Overview

Bandit is an advanced security linter specifically designed to detect common vulnerabilities in Python code. It works by processing each file, constructing an Abstract Syntax Tree (AST), and executing relevant plugins against the AST nodes. After scanning all the files, Bandit generates a comprehensive report detailing any potential security issues.

Originally developed as part of the OpenStack Security Project, Bandit has since been transferred to the PyCQA organization, ensuring its maintenance and growth within the broader Python community.

Features

• Security-focused: Detects security vulnerabilities and enforces best practices in Python code.
• Extensible: Users can create custom plugins and methods to expand Bandit's capabilities.
• Container Compatibility: Easily deployable as a Docker container. Use the following command to pull the latest image:

  docker pull ghcr.io/pycqa/bandit/bandit
  

  The image supports various architectures including amd64, arm64, armv7, and armv8. To specify a particular architecture, use:

  docker pull --platform=<architecture> ghcr.io/pycqa/bandit/bandit:latest
  

• Verified Images: All images are signed with sigstore cosign, allowing users to verify the origin with the following command:

  cosign verify ghcr.io/pycqa/bandit/bandit:latest \
    --certificate-identity https://github.com/pycqa/bandit/.github/workflows/build-publish-image.yml@refs/tags/<version> \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com
  

Documentation and Resources

• Official Documentation: Comprehensive guide to Bandit's usage and features.
• Python AST Module Documentation: Detailed explanation of the Python AST framework.
• Green Tree Snakes: Reference for Python AST documentation and node types that Bandit supports or can extend to.

For any issues or contributions, please visit the GitHub repository. Bug reports can be submitted here, and contributions are welcome to improve the tool further.