Abstract
This article explores the implementation of Static Application Security Testing (SAST) using Bandit for Python applications. We demonstrate how to identify common security flaws like hardcoded passwords and insecure function usage, integrating the tool into a CI/CD pipeline using GitHub Actions.
Why Bandit?
Since I needed a lightweight and fast tool for Python without the complexity of enterprise platforms, Bandit was the perfect choice. It's an open-source tool designed to find common security issues in Python code by analyzing the AST (Abstract Syntax Tree).
The Vulnerable Code
I created a sample script app.py with intentional flaws:
- Hardcoded secrets: Storing passwords in plain text.
- Insecure Deserialization: Using functions that could lead to Remote Code Execution (RCE).
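The article does not reproduce app.py itself, so the following is an added illustration (not the author's file) of the two patterns Bandit reports on it, each next to a hardened equivalent that Bandit does not flag: a hardcoded credential replaced by a secret read from the environment, and pickle.loads on untrusted bytes replaced by JSON parsing with a minimal schema check. The password value, the payload keys and the helper names are constructed for the example; the same swap applies to the yaml.load call mentioned later (yaml.safe_load is the safe counterpart).

```python
import json
import os
import pickle  # imported only for the deliberately insecure "before" function below

# --- Before: what Bandit flags (hardcoded password, pickle import, pickle.loads) ---
# Constructed illustration of the kind of code described above; not the author's app.py.
DB_PASSWORD = "example-not-a-real-secret"  # hardcoded password string (constructed value)


def load_payload_insecure(blob: bytes):
    # Unpickling attacker-controlled bytes can run arbitrary code: this is the RCE risk.
    return pickle.loads(blob)


# --- After: hardened equivalents ---
def get_db_password(env=None) -> str:
    """Read the credential from the environment (injected by the CI/CD secret store).

    `env` defaults to os.environ; it is a parameter only so the lookup can be tested
    without touching the real process environment.
    """
    env = os.environ if env is None else env
    password = env.get("DB_PASSWORD")
    if not password:
        raise RuntimeError("DB_PASSWORD is not set; refusing to start without a credential")
    return password


def load_payload_safe(blob: bytes, allowed_keys=("user", "role")) -> dict:
    """Parse JSON instead of a pickle: JSON carries data only, never executable objects.

    A minimal schema check rejects unexpected keys so unknown fields are never
    silently consumed downstream (allowed_keys is a constructed example schema).
    """
    data = json.loads(blob.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("payload must be a JSON object")
    unexpected = set(data) - set(allowed_keys)
    if unexpected:
        raise ValueError(f"unexpected keys in payload: {sorted(unexpected)}")
    return data


if __name__ == "__main__":
    # Constructed sample payload, standing in for bytes received over the network.
    sample = b'{"user": "alice", "role": "reader"}'
    print(load_payload_safe(sample))
```

Running Bandit over a file that keeps only the "after" functions reports no hardcoded-password or pickle findings; the "before" half is there so the two can be compared side by side in the scan output.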
Local Execution
To run it locally, I used:
pip install bandit
bandit app.py
The image below demonstrates the local execution of Bandit. As shown, the tool scanned 6 lines of code and identified 3 security issues: two of Low severity (importing the pickle module and a hardcoded password string) and one of Medium severity (using pickle.loads for deserialization). This immediate feedback allows developers to fix vulnerabilities during the development phase, long before the code is merged.
"Figure 1: Local Bandit Scan Results"

Automation with GitHub Actions
To comply with modern DevSecOps practices, I automated the scan. Every time I push code, GitHub Actions runs Bandit.
My workflow configuration (YAML)
This image displays the output of the automated security pipeline. By integrating Bandit into GitHub Actions, the scan runs automatically on every 'push'. As observed in the logs, the process completed with an exit code 1, effectively breaking the build. This is a crucial security gate: it prevents code with known vulnerabilities (like the insecure yaml.load call shown in line 13) from moving forward in the development lifecycle. The report highlights a Medium severity issue with High confidence, providing the exact CWE reference for remediation.
"Figure 3: Automated SAST Scan via GitHub Actions"
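The gate described above relies on Bandit's own exit code of 1 whenever it reports any finding. Bandit can raise that bar natively (`-ll` reports only Medium and above), but teams often want a policy the CLI cannot express, such as an allowlist of reviewed findings. The script below is an added example, not the author's workflow, of such a gate: it reads a Bandit JSON report (`bandit -r . -f json -o report.json`), keeps findings at or above a severity threshold that are not allowlisted, prints them with their CWE reference, and returns the exit code the pipeline step should use. The embedded report is a constructed sample that mirrors the three findings described in the article; its file name and line numbers are made up.

```python
import json
import sys

# Severity labels as they appear in Bandit's report, ranked for threshold comparison.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample of a Bandit JSON report, trimmed to the fields the gate reads.
# The three findings mirror the ones described in the article (pickle import,
# hardcoded password, pickle.loads); file name and line numbers are made up.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "app.py", "line_number": 1, "test_id": "B403",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_cwe": {"id": 502, "link": "https://cwe.mitre.org/data/definitions/502.html"},
         "issue_text": "Consider possible security implications associated with pickle module."},
        {"filename": "app.py", "line_number": 3, "test_id": "B105",
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "issue_cwe": {"id": 259, "link": "https://cwe.mitre.org/data/definitions/259.html"},
         "issue_text": "Possible hardcoded password: 'example-not-a-real-secret'"},
        {"filename": "app.py", "line_number": 6, "test_id": "B301",
         "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
         "issue_cwe": {"id": 502, "link": "https://cwe.mitre.org/data/definitions/502.html"},
         "issue_text": "Pickle and modules that wrap it can be unsafe when used to "
                       "deserialize untrusted data, possible security issue."},
    ]
})


def blocking_findings(report_json: str, min_severity: str = "MEDIUM", allowlist=()) -> list:
    """Return the findings that should fail the build.

    A finding blocks when its severity is at or above min_severity and its
    (test_id, filename) pair is not in the allowlist of findings a reviewer accepted.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking = []
    for finding in report.get("results", []):
        rank = SEVERITY_RANK.get(finding["issue_severity"].upper(), 0)
        if rank < threshold:
            continue
        if (finding["test_id"], finding["filename"]) in allowlist:
            continue
        blocking.append(finding)
    return blocking


def gate_exit_code(report_json: str, min_severity: str = "MEDIUM", allowlist=()) -> int:
    """Print each blocking finding with its CWE and return 1 if any exist, else 0."""
    findings = blocking_findings(report_json, min_severity, allowlist)
    for f in findings:
        cwe = f.get("issue_cwe", {}).get("id", "n/a")
        print(f"{f['filename']}:{f['line_number']} [{f['test_id']}] "
              f"{f['issue_severity']}/{f['issue_confidence']} CWE-{cwe}: {f['issue_text']}",
              file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: python gate.py report.json   (falls back to the constructed sample)
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate_exit_code(report, min_severity="MEDIUM"))
```

Because Bandit already exits non-zero when it finds anything, a workflow that runs this script afterwards has to let the scan step continue (for example with `|| true` on the bandit command) and let the gate script decide the outcome; otherwise the step fails before the policy is applied.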

Conclusion
Using SAST tools like Bandit is a fundamental step in the SDLC to catch "low-hanging fruit" vulnerabilities before they reach production.
