Bandit
Bandit finds common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report.
You can use this cookiecutter template to create a Python project with Bandit already configured.
Installation

```bash
pip install bandit
```
Usage

Ignore an error

Add a `# nosec` comment to the line you want Bandit to skip.
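To make the scanning model described above concrete (parse each file into an AST, run plugins over the nodes, report, and honour `# nosec`), here is a toy checker added as an illustration; it is not Bandit's own code, and the `SAMPLE` source plus the plugin names are constructed for the example.

```python
# Toy Bandit-style checker (added illustration, not Bandit's own code).
import ast
from typing import List, Set, Tuple

# Constructed sample: three findings, the first suppressed with `# nosec`.
SAMPLE = '''\
import subprocess
password = "hunter2"  # nosec
subprocess.call("ls " + name, shell=True)
eval(user_input)
'''

def check_call(node: ast.Call) -> List[Tuple[int, str, str]]:
    """Plugin: flag eval() and subprocess.* calls made with shell=True."""
    found = []
    func = node.func
    if isinstance(func, ast.Name) and func.id == "eval":
        found.append((node.lineno, "B307", "use of eval detected"))
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess"):
        for kw in node.keywords:
            if kw.arg == "shell" and getattr(kw.value, "value", None) is True:
                found.append((node.lineno, "B602", "subprocess call with shell=True"))
    return found

def check_assign(node: ast.Assign) -> List[Tuple[int, str, str]]:
    """Plugin: flag a string literal assigned to a password-like name."""
    found = []
    if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
        for target in node.targets:
            if isinstance(target, ast.Name) and "password" in target.id.lower():
                found.append((node.lineno, "B105", "possible hardcoded password"))
    return found

def nosec_lines(source: str) -> Set[int]:
    """Line numbers carrying Bandit's `# nosec` suppression comment."""
    return {n for n, line in enumerate(source.splitlines(), 1) if "# nosec" in line}

def scan(source: str) -> List[Tuple[int, str, str]]:
    """Build the AST, run every plugin on every node, drop suppressed lines."""
    tree = ast.parse(source)
    skip = nosec_lines(source)
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            found.extend(check_call(node))
        elif isinstance(node, ast.Assign):
            found.extend(check_assign(node))
    return sorted(issue for issue in found if issue[0] not in skip)
```

The test ids used in the messages (B105, B307, B602) are the ones Bandit itself reports for these patterns; a real Bandit plugin additionally attaches a severity and confidence to each issue.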
Configuration

You can run Bandit through:

- Pre-commit:

  File: .pre-commit-config.yaml

  ```yaml
  repos:
    - repo: https://github.com/Lucas-C/pre-commit-hooks-bandit
      rev: v1.0.4
      hooks:
        - id: python-bandit-vulnerability-check
  ```

  Bandit takes a long time to run, so it slows down committing too much; it is better to run it only in CI.

- GitHub Actions: make sure the correct Python version is applied.

  File: .github/workflows/security.yml

  ```yaml
  name: Security

  on: [push, pull_request]

  jobs:
    bandit:
      runs-on: ubuntu-latest
      steps:
        - name: Checkout
          uses: actions/checkout@v2
        - uses: actions/setup-python@v2
          with:
            python-version: 3.7
        - name: Install dependencies
          run: pip install bandit
        - name: Execute bandit
          run: bandit -r project
  ```
Last update: 2021-01-05