DEV Community

whchi

Enhance your python code security using bandit

In the constantly evolving realm of technology, ensuring the security of your code is an essential part of software development.

Here, I am using Bandit, a tool designed to find common security issues in Python code, to improve my project's security.

Severity vs Confidence

In the context of information security, severity and confidence are two important metrics. Both are rated as Low, Medium or High.

Severity measures the seriousness of the consequences that may arise if the security issue is exploited or left unaddressed.

Confidence reflects how well the finding has been validated, verified, or understood, that is, how likely it is to be a true positive rather than a false alarm.

Call to action

The result of a Bandit scan is a detailed report that outlines potential security issues in the code. For each issue it records the severity, the confidence, and the location in the code where the issue was detected. The report can be output in several formats, including CSV, HTML, JSON, text, XML, and YAML, so developers can easily parse and analyze the results and take appropriate action to improve the security of their code.

Bandit scanning result

The following are some simple triage criteria for the findings of a scan.

  • High Severity, High Confidence: Immediate action is typically taken due to a well-understood and verified security threat with potentially severe consequences.

  • High Severity, Low Confidence: Caution is exercised, and further investigation is needed to increase confidence in the assessment before taking decisive action.

  • Low Severity, High Confidence: Proactive measures may be taken even for low-severity issues if there is high confidence in the assessment.

  • Low Severity, Low Confidence: Ongoing monitoring and investigation are required to either confirm the low risk or gather additional information.
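The four criteria above can be applied mechanically to Bandit's JSON report. This is an added example, not code from the original post or from Bandit itself; the report content is constructed to match the shape of `bandit -f json` output, and folding Medium into the lower bucket is an assumption of this example, since the post only names the High/Low corners of the matrix.

```python
"""Triage a Bandit JSON report (bandit -c pyproject.toml -r . -f json -o report.json)."""
import json
from collections import defaultdict

# Constructed sample shaped like `bandit -f json` output; not from a real scan.
SAMPLE_REPORT = json.dumps({"results": [
    {"test_id": "B602", "filename": "app/run.py", "line_number": 12,
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified."},
    {"test_id": "B105", "filename": "app/settings.py", "line_number": 3,
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password."},
    {"test_id": "B311", "filename": "app/token.py", "line_number": 8,
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Standard pseudo-random generators are not suitable for security."},
    {"test_id": "B608", "filename": "app/db.py", "line_number": 15,
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query."},
]})


def triage(issue):
    """Map one result to an action. The post names only the High/Low corners,
    so MEDIUM is folded into the lower bucket here (an assumption of this example)."""
    high_sev = issue["issue_severity"] == "HIGH"
    high_conf = issue["issue_confidence"] == "HIGH"
    if high_sev and high_conf:
        return "fix-now"          # verified and severe: act immediately
    if high_sev:
        return "investigate"      # severe but unverified: confirm before acting
    if high_conf:
        return "fix-proactively"  # minor but certain: cheap to clean up now
    return "monitor"              # minor and uncertain: track it

def summarize(report_json):
    """Group a `bandit -f json` report into action buckets of 'test_id file:line'."""
    buckets = defaultdict(list)
    for issue in json.loads(report_json)["results"]:
        ref = f'{issue["test_id"]} {issue["filename"]}:{issue["line_number"]}'
        buckets[triage(issue)].append(ref)
    return dict(buckets)

def should_fail(report_json, block_on=("fix-now",)):
    """CI gate: True if any finding lands in a bucket that should block the build."""
    return any(bucket in block_on for bucket in summarize(report_json))

if __name__ == "__main__":
    for bucket, refs in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{bucket:16} {', '.join(refs)}")
```

Pointing `summarize` at a real `report.json` gives a per-bucket list you can paste into a ticket, and `should_fail` turns the "High Severity, High Confidence" rule into a build-breaking check.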

Setup

With pre-commit you can integrate Bandit into your Python project very easily.

  1. `pyproject.toml`: skip folders you don't want scanned

```toml
[tool.bandit]
exclude_dirs = [
    ".venv",
    ".git",
    "__pycache__",
]
```


  2. `.pre-commit-config.yaml`: add the pre-commit hook

```yaml
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.7
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml", "-r", "."]
        additional_dependencies: ["bandit[toml]"]
```

That's it.
