Static Application Security Testing (SAST) tools help you detect vulnerabilities directly in your source code before the application is executed or deployed. In this article, you will see how to use Bandit, a Python‑focused SAST tool, to scan a Python application and improve its security posture.
What Is SAST and Why It Matters
SAST refers to techniques and tools that analyze source code, bytecode or binaries to find security weaknesses without running the application. These tools search for patterns related to insecure practices such as injection, unsafe system calls, weak cryptography, or hardcoded secrets.
Running SAST early in the development lifecycle allows teams to detect and fix issues before they reach production, which reduces both risk and remediation cost. Integrating SAST into everyday workflows (IDE checks, pre‑commit hooks or CI/CD pipelines) transforms security from a late, manual step into a continuous, automated practice.
Meet Bandit: A Python Security Linter
Bandit is an open source security linter designed to find common security issues in Python code. It parses Python files, builds an abstract syntax tree (AST), and runs a set of security tests to detect problems such as hardcoded passwords, use of unsafe functions like exec, insecure random generators, weak hashes, or risky XML and subprocess usage.
Because Bandit understands Python syntax and idioms, it can provide more precise findings than generic text‑based scanners for this language. It is distributed through PyPI, actively maintained by the PyCQA community, and can be easily integrated into local development workflows and CI/CD pipelines.
Setting Up Bandit in Your Project
To use Bandit, you only need a working Python environment and pip. Many developers prefer to create a virtual environment so that security tools and project dependencies do not conflict.
Example setup steps (run in your terminal):
Create and activate a virtual environment (optional).
Install Bandit with pip: pip install bandit.
Optionally, install extra features like TOML support, baseline management or SARIF output using extras such as bandit[toml], bandit[baseline] or bandit[sarif].
After installation, the bandit command becomes available in your shell so you can run it from any project directory.
Scanning a Python Application with Bandit
Once Bandit is installed, you can scan either a single file or an entire project directory. The most common workflow is to navigate to the root of your Python project and run Bandit recursively.
Typical examples:
Scan a single file: bandit app.py
Scan a whole project recursively: bandit -r .
When the scan finishes, Bandit prints a report showing each issue it found, along with fields like severity, confidence, file path, line number and a short description. You can also change the output format to JSON, XML, HTML, YAML and others, which is useful for storing results or integrating with dashboards.
Understanding Bandit’s Output
Bandit assigns two key attributes to each finding: severity and confidence. Severity indicates how serious the potential vulnerability is (for example low, medium or high), while confidence reflects how certain Bandit is that the pattern represents a real security problem.
High‑severity, high‑confidence issues typically indicate dangerous patterns such as use of weak cryptographic functions, insecure temporary files, unsafe XML parsers or shell commands with untrusted input. Developers should review these findings in context, confirm whether they are valid issues, and then apply fixes such as input validation, parameterization, replacing weak algorithms or refactoring dangerous code.
Applying Bandit to a Sample Scenario
Imagine a small Python web application that performs file operations, calls external commands and processes user input. Bandit can help identify if:
Temporary files are created using insecure methods.
User input is passed directly into shell commands or SQL queries.
Insecure modules like telnetlib or weak hash functions like md5 are in use.
Running bandit -r . from the project root will reveal these patterns with line numbers and explanations, making it easier to refactor the application before deployment.
Integrating Bandit into CI/CD
The real power of a SAST tool appears when it becomes part of your automated pipelines. With Bandit, you can add a CI job that installs dependencies, runs bandit -r ., and fails the pipeline if new high‑severity issues are introduced.
For example, in a GitHub Actions or GitLab CI pipeline, you can:
Use a Python base image, install Bandit and run it as part of your test stage.
Configure Bandit to output JSON or SARIF and upload that report as a pipeline artifact or feed it into security dashboards.
Optionally, use a baseline file to compare current results against previous scans, so only new findings break the build.
This approach ensures every pull request is checked for security issues, not only for functionality or style.
Best Practices When Using Bandit
To get the most value from Bandit, consider these practices:
Run Bandit locally as part of a pre‑commit hook so that insecure patterns are caught before code is pushed.
Adjust severity and confidence thresholds to match your project’s risk tolerance, focusing on high‑impact issues first.
Regularly review and update the configuration (for example .bandit.yml) to skip false positives or define project‑specific rules.
Combine Bandit with other security practices such as dependency scanning, dynamic testing and manual code review.
Bandit is not a silver bullet, but it is a lightweight and effective way to bring security awareness into everyday Python development.
Limitations and Complementary Tools
Bandit focuses on static analysis of Python source code, so it does not replace dynamic application security testing or runtime protection. It may also miss complex logic issues that require deeper understanding of business rules, which is why human review remains essential.
For a more complete security strategy, combine Bandit with tools that check open‑source dependencies, perform dynamic scans against running environments and monitor production systems. Even with these limitations, integrating Bandit as your SAST tool for Python significantly raises your application’s security baseline with relatively low effort
Top comments (0)