Skip to content

bandit

GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

bandit checks for security risks

If you find it too harsh, you may define PYTHON_BANDIT_DISABLE_ERRORS: true in your .mega-linter.yml config file

bandit documentation

bandit - GitHub

Configuration in MegaLinter

Variable Description Default value
PYTHON_BANDIT_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
PYTHON_BANDIT_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
PYTHON_BANDIT_FILTER_REGEX_INCLUDE Custom regex including filter
Ex: (src\|lib)
Include every file
PYTHON_BANDIT_FILTER_REGEX_EXCLUDE Custom regex excluding filter
Ex: (test\|examples)
Exclude no file
PYTHON_BANDIT_CLI_LINT_MODE Override default CLI lint mode
- file: Calls the linter for each file
- list_of_files: Call the linter with the list of files as argument
- project: Call the linter from the root of the project
list_of_files
PYTHON_BANDIT_FILE_EXTENSIONS Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files
Ex: [".py", ""]
[".py"]
PYTHON_BANDIT_FILE_NAMES_REGEX File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files
Ex: ["Dockerfile(-.+)?", "Jenkinsfile"]
Include every file
PYTHON_BANDIT_PRE_COMMANDS List of bash commands to run before the linter None
PYTHON_BANDIT_POST_COMMANDS List of bash commands to run after the linter None
PYTHON_BANDIT_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling PYTHON_BANDIT and its pre/post commands None
PYTHON_BANDIT_CONFIG_FILE bandit configuration file nameUse LINTER_DEFAULT to let the linter find it .bandit.yml
PYTHON_BANDIT_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
PYTHON_BANDIT_DISABLE_ERRORS Run linter but consider errors as warnings false
PYTHON_BANDIT_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
PYTHON_BANDIT_CLI_EXECUTABLE Override CLI executable ['bandit']

IDE Integration

Use bandit in your favorite IDE to catch errors before MegaLinter !

IDE Extension Name Install
Atom bandit-lint Visit Web Site
Sublime Text SublimeLinter-bandit Visit Web Site
Visual Studio Code Native Support Visit Web Site

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 121 Docker Image Size (tag) Docker Pulls
python Optimized for PYTHON based projects 62 Docker Image Size (tag) Docker Pulls
security Optimized for security 24 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • File extensions: .py

How the linting is performed

  • bandit is called once with the list of files as arguments (list_of_files CLI lint mode)

Example calls

bandit myfile.py
bandit --configfile .bandit.yml myfile.py

Help content

usage: bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]
              [-p PROFILE] [-t TESTS] [-s SKIPS]
              [-l | --severity-level {all,low,medium,high}]
              [-i | --confidence-level {all,low,medium,high}]
              [-f {csv,custom,html,json,sarif,sarif,screen,txt,xml,yaml}]
              [--msg-template MSG_TEMPLATE] [-o [OUTPUT_FILE]] [-v] [-d] [-q]
              [--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE]
              [--ini INI_PATH] [--exit-zero] [--version]
              [targets ...]

Bandit - a Python source code security analyzer

positional arguments:
  targets               source file(s) or directory(s) to be tested

options:
  -h, --help            show this help message and exit
  -r, --recursive       find and process files in subdirectories
  -a {file,vuln}, --aggregate {file,vuln}
                        aggregate output by vulnerability (default) or by
                        filename
  -n CONTEXT_LINES, --number CONTEXT_LINES
                        maximum number of code lines to output for each issue
  -c CONFIG_FILE, --configfile CONFIG_FILE
                        optional config file to use for selecting plugins and
                        overriding defaults
  -p PROFILE, --profile PROFILE
                        profile to use (defaults to executing all tests)
  -t TESTS, --tests TESTS
                        comma-separated list of test IDs to run
  -s SKIPS, --skip SKIPS
                        comma-separated list of test IDs to skip
  -l, --level           report only issues of a given severity level or higher
                        (-l for LOW, -ll for MEDIUM, -lll for HIGH)
  --severity-level {all,low,medium,high}
                        report only issues of a given severity level or
                        higher. "all" and "low" are likely to produce the same
                        results, but it is possible for rules to be undefined
                        which will not be listed in "low".
  -i, --confidence      report only issues of a given confidence level or
                        higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
  --confidence-level {all,low,medium,high}
                        report only issues of a given confidence level or
                        higher. "all" and "low" are likely to produce the same
                        results, but it is possible for rules to be undefined
                        which will not be listed in "low".
  -f {csv,custom,html,json,sarif,sarif,screen,txt,xml,yaml}, --format {csv,custom,html,json,sarif,sarif,screen,txt,xml,yaml}
                        specify output format
  --msg-template MSG_TEMPLATE
                        specify output message template (only usable with
                        --format custom), see CUSTOM FORMAT section for list
                        of available values
  -o [OUTPUT_FILE], --output [OUTPUT_FILE]
                        write report to filename
  -v, --verbose         output extra information like excluded and included
                        files
  -d, --debug           turn on debug mode
  -q, --quiet, --silent
                        only show output in the case of an error
  --ignore-nosec        do not skip lines with # nosec comments
  -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                        comma-separated list of paths (glob patterns
                        supported) to exclude from scan (note that these are
                        in addition to the excluded paths provided in the
                        config file) (default:
                        .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
  -b BASELINE, --baseline BASELINE
                        path of a baseline report to compare against (only
                        JSON-formatted files are accepted)
  --ini INI_PATH        path to a .bandit file that supplies command line
                        arguments
  --exit-zero           exit with 0, even with results found
  --version             show program's version number and exit

CUSTOM FORMATTING
-----------------

Available tags:

    {abspath}, {relpath}, {line}, {col}, {test_id},
    {severity}, {msg}, {confidence}, {range}

Example usage:

    Default template:
    bandit -r examples/ --format custom --msg-template \
    "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"

    Provides same output as:
    bandit -r examples/ --format custom

    Tags can also be formatted in python string.format() style:
    bandit -r examples/ --format custom --msg-template \
    "{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

    See python documentation for more information about formatting style:
    https://docs.python.org/3/library/string.html

The following tests were discovered and loaded:
-----------------------------------------------
  B101  assert_used
  B102  exec_used
  B103  set_bad_file_permissions
  B104  hardcoded_bind_all_interfaces
  B105  hardcoded_password_string
  B106  hardcoded_password_funcarg
  B107  hardcoded_password_default
  B108  hardcoded_tmp_directory
  B110  try_except_pass
  B112  try_except_continue
  B113  request_without_timeout
  B201  flask_debug_true
  B202  tarfile_unsafe_members
  B301  pickle
  B302  marshal
  B303  md5
  B304  ciphers
  B305  cipher_modes
  B306  mktemp_q
  B307  eval
  B308  mark_safe
  B310  urllib_urlopen
  B311  random
  B312  telnetlib
  B313  xml_bad_cElementTree
  B314  xml_bad_ElementTree
  B315  xml_bad_expatreader
  B316  xml_bad_expatbuilder
  B317  xml_bad_sax
  B318  xml_bad_minidom
  B319  xml_bad_pulldom
  B320  xml_bad_etree
  B321  ftplib
  B323  unverified_context
  B324  hashlib_insecure_functions
  B401  import_telnetlib
  B402  import_ftplib
  B403  import_pickle
  B404  import_subprocess
  B405  import_xml_etree
  B406  import_xml_sax
  B407  import_xml_expat
  B408  import_xml_minidom
  B409  import_xml_pulldom
  B410  import_lxml
  B411  import_xmlrpclib
  B412  import_httpoxy
  B413  import_pycrypto
  B415  import_pyghmi
  B501  request_with_no_cert_validation
  B502  ssl_with_bad_version
  B503  ssl_with_bad_defaults
  B504  ssl_with_no_version
  B505  weak_cryptographic_key
  B506  yaml_load
  B507  ssh_no_host_key_verification
  B508  snmp_insecure_version
  B509  snmp_weak_cryptography
  B601  paramiko_calls
  B602  subprocess_popen_with_shell_equals_true
  B603  subprocess_without_shell_equals_true
  B604  any_other_function_with_shell_equals_true
  B605  start_process_with_a_shell
  B606  start_process_with_no_shell
  B607  start_process_with_partial_path
  B608  hardcoded_sql_expressions
  B609  linux_commands_wildcard_injection
  B610  django_extra_used
  B611  django_rawsql_used
  B612  logging_config_insecure_listen
  B701  jinja2_autoescape_false
  B702  use_of_mako_templates
  B703  django_mark_safe

Installation on mega-linter Docker image