bandit
bandit checks for security risks
If you find it too harsh, you may define PYTHON_BANDIT_DISABLE_ERRORS: true
in your .mega-linter.yml
config file
bandit documentation
- Version in MegaLinter: 1.8.0
- Visit Official Web Site
- See How to configure bandit rules
- If custom
.bandit.yml
config file isn't found, .bandit.yml will be used
- If custom
- See How to disable bandit rules in files
- See Index of problems detected by bandit
Configuration in MegaLinter
- Enable bandit by adding
PYTHON_BANDIT
in ENABLE_LINTERS variable - Disable bandit by adding
PYTHON_BANDIT
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
PYTHON_BANDIT_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
PYTHON_BANDIT_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" |
|
PYTHON_BANDIT_FILTER_REGEX_INCLUDE | Custom regex including filter Ex: (src\|lib) |
Include every file |
PYTHON_BANDIT_FILTER_REGEX_EXCLUDE | Custom regex excluding filter Ex: (test\|examples) |
Exclude no file |
PYTHON_BANDIT_CLI_LINT_MODE | Override default CLI lint mode - file : Calls the linter for each file- list_of_files : Call the linter with the list of files as argument- project : Call the linter from the root of the project |
list_of_files |
PYTHON_BANDIT_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all filesEx: [".py", ""] |
[".py"] |
PYTHON_BANDIT_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] |
Include every file |
PYTHON_BANDIT_PRE_COMMANDS | List of bash commands to run before the linter | None |
PYTHON_BANDIT_POST_COMMANDS | List of bash commands to run after the linter | None |
PYTHON_BANDIT_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling PYTHON_BANDIT and its pre/post commands | None |
PYTHON_BANDIT_CONFIG_FILE | bandit configuration file nameUse LINTER_DEFAULT to let the linter find it |
.bandit.yml |
PYTHON_BANDIT_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
PYTHON_BANDIT_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
PYTHON_BANDIT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
PYTHON_BANDIT_CLI_EXECUTABLE | Override CLI executable | ['bandit'] |
IDE Integration
Use bandit in your favorite IDE to catch errors before MegaLinter !
IDE | Extension Name | Install | |
---|---|---|---|
Atom | bandit-lint | Visit Web Site | |
Sublime Text | SublimeLinter-bandit | Visit Web Site | |
Visual Studio Code | Native Support | Visit Web Site |
MegaLinter Flavors
This linter is available in the following flavors
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default MegaLinter Flavor | 124 | ||
python | Optimized for PYTHON based projects | 62 | ||
security | Optimized for security | 24 |
Behind the scenes
How are identified applicable files
- File extensions:
.py
How the linting is performed
- bandit is called once with the list of files as arguments (
list_of_files
CLI lint mode)
Example calls
bandit myfile.py
bandit --configfile .bandit.yml myfile.py
Help content
usage: bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]
[-p PROFILE] [-t TESTS] [-s SKIPS]
[-l | --severity-level {all,low,medium,high}]
[-i | --confidence-level {all,low,medium,high}]
[-f {csv,custom,html,json,sarif,sarif,screen,txt,xml,yaml}]
[--msg-template MSG_TEMPLATE] [-o [OUTPUT_FILE]] [-v] [-d] [-q]
[--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE]
[--ini INI_PATH] [--exit-zero] [--version]
[targets ...]
Bandit - a Python source code security analyzer
positional arguments:
targets source file(s) or directory(s) to be tested
options:
-h, --help show this help message and exit
-r, --recursive find and process files in subdirectories
-a {file,vuln}, --aggregate {file,vuln}
aggregate output by vulnerability (default) or by
filename
-n CONTEXT_LINES, --number CONTEXT_LINES
maximum number of code lines to output for each issue
-c CONFIG_FILE, --configfile CONFIG_FILE
optional config file to use for selecting plugins and
overriding defaults
-p PROFILE, --profile PROFILE
profile to use (defaults to executing all tests)
-t TESTS, --tests TESTS
comma-separated list of test IDs to run
-s SKIPS, --skip SKIPS
comma-separated list of test IDs to skip
-l, --level report only issues of a given severity level or higher
(-l for LOW, -ll for MEDIUM, -lll for HIGH)
--severity-level {all,low,medium,high}
report only issues of a given severity level or
higher. "all" and "low" are likely to produce the same
results, but it is possible for rules to be undefined
which will not be listed in "low".
-i, --confidence report only issues of a given confidence level or
higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
--confidence-level {all,low,medium,high}
report only issues of a given confidence level or
higher. "all" and "low" are likely to produce the same
results, but it is possible for rules to be undefined
which will not be listed in "low".
-f {csv,custom,html,json,sarif,sarif,screen,txt,xml,yaml}, --format {csv,custom,html,json,sarif,sarif,screen,txt,xml,yaml}
specify output format
--msg-template MSG_TEMPLATE
specify output message template (only usable with
--format custom), see CUSTOM FORMAT section for list
of available values
-o [OUTPUT_FILE], --output [OUTPUT_FILE]
write report to filename
-v, --verbose output extra information like excluded and included
files
-d, --debug turn on debug mode
-q, --quiet, --silent
only show output in the case of an error
--ignore-nosec do not skip lines with # nosec comments
-x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
comma-separated list of paths (glob patterns
supported) to exclude from scan (note that these are
in addition to the excluded paths provided in the
config file) (default:
.svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
-b BASELINE, --baseline BASELINE
path of a baseline report to compare against (only
JSON-formatted files are accepted)
--ini INI_PATH path to a .bandit file that supplies command line
arguments
--exit-zero exit with 0, even with results found
--version show program's version number and exit
CUSTOM FORMATTING
-----------------
Available tags:
{abspath}, {relpath}, {line}, {col}, {test_id},
{severity}, {msg}, {confidence}, {range}
Example usage:
Default template:
bandit -r examples/ --format custom --msg-template \
"{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"
Provides same output as:
bandit -r examples/ --format custom
Tags can also be formatted in python string.format() style:
bandit -r examples/ --format custom --msg-template \
"{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"
See python documentation for more information about formatting style:
https://docs.python.org/3/library/string.html
The following tests were discovered and loaded:
-----------------------------------------------
B101 assert_used
B102 exec_used
B103 set_bad_file_permissions
B104 hardcoded_bind_all_interfaces
B105 hardcoded_password_string
B106 hardcoded_password_funcarg
B107 hardcoded_password_default
B108 hardcoded_tmp_directory
B110 try_except_pass
B112 try_except_continue
B113 request_without_timeout
B201 flask_debug_true
B202 tarfile_unsafe_members
B301 pickle
B302 marshal
B303 md5
B304 ciphers
B305 cipher_modes
B306 mktemp_q
B307 eval
B308 mark_safe
B310 urllib_urlopen
B311 random
B312 telnetlib
B313 xml_bad_cElementTree
B314 xml_bad_ElementTree
B315 xml_bad_expatreader
B316 xml_bad_expatbuilder
B317 xml_bad_sax
B318 xml_bad_minidom
B319 xml_bad_pulldom
B320 xml_bad_etree
B321 ftplib
B323 unverified_context
B324 hashlib_insecure_functions
B401 import_telnetlib
B402 import_ftplib
B403 import_pickle
B404 import_subprocess
B405 import_xml_etree
B406 import_xml_sax
B407 import_xml_expat
B408 import_xml_minidom
B409 import_xml_pulldom
B410 import_lxml
B411 import_xmlrpclib
B412 import_httpoxy
B413 import_pycrypto
B415 import_pyghmi
B501 request_with_no_cert_validation
B502 ssl_with_bad_version
B503 ssl_with_bad_defaults
B504 ssl_with_no_version
B505 weak_cryptographic_key
B506 yaml_load
B507 ssh_no_host_key_verification
B508 snmp_insecure_version
B509 snmp_weak_cryptography
B601 paramiko_calls
B602 subprocess_popen_with_shell_equals_true
B603 subprocess_without_shell_equals_true
B604 any_other_function_with_shell_equals_true
B605 start_process_with_a_shell
B606 start_process_with_no_shell
B607 start_process_with_partial_path
B608 hardcoded_sql_expressions
B609 linux_commands_wildcard_injection
B610 django_extra_used
B611 django_rawsql_used
B612 logging_config_insecure_listen
B613 trojansource
B614 pytorch_load_save
B701 jinja2_autoescape_false
B702 use_of_mako_templates
B703 django_mark_safe
Installation on mega-linter Docker image
- PIP packages (Python):