Bandit – Find Common Security Vulnerabilities in Python Code

Bandit is a tool designed to find common security issues in Python code. To do this the tool processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.

The tool was originally developed within the OpenStack Security Project and later rehomed to PyCQA.

Bandit - Find Common Security Issues in Python Code
Bandit – Find Common Security Issues in Python Code

Bandit supports many different tests to detect various security issues in python code. These tests are created as plugins and new ones can be created to extend the functionality offered by bandit today.

Bandit plugin groups are:

  • B1xx – misc tests (this group check include hard coded password verification. using hard coded passwords increases the possibility of password guessing. This plugin test looks for all function definitions that specify a default string literal for some argument. there are other plugins in this group for bad permission verification)
  • B2xx -application/framework misconfiguration for example running Flask applications in debug mode which results in the Werkzeug debugger being enabled. This includes a feature that allows arbitrary code execution.
  • B3xx – blacklists (calls)
  • B4xx – blacklists (imports)
  • B5xx – cryptography- The test will cover mostly the SSL certificate and encryption configuration.
  • B6xx – injection (this group of plugins include a family of tests built to check for process spawning and warn appropriately. Python possesses many mechanisms to invoke an external executable. However, doing so may present a security issue if appropriate care is not taken to sanitize any user provided or variable input)
  • B7xx – XSS

You can read more and download this tool over here:

Notify of
Inline Feedbacks
View all comments