bandit

bandit checks for security risks

If you find it too harsh, you may define PYTHON_BANDIT_DISABLE_ERRORS: true in your .mega-linter.yml config file

bandit documentation

Version in MegaLinter: 1.7.5
Visit Official Web Site
See How to configure bandit rules
- If custom .bandit.yml config file isn't found, .bandit.yml will be used
See How to disable bandit rules in files
See Index of problems detected by bandit

Configuration in MegaLinter

Enable bandit by adding PYTHON_BANDIT in ENABLE_LINTERS variable
Disable bandit by adding PYTHON_BANDIT in DISABLE_LINTERS variable

Variable	Description	Default value
PYTHON_BANDIT_ARGUMENTS	User custom arguments to add in linter CLI call Ex: `-s --foo "bar"`
PYTHON_BANDIT_FILTER_REGEX_INCLUDE	Custom regex including filter Ex: `(src\\|lib)`	Include every file
PYTHON_BANDIT_FILTER_REGEX_EXCLUDE	Custom regex excluding filter Ex: `(test\\|examples)`	Exclude no file
PYTHON_BANDIT_CLI_LINT_MODE	Override default CLI lint mode - `file`: Calls the linter for each file - `list_of_files`: Call the linter with the list of files as argument - `project`: Call the linter from the root of the project	`list_of_files`
PYTHON_BANDIT_FILE_EXTENSIONS	Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files Ex: `[".py", ""]`	`[".py"]`
PYTHON_BANDIT_FILE_NAMES_REGEX	File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]`	Include every file
PYTHON_BANDIT_PRE_COMMANDS	List of bash commands to run before the linter	None
PYTHON_BANDIT_POST_COMMANDS	List of bash commands to run after the linter	None
PYTHON_BANDIT_UNSECURED_ENV_VARIABLES	List of env variables explicitly not filtered before calling PYTHON_BANDIT and its pre/post commands	None
PYTHON_BANDIT_CONFIG_FILE	bandit configuration file nameUse `LINTER_DEFAULT` to let the linter find it	`.bandit.yml`
PYTHON_BANDIT_RULES_PATH	Path where to find linter configuration file	Workspace folder, then MegaLinter default rules
PYTHON_BANDIT_DISABLE_ERRORS	Run linter but consider errors as warnings	`false`
PYTHON_BANDIT_DISABLE_ERRORS_IF_LESS_THAN	Maximum number of errors allowed	`0`
PYTHON_BANDIT_CLI_EXECUTABLE	Override CLI executable	`['bandit']`

IDE Integration

Use bandit in your favorite IDE to catch errors before MegaLinter !

IDE	Extension Name	Install
Atom	bandit-lint	Visit Web Site
Sublime Text	SublimeLinter-bandit	Visit Web Site
Visual Studio Code	Native Support	Visit Web Site

MegaLinter Flavours

This linter is available in the following flavours

Flavor	Description	Embedded linters
all	Default MegaLinter Flavor	117
python	Optimized for PYTHON based projects	62
security	Optimized for security	24

Behind the scenes

How are identified applicable files

File extensions: .py

How the linting is performed

bandit is called once with the list of files as arguments (list_of_files CLI lint mode)

Example calls

bandit myfile.py

bandit --configfile .bandit.yml myfile.py

Help content

usage: bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]
              [-p PROFILE] [-t TESTS] [-s SKIPS]
              [-l | --severity-level {all,low,medium,high}]
              [-i | --confidence-level {all,low,medium,high}]
              [-f {csv,custom,html,json,sarif,screen,txt,xml,yaml}]
              [--msg-template MSG_TEMPLATE] [-o [OUTPUT_FILE]] [-v] [-d] [-q]
              [--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE]
              [--ini INI_PATH] [--exit-zero] [--version]
              [targets ...]

Bandit - a Python source code security analyzer

positional arguments:
  targets               source file(s) or directory(s) to be tested

options:
  -h, --help            show this help message and exit
  -r, --recursive       find and process files in subdirectories
  -a {file,vuln}, --aggregate {file,vuln}
                        aggregate output by vulnerability (default) or by
                        filename
  -n CONTEXT_LINES, --number CONTEXT_LINES
                        maximum number of code lines to output for each issue
  -c CONFIG_FILE, --configfile CONFIG_FILE
                        optional config file to use for selecting plugins and
                        overriding defaults
  -p PROFILE, --profile PROFILE
                        profile to use (defaults to executing all tests)
  -t TESTS, --tests TESTS
                        comma-separated list of test IDs to run
  -s SKIPS, --skip SKIPS
                        comma-separated list of test IDs to skip
  -l, --level           report only issues of a given severity level or higher
                        (-l for LOW, -ll for MEDIUM, -lll for HIGH)
  --severity-level {all,low,medium,high}
                        report only issues of a given severity level or
                        higher. "all" and "low" are likely to produce the same
                        results, but it is possible for rules to be undefined
                        which will not be listed in "low".
  -i, --confidence      report only issues of a given confidence level or
                        higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
  --confidence-level {all,low,medium,high}
                        report only issues of a given confidence level or
                        higher. "all" and "low" are likely to produce the same
                        results, but it is possible for rules to be undefined
                        which will not be listed in "low".
  -f {csv,custom,html,json,sarif,screen,txt,xml,yaml}, --format {csv,custom,html,json,sarif,screen,txt,xml,yaml}
                        specify output format
  --msg-template MSG_TEMPLATE
                        specify output message template (only usable with
                        --format custom), see CUSTOM FORMAT section for list
                        of available values
  -o [OUTPUT_FILE], --output [OUTPUT_FILE]
                        write report to filename
  -v, --verbose         output extra information like excluded and included
                        files
  -d, --debug           turn on debug mode
  -q, --quiet, --silent
                        only show output in the case of an error
  --ignore-nosec        do not skip lines with # nosec comments
  -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                        comma-separated list of paths (glob patterns
                        supported) to exclude from scan (note that these are
                        in addition to the excluded paths provided in the
                        config file) (default:
                        .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
  -b BASELINE, --baseline BASELINE
                        path of a baseline report to compare against (only
                        JSON-formatted files are accepted)
  --ini INI_PATH        path to a .bandit file that supplies command line
                        arguments
  --exit-zero           exit with 0, even with results found
  --version             show program's version number and exit

CUSTOM FORMATTING
-----------------

Available tags:

    {abspath}, {relpath}, {line}, {col}, {test_id},
    {severity}, {msg}, {confidence}, {range}

Example usage:

    Default template:
    bandit -r examples/ --format custom --msg-template \
    "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"

    Provides same output as:
    bandit -r examples/ --format custom

    Tags can also be formatted in python string.format() style:
    bandit -r examples/ --format custom --msg-template \
    "{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

    See python documentation for more information about formatting style:
    https://docs.python.org/3/library/string.html

The following tests were discovered and loaded:
-----------------------------------------------
  B101  assert_used
  B102  exec_used
  B103  set_bad_file_permissions
  B104  hardcoded_bind_all_interfaces
  B105  hardcoded_password_string
  B106  hardcoded_password_funcarg
  B107  hardcoded_password_default
  B108  hardcoded_tmp_directory
  B110  try_except_pass
  B112  try_except_continue
  B113  request_without_timeout
  B201  flask_debug_true
  B202  tarfile_unsafe_members
  B301  pickle
  B302  marshal
  B303  md5
  B304  ciphers
  B305  cipher_modes
  B306  mktemp_q
  B307  eval
  B308  mark_safe
  B310  urllib_urlopen
  B311  random
  B312  telnetlib
  B313  xml_bad_cElementTree
  B314  xml_bad_ElementTree
  B315  xml_bad_expatreader
  B316  xml_bad_expatbuilder
  B317  xml_bad_sax
  B318  xml_bad_minidom
  B319  xml_bad_pulldom
  B320  xml_bad_etree
  B321  ftplib
  B323  unverified_context
  B324  hashlib_insecure_functions
  B401  import_telnetlib
  B402  import_ftplib
  B403  import_pickle
  B404  import_subprocess
  B405  import_xml_etree
  B406  import_xml_sax
  B407  import_xml_expat
  B408  import_xml_minidom
  B409  import_xml_pulldom
  B410  import_lxml
  B411  import_xmlrpclib
  B412  import_httpoxy
  B413  import_pycrypto
  B415  import_pyghmi
  B501  request_with_no_cert_validation
  B502  ssl_with_bad_version
  B503  ssl_with_bad_defaults
  B504  ssl_with_no_version
  B505  weak_cryptographic_key
  B506  yaml_load
  B507  ssh_no_host_key_verification
  B508  snmp_insecure_version
  B509  snmp_weak_cryptography
  B601  paramiko_calls
  B602  subprocess_popen_with_shell_equals_true
  B603  subprocess_without_shell_equals_true
  B604  any_other_function_with_shell_equals_true
  B605  start_process_with_a_shell
  B606  start_process_with_no_shell
  B607  start_process_with_partial_path
  B608  hardcoded_sql_expressions
  B609  linux_commands_wildcard_injection
  B610  django_extra_used
  B611  django_rawsql_used
  B612  logging_config_insecure_listen
  B701  jinja2_autoescape_false
  B702  use_of_mako_templates
  B703  django_mark_safe

Installation on mega-linter Docker image

PIP packages (Python):