Bandit finds common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report.
You can use this cookiecutter template to create a Python project with bandit already configured.
```bash
pip install bandit
```
Ignore an error: add a `# nosec` comment on the line that bandit reports. Keep the suppressions rare and explain each one, otherwise the scan loses its value.
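As an added example (not code from this page or from the Bandit project), the snippet below puts the three cases side by side: a call bandit reports (`subprocess` with `shell=True` and a string built from input, test B602), its hardened form (argument list, no shell), and a constant command where `shell=True` is deliberate and silenced with a targeted `# nosec`. The function names and the constructed input are assumptions for the demo; the B602 id is Bandit's own.

```python
"""Bandit demo: a flagged call, its hardened form, and a justified `# nosec`.

Run `bandit demo.py` against this file to see which lines are reported.
"""
import subprocess


def run_printf_unsafe(name: str) -> str:
    # Reported by bandit as B602 (subprocess_popen_with_shell_equals_true):
    # the command string is handed to /bin/sh, so any `;`, `$(...)` or
    # backtick inside `name` becomes a second command.
    return subprocess.check_output(f"printf '%s\\n' {name}", shell=True, text=True)


def run_printf_safe(name: str) -> str:
    # Hardened form: an argv list and no shell, so `name` is passed to printf
    # as one argument whatever characters it contains. Bandit may still leave a
    # low-severity reminder (B603) to validate untrusted input; that is advice,
    # not a finding about shell injection.
    return subprocess.check_output(["printf", "%s\n", name], text=True)


def count_words_fixed() -> int:
    # A pipeline needs a shell, and the command is a constant with no user
    # input, so the B602 report is a false positive here. Recent bandit
    # versions accept a test id after `# nosec` so only that check is muted.
    out = subprocess.check_output("printf 'a b c' | wc -w", shell=True, text=True)  # nosec B602
    return int(out.split()[0])


if __name__ == "__main__":
    # Constructed input: a name that smuggles in a second command.
    payload = "x; echo injected"
    print(repr(run_printf_unsafe(payload)))  # second command ran
    print(repr(run_printf_safe(payload)))    # payload printed verbatim
    print(count_words_fixed())
```

Running bandit over the file reports the first call; the second one gets at most a low-severity note, and the third is silent because of the `# nosec B602` marker. The assumed input shows the practical difference: the unsafe version executes `echo injected`, the safe version prints the string unchanged.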
You can run bandit through pre-commit:

```yaml
repos:
  - repo: https://github.com/Lucas-C/pre-commit-hooks-bandit
    rev: v1.0.4
    hooks:
      - id: python-bandit-vulnerability-check
```
Bandit takes a long time to run, which slows down committing too much, so it is better to run it only in the CI.
GitHub Actions: make sure the workflow pins the Python version your project actually uses, since bandit parses the code with the interpreter it runs under.

```yaml
name: Security
on: [push, pull_request]
jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: 3.7
      - name: Install dependencies
        run: pip install bandit
      - name: Execute bandit
        run: bandit -r project
```