
bandit -r /path/to/project -b baseline.json

from bandit.core import manager, config
# Default configuration; BanditConfig(config_file=...) loads a YAML file instead.
conf = config.BanditConfig()

# 'file' is the aggregation type. BanditManager also accepts ignore_nosec=True,
# which reports findings that inline nosec markers would otherwise suppress;
# useful for an audit pass where suppressions themselves are under review.
b_mgr = manager.BanditManager(conf, 'file')

# Collect the targets, then run every loaded test against them.
targets = ['/path/to/code']
b_mgr.discover_files(targets)
b_mgr.run_tests()

# Only findings that pass both thresholds are returned.
filters = dict(sev_level='MEDIUM', conf_level='HIGH')
issues = b_mgr.get_issue_list(**filters)

# One line per finding: file, line number, and the test's message.
for issue in issues:
    print(f"{issue.fname}:{issue.lineno} - {issue.text}")

Bandit's plugin-based architecture enables extensible security analysis:
- BanditManager, which coordinates the scanning workflow
- BanditConfig
- Context
- Issue and Cwe

Central scanning orchestration and configuration management. The BanditManager coordinates file discovery, test execution, and result filtering, while BanditConfig handles YAML configuration files and scanning profiles.
class BanditManager:
    """Coordinate a scan: file discovery, test execution, and result filtering.

    ``config`` is a BanditConfig; ``agg_type`` is the aggregation type (the
    programmatic example on this page passes 'file'). ``profile`` selects a
    scanning profile. ``ignore_nosec=True`` makes the scan report findings that
    inline nosec markers would otherwise suppress.
    """

    def __init__(self, config, agg_type, debug=False, verbose=False, quiet=False, profile=None, ignore_nosec=False): ...

    def discover_files(self, targets, recursive=False):
        """Collect the files to scan from ``targets``; ``recursive`` is off by default (presumably the programmatic counterpart of the CLI's -r)."""
        ...

    def run_tests(self):
        """Run the loaded security tests against the discovered files."""
        ...

    def get_issue_list(self, sev_level='LOW', conf_level='LOW'):
        """Return the issues that pass the ``sev_level`` / ``conf_level`` filters (both default to 'LOW', i.e. nearly everything)."""
        ...
class BanditConfig:
    """Scanning configuration and profiles, loaded from a YAML ``config_file`` when one is given."""

    def __init__(self, config_file=None): ...

    def get_option(self, option_string):
        """Look up a configuration option by name (``option_string``)."""
        ...

    def get_setting(self, setting_name):
        """Look up a setting by name; how options and settings differ is not shown on this page."""
        ...

Comprehensive security issue representation with Common Weakness Enumeration (CWE) support. Issues include severity levels, confidence ratings, source code context, and structured metadata for integration with security tools.
class Issue:
    """One finding: severity, confidence, CWE, message, location, and the ID of the test that raised it.

    ``severity`` / ``confidence`` take the level names (HIGH, MEDIUM, LOW,
    UNDEFINED); ``cwe`` defaults to 0 (no CWE); ``test_id`` is the B-numbered
    plugin ID; ``col_offset`` / ``end_col_offset`` default to -1 / 0,
    presumably meaning "unknown".
    """

    def __init__(self, severity, cwe=0, confidence='UNDEFINED', text="", ident=None, lineno=None, test_id="", col_offset=-1, end_col_offset=0): ...

    def filter(self, severity, confidence):
        """Return whether the issue passes the given severity and confidence levels (presumably compared by rank; confirm against RANKING_VALUES)."""
        ...

    def get_code(self, max_lines=3, tabbed=False):
        """Return the source context around the finding, at most ``max_lines`` lines; ``tabbed`` selects the tab-separated form."""
        ...

    def as_dict(self, with_code=True, max_lines=3):
        """Return the issue as a plain dict for reports; ``with_code`` includes the source context from get_code."""
        ...
class Cwe:
    """A Common Weakness Enumeration reference attached to an Issue; ``id`` defaults to 999 (a placeholder when no CWE is mapped)."""

    def __init__(self, id=999): ...

    def link(self):
        """Return the reference link for this CWE ID (presumably the MITRE entry URL; confirm)."""
        ...

    def as_dict(self):
        """Return the CWE as a plain dict for reports."""
        ...

AST node analysis and import tracking during security test execution. Context provides access to function call information, string literals, and module import patterns essential for accurate vulnerability detection.
class Context:
    """The AST node a test is inspecting, plus import tracking for its module.

    ``context_object`` is the raw per-node context; its exact shape is not
    shown on this page.
    """

    def __init__(self, context_object=None): ...

    @property
    def call_function_name(self):
        """Bare name of the function called at this node (meaningful for call nodes only)."""
        ...

    @property
    def call_function_name_qual(self):
        """Qualified name of the called function, presumably with import aliases resolved (see get_call_name)."""
        ...

    @property
    def call_args(self):
        """Positional arguments of the call at this node."""
        ...

    @property
    def call_keywords(self):
        """Keyword arguments of the call at this node."""
        ...

    def is_module_being_imported(self, module):
        """Return whether this node imports ``module``."""
        ...

Framework for creating custom security tests using decorators and the plugin registration system. Supports AST node type filtering, configuration integration, and test identification.
def checks(*args):
    """Decorator restricting a plugin test to the given AST node types (``*args`` are presumably node type names such as 'Call')."""
    ...
def test_id(id_val):
    """Decorator assigning the test its identifier (the B-numbered ID used by --skip and reported on each Issue)."""
    ...
def takes_config(name=None):
    """Decorator declaring that the test reads a configuration section; ``name`` overrides the section name (None presumably means the test's own name)."""
    ...
def accepts_baseline(*args):
    """Decorator marking a plugin as baseline-aware (presumably a formatter that can render baseline comparison output; confirm)."""
    ...

Multiple report formats for different use cases and CI/CD integration. Formatters support severity filtering, confidence thresholds, and baseline comparison for security reporting workflows.
def report(manager, fileobj, sev_level, conf_level, lines):
    """Formatter entry point: write ``manager``'s issues that pass ``sev_level`` / ``conf_level`` to ``fileobj``; ``lines`` is the amount of source context per finding (presumably; confirm)."""
    ...

Available formatters: JSON, XML, HTML, SARIF, CSV, YAML, screen, custom template-based
Three CLI utilities for security scanning, configuration management, and baseline handling in development and CI/CD environments.
bandit [options] targets...            # run a scan; targets are files or directories
bandit-config-generator [options]      # write a configuration file for bandit
bandit-baseline [options] targets...   # record current findings for later use with bandit -b

Plugin system management for loading and validating security tests, formatters, and blacklist handlers. Provides centralized plugin registry and validation.
class Manager:
    """Plugin registry: loads formatters, security tests, and blacklist handlers from the given namespaces (presumably entry-point groups; confirm)."""

    def __init__(self, formatters_namespace="bandit.formatters", plugins_namespace="bandit.plugins", blacklists_namespace="bandit.blacklists"): ...

    def load_formatters(self, formatters_namespace):
        """Load the report formatters registered under ``formatters_namespace``."""
        ...

    def load_plugins(self, plugins_namespace):
        """Load the security test plugins registered under ``plugins_namespace``."""
        ...

    def validate_profile(self, profile):
        """Check a scanning profile against the loaded plugins (e.g. that every test it names exists)."""
        ...

    def get_plugin_by_id(self, plugin_id):
        """Return the loaded plugin with the given B-numbered ID."""
        ...
# Global plugin manager instance, presumably a Manager built with the default
# namespaces above; the bandit entry points use this one rather than creating
# their own.
MANAGER = ... # Available from bandit.core.extension_loader

AST analysis and code inspection utilities for security test development and advanced usage.
def get_call_name(node, aliases):
    """Extract function call name with alias resolution: ``aliases`` presumably maps imported/aliased names back to their real module paths."""
    ...
def get_func_name(node):
    """Get the function name from an AST node, without alias resolution (compare get_call_name)."""
    ...
def get_qual_attr(node, aliases):
    """Get the qualified (dotted) attribute name for ``node``, resolving import aliases via ``aliases``."""
    ...
def deepgetattr(obj, attr):
    """Deep attribute access with dot notation: ``attr`` like "a.b.c" is resolved one segment at a time from ``obj``."""
    ...
def check_ast_node(node_type):
    """Validate an AST node type name (presumably that ``node_type`` names a class in the ast module; confirm)."""
    ...

# Severity and confidence levels
# Level names shared by the severity and confidence scales.
HIGH = "HIGH"
MEDIUM = "MEDIUM"
LOW = "LOW"
UNDEFINED = "UNDEFINED"

# Numeric rank of each level, used when filtering by sev_level / conf_level.
# The gaps are deliberate headroom; only the ordering UNDEFINED < LOW < MEDIUM < HIGH matters.
RANKING_VALUES = {UNDEFINED: 1, LOW: 3, MEDIUM: 5, HIGH: 10}

# Directory and file patterns skipped during file discovery: VCS metadata,
# caches and build artefacts. Anything else under a target is scanned.
EXCLUDE = (
    ".svn",
    "CVS",
    ".bzr",
    ".hg",
    ".git",
    "__pycache__",
    ".tox",
    ".eggs",
    "*.egg",
)

# Literals a plugin treats as "false" when reasoning about static values.
# Note the string "False" is included alongside the bool and the numeric zeros.
FALSE_VALUES = [None, False, "False", 0, 0.0, 0j, "", (), [], {}]

# Confidence used when a plugin does not set one (matches Issue's default).
CONFIDENCE_DEFAULT = UNDEFINED