# Command Line Tools

Three CLI utilities for security scanning, configuration management, and baseline handling in development and CI/CD environments. Together they give command-line access to Bandit's security analysis capabilities.

## Capabilities

### bandit

Main security linter command for scanning Python code and generating security reports.

```bash { .api }
bandit [options] targets...

Options:
  -r, --recursive       Find and process files in subdirectories
  -a AGGREGATE, --aggregate AGGREGATE
                        Aggregate output by vulnerability (default) or by filename
  -f FORMAT, --format FORMAT
                        Output format (json, csv, custom, html, txt, xml, yaml, sarif, screen)
  -o OUTPUT, --output OUTPUT
                        Write report to filename
  -l, --level           Report only issues of a given severity level or higher
                        (-l for LOW, -ll for MEDIUM, -lll for HIGH)
  -i, --confidence      Report only issues of a given confidence level or higher
                        (-i for LOW, -ii for MEDIUM, -iii for HIGH)
  -c CONFIG_FILE, --config CONFIG_FILE
                        Optional config file to use for selecting plugins and overriding defaults
  -p PROFILE, --profile PROFILE
                        Profile to use (defaults to all tests)
  -t TESTS, --tests TESTS
                        Comma-separated list of test IDs to run
  -s SKIPS, --skip SKIPS
                        Comma-separated list of test IDs to skip
  -x EXCLUDE_PATHS, --exclude EXCLUDE_PATHS
                        Comma-separated list of paths to exclude from scan
  --ignore-nosec        Do not skip lines with # nosec comments
  -b BASELINE, --baseline BASELINE
                        Path to baseline report (only report new issues)
  --msg-template TEMPLATE
                        Specify output message template for custom formatter
  -n CONTEXT_LINES, --number CONTEXT_LINES
                        Maximum number of code lines to output for each issue
  -v, --verbose         Output extra information like excluded and included files
  --debug               Turn on debug mode
  -q, --quiet           Only show output in the case of an error
  --exit-zero           Exit with 0, even with results found
  --severity-level {all,low,medium,high}
                        Report only issues of a given severity level or higher
  --confidence-level {all,low,medium,high}
                        Report only issues of a given confidence level or higher

Examples:
  bandit example.py                      # Scan single file
  bandit -r /path/to/project             # Scan directory recursively
  bandit -f json -o report.json *.py     # JSON output to file
  bandit --severity-level high *.py      # High severity only
  bandit -x tests/ -r src/               # Exclude tests directory
```

### bandit-config-generator

Generate Bandit configuration files with customized test profiles and settings.

```bash { .api }
bandit-config-generator [options]

Options:
  -o OUTPUT, --output OUTPUT
                        Output file for generated config (default: stdout)
  --severity-level {all,low,medium,high}
                        Set minimum severity level in config
  --confidence-level {all,low,medium,high}
                        Set minimum confidence level in config
  -t TESTS, --tests TESTS
                        Comma-separated list of test IDs to include
  -s SKIPS, --skip SKIPS
                        Comma-separated list of test IDs to exclude
  -p PROFILE, --profile PROFILE
                        Base profile for configuration generation

Examples:
  bandit-config-generator                          # Generate default config
  bandit-config-generator -o bandit.yaml           # Save to file
  bandit-config-generator --severity-level high    # High severity tests only
  bandit-config-generator -s B101,B601             # Skip specific tests
```

### bandit-baseline

Create and manage security baselines for tracking new issues over time.

```bash { .api }
bandit-baseline [options] targets...

Options:
  -r, --recursive       Find and process files in subdirectories
  -a AGGREGATE, --aggregate AGGREGATE
                        Aggregate output by vulnerability (default) or by filename
  -c CONFIG_FILE, --config CONFIG_FILE
                        Optional config file to use
  -p PROFILE, --profile PROFILE
                        Profile to use (defaults to all tests)
  -o OUTPUT, --output OUTPUT
                        Write baseline to filename (required)
  -x EXCLUDE_PATHS, --exclude EXCLUDE_PATHS
                        Comma-separated list of paths to exclude
  --ignore-nosec        Do not skip lines with # nosec comments
  -v, --verbose         Output extra information
  --debug               Turn on debug mode
  -q, --quiet           Only show output in case of error

Examples:
  bandit-baseline -r src/ -o baseline.json                       # Create baseline
  bandit-baseline --config bandit.yaml -r . -o baseline.json     # With config
```

## Usage Examples

### Basic Security Scanning

```bash
# Scan a single Python file
bandit suspicious_code.py

# Scan entire project recursively
bandit -r /path/to/python/project

# Scan with verbose output showing excluded files
bandit -r src/ --verbose

# Scan specific files with glob patterns
# (the ** pattern needs `shopt -s globstar` in bash; otherwise use -r)
bandit src/**/*.py tests/**/*.py
```

### Output Format Options

```bash
# Generate JSON report
bandit -r src/ -f json -o security_report.json

# Generate HTML report for viewing in browser
bandit -r src/ -f html -o security_report.html

# Generate SARIF for GitHub security tab
bandit -r src/ -f sarif -o bandit.sarif

# Generate CSV for spreadsheet analysis
bandit -r src/ -f csv -o issues.csv

# Custom template output
bandit -r src/ -f custom --msg-template "File: (unknown), Issue: {msg}"
```

### Filtering and Severity Control

```bash
# Only high-severity issues
bandit -r src/ --severity-level high

# High-confidence issues only
bandit -r src/ --confidence-level high

# Combine severity and confidence filtering
bandit -r src/ --severity-level medium --confidence-level high

# Skip specific test types
bandit -r src/ --skip B101,B601,B404

# Run only specific tests
bandit -r src/ --tests B102,B608,B506
```

### Configuration and Profiles

```bash
# Use custom configuration file
bandit -r src/ --config custom_bandit.yaml

# Use built-in profile
bandit -r src/ --profile django

# Generate configuration file
bandit-config-generator --output bandit.yaml

# Generate config with specific test selection
bandit-config-generator --tests B101,B102,B601 --output security_tests.yaml
```

### Baseline Management

```bash
# Create baseline from current codebase
bandit-baseline -r src/ -o current_baseline.json

# Scan against baseline (only new issues)
bandit -r src/ --baseline current_baseline.json

# Update baseline after fixing issues
bandit-baseline -r src/ -o updated_baseline.json

# Generate baseline with specific configuration
bandit-baseline -r src/ --config bandit.yaml -o baseline.json
```

### Exclusion and Path Management

```bash
# Exclude specific directories
bandit -r . --exclude tests/,docs/,build/

# Exclude files matching patterns
bandit -r src/ --exclude "*/migrations/*,*/settings/*"

# Include specific paths only
bandit src/core/ src/utils/ src/api/

# Complex exclusion with recursive scanning
bandit -r . --exclude tests/,venv/,node_modules/,.git/
```

### CI/CD Integration Examples

```bash
# Jenkins/CI usage with exit codes
bandit -r src/ -f json -o bandit_report.json --exit-zero

# GitHub Actions with SARIF upload
bandit -r . -f sarif -o bandit.sarif --severity-level medium

# GitLab CI with XML output for test reporting
bandit -r src/ -f xml -o bandit.xml

# Azure DevOps with baseline comparison
bandit -r src/ --baseline baseline.json -f json -o new_issues.json
```
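The CI commands above write a JSON report (with `--exit-zero`, or a `--baseline` run that lists only new issues) and leave the pass/fail decision to the pipeline. The following gate script is an added example, not Bandit's own code: it reads that report, applies the same severity and confidence floors as `--severity-level` / `--confidence-level` from the Filtering section, and returns a non-zero status for CI. It assumes the `results` / `errors` layout of Bandit's JSON formatter; the embedded report is constructed sample data.

```python
"""CI gate over a Bandit JSON report (added example, not Bandit's own code).
Reads the file from `bandit -f json -o report.json` (or a `--baseline` run)
and fails when any finding meets both a severity and a confidence floor."""
import json
import sys

LEVELS = {"low": 1, "medium": 2, "high": 3}  # Bandit's level names, ranked

# Constructed sample in the shape of Bandit's JSON "results" entries.
SAMPLE_REPORT = {"errors": [], "results": [
    {"filename": "src/app.py", "line_number": 12, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified"},
    {"filename": "src/util.py", "line_number": 3, "test_id": "B101",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Use of assert detected"},
    {"filename": "src/db.py", "line_number": 40, "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector"},
]}


def blocking_issues(report, min_severity="medium", min_confidence="medium"):
    """Results at or above both floors, highest severity first."""
    sev_floor = LEVELS[min_severity.lower()]
    conf_floor = LEVELS[min_confidence.lower()]
    hits = [r for r in report.get("results", [])
            if LEVELS.get(r["issue_severity"].lower(), 0) >= sev_floor
            and LEVELS.get(r["issue_confidence"].lower(), 0) >= conf_floor]
    return sorted(hits, key=lambda r: -LEVELS[r["issue_severity"].lower()])


def gate(report, min_severity="medium", min_confidence="medium"):
    """CI exit status: 1 on blocking findings or scan errors, else 0.
    Unlike --exit-zero, a file Bandit could not parse fails the run."""
    if report.get("errors"):
        return 1
    return 1 if blocking_issues(report, min_severity, min_confidence) else 0


def main(argv):
    """Usage: gate.py [report.json] [min_severity] [min_confidence]"""
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    for r in blocking_issues(report, *argv[2:4]):
        print(f"{r['filename']}:{r['line_number']} {r['test_id']} "
              f"{r['issue_severity']}/{r['issue_confidence']} {r['issue_text']}")
    return gate(report, *argv[2:4])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py bandit_report.json medium high` after the scan step; with no arguments it evaluates the embedded sample and exits 1 because of the HIGH/HIGH B602 finding.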

### Advanced Usage Patterns

```bash
# Quiet mode for automation (only errors)
bandit -r src/ --quiet -f json -o report.json

# Debug mode for troubleshooting
bandit -r src/ --debug --verbose

# Ignore nosec comments (scan everything)
bandit -r src/ --ignore-nosec

# Limit code context lines in output
bandit -r src/ -n 1 -f txt

# Aggregate by vulnerability type instead of file
bandit -r src/ --aggregate vuln -f json

# Custom message template for integration
bandit -r src/ -f custom --msg-template "{line}: {severity} - {msg}"
```

### Configuration File Generation

```bash
# Generate basic configuration
bandit-config-generator > .bandit

# Generate with specific settings
bandit-config-generator \
    --severity-level medium \
    --confidence-level high \
    --skip B101,B404 \
    --output bandit.yaml

# Generate profile-based configuration
bandit-config-generator --profile flask --output flask_security.yaml
```

### Integration with Version Control

```bash
# Pre-commit hook usage
bandit --exit-zero -r src/ -f txt

# Git hook for new changes only
git diff --name-only HEAD~1 HEAD | grep '\.py$' | xargs bandit

# Scan only staged files
git diff --cached --name-only --diff-filter=ACM | grep '\.py$' | xargs bandit
```