tessl/pypi-bandit

Security oriented static analyser for python code.

Command Line Tools

Bandit installs three console scripts: bandit, the scanner itself and the only one most CI pipelines need; bandit-config-generator, which writes a YAML configuration skeleton for bandit -c; and bandit-baseline, which wraps two bandit runs to report only what the current git commit introduced. The option summaries below cover the flags a practitioner reaches for; run each tool with -h for the authoritative list of the version you have installed.

Capabilities

bandit

Main security linter command for scanning Python code and generating security reports. It exits 1 when any issue survives the severity and confidence filters and 0 otherwise, so a CI step fails on findings unless --exit-zero is given.

bandit [options] targets...

Options:
  -r, --recursive         Find and process files in subdirectories
  -a {file,vuln}, --aggregate {file,vuln}
                          Aggregate output by vulnerability (default) or by filename
  -n CONTEXT_LINES, --number CONTEXT_LINES
                          Maximum number of code lines to output for each issue
  -c CONFIG_FILE, --configfile CONFIG_FILE
                          Optional config file to use for selecting plugins and overriding defaults
  -p PROFILE, --profile PROFILE
                          Profile to use, as defined in the config file (defaults to executing all tests)
  -t TESTS, --tests TESTS
                          Comma-separated list of test IDs to run
  -s SKIPS, --skip SKIPS
                          Comma-separated list of test IDs to skip
  -l, --level             Report only issues of a given severity level or higher
                          (-l for LOW, -ll for MEDIUM, -lll for HIGH)
  --severity-level {all,low,medium,high}
                          The same severity filter with a spelled-out value; mutually exclusive with -l
  -i, --confidence        Report only issues of a given confidence level or higher
                          (-i for LOW, -ii for MEDIUM, -iii for HIGH)
  --confidence-level {all,low,medium,high}
                          The same confidence filter with a spelled-out value; mutually exclusive with -i
  -f FORMAT, --format FORMAT
                          Output format: csv, custom, html, json, sarif, screen (default), txt, xml, yaml
  --msg-template MSG_TEMPLATE
                          Message template for the custom formatter; tags are {abspath}, {relpath},
                          {line}, {col}, {test_id}, {severity}, {confidence}, {msg} and {range}
  -o [OUTPUT_FILE], --output [OUTPUT_FILE]
                          Write report to filename
  -v, --verbose           Output extra information like excluded and included files
  -d, --debug             Turn on debug mode
  -q, --quiet, --silent   Only show output in the case of an error
  --ignore-nosec          Do not skip lines with # nosec comments
  -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                          Comma-separated list of paths (glob patterns supported) to exclude from the
                          scan, in addition to the excluded paths in the config file
                          (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
  -b BASELINE, --baseline BASELINE
                          Path of a baseline report to compare against (only JSON-formatted files are accepted)
  --ini INI_PATH          Path to a .bandit file that supplies command line arguments
  --exit-zero             Exit with 0, even with results found
  --version               Show the version and exit

Examples:
  bandit example.py                    # Scan single file
  bandit -r /path/to/project          # Scan directory recursively  
  bandit -f json -o report.json *.py  # JSON output to file
  bandit --severity-level high *.py   # High severity only
  bandit -x tests/ -r src/            # Exclude tests directory

bandit-config-generator

Writes a YAML configuration skeleton for use with bandit -c. The generated file carries a commented tests/skips selection (an empty tests list means run everything; skips removes tests regardless of whether tests names them) followed by the default settings of every plugin that has any, so it doubles as a reference for what can be overridden. Severity and confidence thresholds are command-line filters on bandit itself, not generator options.

bandit-config-generator [options]

Options:
  --show-defaults         Print the default settings of each plugin to stdout without writing a profile
  -o OUTPUT_FILE, --out OUTPUT_FILE
                          Output file to generate
  -t TESTS, --tests TESTS
                          Comma-separated list of test IDs to run
  -s SKIPS, --skip SKIPS
                          Comma-separated list of test IDs to skip

Examples:
  bandit-config-generator -o bandit.yaml              # Default config (all tests)
  bandit-config-generator --show-defaults             # Inspect plugin defaults only
  bandit-config-generator -s B101,B601 -o bandit.yaml # Skip B101 (assert_used) and B601 (paramiko_calls)
  bandit-config-generator -t B102,B608 -o bandit.yaml # Run only B102 (exec_used) and B608 (hardcoded_sql_expressions)

bandit-baseline

Reports only the issues introduced by the current git commit. It runs Bandit twice with the arguments you pass through: once on the parent of HEAD to produce a JSON baseline, then on HEAD with -b pointing at that baseline. Because it checks out each commit in turn, it must be run inside a git repository whose HEAD has a parent commit and whose working tree is clean; uncommitted changes are not scanned. To build a reusable baseline file by hand, use bandit -f json -o baseline.json instead (see Baseline Management below).

bandit-baseline [-f {txt,html,json}] [bandit options] targets...

Options:
  -f {txt,html,json}, --format {txt,html,json}
                          Report format; txt (default) is printed to stdout, html and json are
                          written to bandit_baseline_result.html / bandit_baseline_result.json

Any other options (-r, -c, -p, -x, -ll, --ignore-nosec, ...) are passed unchanged to both Bandit runs. Do not pass -o or -b; the tool manages those itself. The exit status is that of the final Bandit run, so 1 when new issues were found.

Examples:
  bandit-baseline -r src/                          # New issues in HEAD vs its parent, text on stdout
  bandit-baseline -r src/ -ll -f json              # Medium and above, written to bandit_baseline_result.json
  bandit-baseline -c bandit.yaml -r .              # Same comparison, driven by a config file

Usage Examples

Basic Security Scanning

# Scan a single Python file
bandit suspicious_code.py

# Scan entire project recursively
bandit -r /path/to/python/project

# Scan with verbose output showing excluded files
bandit -r src/ --verbose

# Scan files matched by shell globs (** needs `shopt -s globstar` in bash; -r on the directory is usually simpler)
bandit src/**/*.py tests/**/*.py

Output Format Options

# Generate JSON report
bandit -r src/ -f json -o security_report.json

# Generate HTML report for viewing in browser  
bandit -r src/ -f html -o security_report.html

# Generate SARIF for GitHub security tab
bandit -r src/ -f sarif -o bandit.sarif

# Generate CSV for spreadsheet analysis
bandit -r src/ -f csv -o issues.csv

# Custom template output (tags: abspath, relpath, line, col, test_id, severity, confidence, msg, range)
bandit -r src/ -f custom --msg-template "{relpath}:{line}: {test_id}: {msg}"

Filtering and Severity Control

# Only high-severity issues
bandit -r src/ --severity-level high

# High-confidence issues only
bandit -r src/ --confidence-level high  

# Combine severity and confidence filtering
bandit -r src/ --severity-level medium --confidence-level high

# Skip specific test types
bandit -r src/ --skip B101,B601,B404

# Run only specific tests
bandit -r src/ --tests B102,B608,B506

Configuration and Profiles

# Use custom configuration file
bandit -r src/ -c custom_bandit.yaml

# Use a profile defined under profiles: in that file (Bandit ships no built-in named profiles)
bandit -r src/ -c custom_bandit.yaml -p ShellInjection

# Generate configuration file
bandit-config-generator -o bandit.yaml

# Generate config with specific test selection
bandit-config-generator -t B101,B102,B601 -o security_tests.yaml

Baseline Management

A baseline is an ordinary JSON report. Scanning with -b suppresses every issue that already appears in it, so only findings introduced since the baseline was taken are reported (and only they drive the exit status). Regenerate the baseline after triage so that accepted findings stay suppressed and fixed ones drop out; a baseline in any format other than JSON is rejected.

# Create baseline from current codebase (must be JSON)
bandit -r src/ -f json -o baseline.json

# Scan against baseline (only new issues)
bandit -r src/ -b baseline.json

# Update baseline after fixing issues
bandit -r src/ -f json -o baseline.json

# Generate baseline with specific configuration
bandit -r src/ -c bandit.yaml -f json -o baseline.json

# Let bandit-baseline do both runs, comparing HEAD against its parent commit
bandit-baseline -r src/ -f json

Exclusion and Path Management

# Exclude specific directories
bandit -r . --exclude tests/,docs/,build/

# Exclude files matching patterns
bandit -r src/ --exclude "*/migrations/*,*/settings/*"

# Include specific paths only
bandit src/core/ src/utils/ src/api/

# Complex exclusion with recursive scanning (.git, __pycache__, .tox, .eggs and *.egg are
# excluded by default; -x adds to that list rather than replacing it)
bandit -r . --exclude tests/,venv/,node_modules/,.git/

CI/CD Integration Examples

# Jenkins/CI report-only stage: --exit-zero makes the step pass even when issues are found,
# so use it for an informational report, never for a gate
bandit -r src/ -f json -o bandit_report.json --exit-zero

# GitHub Actions with SARIF upload (the step fails on medium+ findings unless --exit-zero is added)
bandit -r . -f sarif -o bandit.sarif --severity-level medium

# GitLab CI with XML output for test reporting
bandit -r src/ -f xml -o bandit.xml

# Azure DevOps with baseline comparison (baseline.json produced earlier by bandit -f json)
bandit -r src/ -b baseline.json -f json -o new_issues.json
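The filtering, baseline and CI sections above all reduce to two rules: drop findings below a severity or confidence threshold, and drop findings already present in a baseline JSON report. The script below, added here as an example and not part of Bandit or of this page's original content, applies both rules to a `bandit -f json` report as a pipeline step and renders the survivors with the custom-formatter tag names. Its baseline matching rule (same filename, test_id, severity, confidence and issue text, line number ignored so that unrelated edits that shift code do not resurface accepted findings) is an assumption modelled on Bandit's behaviour, not a copy of its implementation; the sample report and baseline are constructed, not real scan output.

```python
"""CI gate over a Bandit JSON report: threshold filtering plus baseline diff.

Added example, not Bandit's own code. Reads the report that
`bandit -f json -o report.json` writes. The baseline match rule below
(filename, test_id, severity, confidence, issue text; line number ignored)
is this example's assumption, modelled on Bandit's -b behaviour.
"""
import json
import os
import sys
from collections import Counter

# Bandit's level ordering; "all" on a threshold disables that filter.
RANK = {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}


def meets_threshold(issue, min_severity="low", min_confidence="low"):
    """True when the issue is at or above both thresholds ("this level or higher")."""
    sev_ok = (min_severity == "all"
              or RANK[issue["issue_severity"]] >= RANK[min_severity.upper()])
    conf_ok = (min_confidence == "all"
               or RANK[issue["issue_confidence"]] >= RANK[min_confidence.upper()])
    return sev_ok and conf_ok


def issue_key(issue):
    """Identity used for baseline matching; deliberately excludes line_number."""
    return (issue["filename"], issue["test_id"], issue["issue_severity"],
            issue["issue_confidence"], issue["issue_text"])


def new_issues(report, baseline=None, min_severity="low", min_confidence="low"):
    """Issues in `report` that pass the thresholds and are absent from `baseline`.

    Matching is a multiset: two identical findings in one file are only both
    suppressed when the baseline also contains two of them.
    """
    known = Counter(issue_key(i) for i in (baseline or {}).get("results", []))
    remaining = []
    for issue in report.get("results", []):
        if not meets_threshold(issue, min_severity, min_confidence):
            continue
        key = issue_key(issue)
        if known[key] > 0:
            known[key] -= 1          # accepted finding carried over from the baseline
            continue
        remaining.append(issue)
    return remaining


def render(issue, template="{relpath}:{line}: {test_id}[bandit]: {severity}: {msg}"):
    """Render one issue using the tag names Bandit's custom formatter accepts."""
    return template.format(
        abspath=os.path.abspath(issue["filename"]), relpath=issue["filename"],
        line=issue["line_number"], col=issue.get("col_offset", 0),
        test_id=issue["test_id"], severity=issue["issue_severity"],
        confidence=issue["issue_confidence"], msg=issue["issue_text"],
        range=issue.get("line_range", [issue["line_number"]]))


def exit_status(issues):
    """Same convention as bandit itself: 1 when findings remain, else 0."""
    return 1 if issues else 0


def main(argv):
    # usage: gate.py report.json [baseline.json] [min_severity] [min_confidence]
    with open(argv[1]) as fh:
        report = json.load(fh)
    baseline = None
    if len(argv) > 2:
        with open(argv[2]) as fh:
            baseline = json.load(fh)
    min_sev = argv[3] if len(argv) > 3 else "low"
    min_conf = argv[4] if len(argv) > 4 else "low"
    issues = new_issues(report, baseline, min_sev, min_conf)
    for issue in issues:
        print(render(issue))
    return exit_status(issues)


# Constructed sample data in the shape Bandit's JSON formatter emits (not a real scan).
SAMPLE_BASELINE = {"results": [
    {"filename": "app/util.py", "test_id": "B404", "test_name": "blacklist",
     "issue_severity": "LOW", "issue_confidence": "HIGH", "line_number": 3, "col_offset": 0,
     "issue_text": "Consider possible security implications associated with the subprocess module."},
]}
SAMPLE_REPORT = {"results": [
    dict(SAMPLE_BASELINE["results"][0], line_number=7),   # same finding, moved four lines down
    {"filename": "app/util.py", "test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true",
     "issue_severity": "HIGH", "issue_confidence": "HIGH", "line_number": 12, "col_offset": 4,
     "issue_text": "subprocess call with shell=True identified, security issue."},
    {"filename": "app/views.py", "test_id": "B105", "test_name": "hardcoded_password_string",
     "issue_severity": "LOW", "issue_confidence": "MEDIUM", "line_number": 20, "col_offset": 4,
     "issue_text": "Possible hardcoded password: 'changeme'"},
]}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py report.json baseline.json medium high` after `bandit -r src/ -f json -o report.json`; the moved B404 is matched against the baseline and only B602 survives both thresholds, so the step exits 1. Keeping the gate separate from the scan lets one report feed both a SARIF upload and a pass/fail decision without rescanning.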

Advanced Usage Patterns

# Quiet mode for automation (only errors)
bandit -r src/ --quiet -f json -o report.json

# Debug mode for troubleshooting
bandit -r src/ --debug --verbose

# Ignore nosec comments (scan everything)
bandit -r src/ --ignore-nosec

# Limit code context lines in output
bandit -r src/ -n 1 -f txt

# Aggregate by vulnerability type (the default; -a file groups findings by filename instead)
bandit -r src/ -a vuln -f json

# Custom message template for integration
bandit -r src/ -f custom --msg-template "{line}: {severity} - {msg}"

Configuration File Generation

# Generate basic configuration (YAML for bandit -c; a .bandit file is INI-style and is read via --ini, not this format)
bandit-config-generator -o bandit.yaml

# Generate with a skip list (severity and confidence thresholds are bandit command-line
# filters such as -ll and --confidence-level high, not config-generator options)
bandit-config-generator \
  --skip B101,B404 \
  --out bandit.yaml

# Print every plugin's default settings without writing a file
bandit-config-generator --show-defaults

Integration with Version Control

# Pre-commit hook usage (report only: with --exit-zero the hook can never block the commit)
bandit --exit-zero -r src/ -f txt

# Git hook for files changed by the last commit (xargs -r skips bandit entirely when no .py files
# changed, since bandit with no targets exits with a usage error)
git diff --name-only --diff-filter=ACM HEAD~1 HEAD | grep '\.py$' | xargs -r bandit

# Scan only staged files
git diff --cached --name-only --diff-filter=ACM | grep '\.py$' | xargs -r bandit
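A hook that scans only what is about to be committed, as an added example; it is not Bandit's own code and not from the original page. It assumes `git` and `bandit` are on PATH and that it is started from the repository root (pre-commit frameworks do this), and it avoids two traps in the one-liners above: invoking bandit with an empty target list when no Python files are staged, and splitting paths that contain spaces. The blocking severity is expressed with Bandit's own -l/-ll/-lll flag so that bandit's exit status can be used directly as the hook result.

```python
"""Pre-commit hook: run Bandit on staged .py files only.

Added example (not part of Bandit). Assumes `git` and `bandit` on PATH
and execution from the repository root.
"""
import subprocess
import sys


def staged_python_files(name_list):
    """Parse the NUL-separated bytes from `git diff --cached --name-only -z`
    and keep the .py entries; empty input yields an empty list."""
    return [
        name.decode("utf-8")
        for name in name_list.split(b"\0")
        if name and name.endswith(b".py")
    ]


def git_staged_names():
    # -z: NUL-separated so paths with spaces or newlines survive intact
    # --diff-filter=ACM: added, copied, modified; deleted files have nothing to scan
    return subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True,
    ).stdout


def bandit_command(files, min_severity="medium"):
    """Build the bandit argv; the threshold uses the -l/-ll/-lll convention."""
    level = {"low": "-l", "medium": "-ll", "high": "-lll"}[min_severity]
    # -q: print nothing unless findings remain, which keeps hook output readable
    return ["bandit", "-q", level] + list(files)


def main():
    files = staged_python_files(git_staged_names())
    if not files:
        return 0  # nothing to scan; never call bandit with no targets
    # bandit exits 1 when issues at or above the threshold remain, 0 otherwise,
    # and a non-zero hook exit aborts the commit
    return subprocess.run(bandit_command(files)).returncode


if __name__ == "__main__":
    sys.exit(main())
```

Findings below the chosen threshold are still visible later in a full `bandit -r` run; the hook only blocks on what the team has agreed must not be committed, which keeps developers from reaching for `--exit-zero` or blanket `# nosec` comments to get past it.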
