In the constantly evolving realm of technology, ensuring the security of your code is an important part of software development.
Here I am using Bandit, a tool designed to find common security issues in Python code, to improve my project's security.
Severity vs Confidence
In the context of information security, severity and confidence are two important metrics. Both are rated Low, Medium or High.
Severity measures how serious the consequences could be if the security issue is exploited or left unaddressed.
Confidence reflects how well the finding is validated, verified, or understood, i.e. how likely it is to be a real issue rather than a false positive.
Call to action
The result of a Bandit scan is a detailed report that outlines potential security issues in the code. This report includes the severity and confidence of each issue, as well as the part of the code where the issue was detected. The report can be output in several formats, including CSV, HTML, JSON, text, XML, and YAML. This allows developers to easily parse and analyze the results and take appropriate action to improve the security of their code.
The following are some simple triage rules for acting on scan results.
High Severity, High Confidence: Immediate action is typically taken due to a well-understood and verified security threat with potentially severe consequences.
High Severity, Low Confidence: Caution is exercised, and further investigation is needed to increase confidence in the assessment before taking decisive action.
Low Severity, High Confidence: Proactive measures may be taken even for low-severity issues if there is high confidence in the assessment.
Low Severity, Low Confidence: Ongoing monitoring and investigation are required to either confirm the low risk or gather additional information.
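To show how the four rules above can be applied to the JSON report format mentioned earlier, here is an added example (not from the original post): it parses a constructed Bandit-style JSON report, ranks findings by severity then confidence, and assigns each the action from the matrix. The sample findings and their texts are constructed for illustration, and treating MEDIUM like HIGH in the action mapping is an assumption, since the post only defines the High/Low corners.

```python
import json

# Rank Bandit's three levels so (severity, confidence) pairs can be ordered.
LEVEL = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample in the shape of `bandit -f json` output; not a real scan.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "app/db.py", "line_number": 42, "test_id": "B608",
         "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "issue_text": "Possible SQL injection via string-based query construction."},
        {"filename": "app/util.py", "line_number": 7, "test_id": "B101",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected."},
        {"filename": "app/tasks.py", "line_number": 88, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified."},
    ]
})


def action_for(severity, confidence):
    """Map a finding's levels onto the triage matrix from the post.

    Assumption: MEDIUM is grouped with HIGH, so only LOW counts as "low".
    """
    high_sev = LEVEL[severity] >= LEVEL["MEDIUM"]
    high_conf = LEVEL[confidence] >= LEVEL["MEDIUM"]
    if high_sev and high_conf:
        return "fix now"
    if high_sev:
        return "investigate before acting"
    if high_conf:
        return "fix proactively"
    return "monitor"


def triage(report_json):
    """Parse a Bandit JSON report and return findings ordered by priority.

    Sort key is (severity, confidence), both descending, so the most
    serious and best-verified findings come first.
    """
    results = json.loads(report_json)["results"]
    ranked = sorted(results, reverse=True,
                    key=lambda r: (LEVEL[r["issue_severity"]], LEVEL[r["issue_confidence"]]))
    return [{"location": f'{r["filename"]}:{r["line_number"]}', "test_id": r["test_id"],
             "severity": r["issue_severity"], "confidence": r["issue_confidence"],
             "action": action_for(r["issue_severity"], r["issue_confidence"])}
            for r in ranked]


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f'{f["action"]:<26}{f["severity"]:<8}{f["confidence"]:<8}{f["test_id"]} {f["location"]}')
```

Feed it a real report with `bandit -r . -f json -o report.json` and `triage(open("report.json").read())`.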
Setup
With pre-commit
You can integrate Bandit into your Python project very easily.
1. pyproject.toml: skip folders you don't want scanned
```toml
[tool.bandit]
exclude_dirs = [
    ".venv",
    ".git",
    "__pycache__",
]
```
2. .pre-commit-config.yaml: add the pre-commit hook
```yaml
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.7
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml", "-r", "."]
        additional_dependencies: ["bandit[toml]"]
```
That's it.