Bandit is an open-source tool that scans Python source code for security issues that show up in everyday development. Many security teams and developers use it as a quick way to spot risky coding patterns early in the lifecycle, especially in projects that already rely on automated linting and testing.

The tool works by examining Python code structure and matching it against a set of security-focused rules. Each finding points to a specific line of code and includes details that help developers understand the issue and decide on next steps.
What Bandit looks for in code
Bandit focuses on issues that can be detected directly in Python source files. Examples include unsafe use of functions like eval, weak cryptographic practices, hard-coded passwords, and insecure handling of temporary files. The rules target patterns that security teams often see during code reviews and incident investigations.
Each rule produces a finding with two key attributes: severity and confidence. Severity reflects the potential impact of the issue. Confidence reflects how certain the tool is that the pattern represents a real problem. These attributes help teams prioritize what they review first.
Using Bandit in day-to-day development
Most teams run Bandit from the command line against a code repository. A recursive scan of a project directory is a common starting point. Bandit can also read code from standard input, which supports scripting and automation use cases.
Configuration usually lives alongside the code. Teams define which paths to scan, which tests to run, and which ones to skip. Many Python projects place these settings in a dedicated config file or in pyproject.toml to keep security checks aligned with other tooling.
Developers can suppress specific findings on individual lines using inline comments. This approach allows teams to document accepted risks directly in the codebase. Security teams often review these suppressions during audits or code reviews.
Managing findings over time
Bandit supports baseline reports that record existing findings at a point in time. Teams use baselines when introducing the tool into large or long-lived repositories. New findings show up clearly, which helps keep focus on recent changes without losing visibility into older issues.
Filtering by severity and confidence also plays a role in long-term use. Many teams set thresholds that determine which findings fail a build and which ones generate warnings for later review.
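The baseline comparison and the severity/confidence gating described above, as an added example that is not part of the original article or of Bandit itself: it reads reports in the shape of Bandit's JSON output (constructed sample data is embedded inline), and the key used to match findings against the baseline is an assumption for this example, not Bandit's own matching rule.

```python
import json
# Rank order of Bandit's severity and confidence levels.
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed samples in the shape of Bandit's JSON report (bandit -r . -f json);
# not real scan output, and only the fields used below are included.
CURRENT_SCAN = json.dumps({"results": [
    {"test_id": "B307", "filename": "app/calc.py", "line_number": 12,
     "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
     "issue_text": "Use of possibly insecure function - consider using safer ast.literal_eval."},
    {"test_id": "B105", "filename": "app/settings.py", "line_number": 3,
     "issue_severity": "LOW", "issue_confidence": "MEDIUM",
     "issue_text": "Possible hardcoded password: 'changeme'"},
    {"test_id": "B602", "filename": "app/run.py", "line_number": 40,
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue."},
]})
# Baseline recorded earlier: the eval finding was already known (on a different line then).
BASELINE = json.dumps({"results": [
    {"test_id": "B307", "filename": "app/calc.py", "line_number": 9,
     "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
     "issue_text": "Use of possibly insecure function - consider using safer ast.literal_eval."},
]})

def finding_key(r):
    # Identity that survives line shifts. This key is an assumption for the example;
    # Bandit's own baseline comparison uses its own matching logic.
    return (r["test_id"], r["filename"], r["issue_text"])

def new_findings(report_json, baseline_json):
    """Findings in the current report that are absent from the baseline."""
    known = {finding_key(r) for r in json.loads(baseline_json)["results"]}
    return [r for r in json.loads(report_json)["results"] if finding_key(r) not in known]

def triage(findings, fail_severity="MEDIUM", fail_confidence="HIGH"):
    """Split into (failures, warnings); a finding fails only when both thresholds are met."""
    failures, warnings = [], []
    for r in findings:
        sev, conf = LEVELS[r["issue_severity"]], LEVELS[r["issue_confidence"]]
        hit = sev >= LEVELS[fail_severity] and conf >= LEVELS[fail_confidence]
        (failures if hit else warnings).append(r)
    return failures, warnings

def build_exit_code(report_json, baseline_json=None, **thresholds):
    """Non-zero when a new (or, with no baseline, any) finding crosses the thresholds."""
    findings = (json.loads(report_json)["results"] if baseline_json is None
                else new_findings(report_json, baseline_json))
    failures, _ = triage(findings, **thresholds)
    return 1 if failures else 0
```

With the sample data, only the hard-coded password and the shell=True call are new relative to the baseline, and only the latter meets the default MEDIUM/HIGH gate, so the build fails on one finding and warns on the other.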
Project status and download
Bandit is maintained by the PyCQA community and has a long history in the Python security ecosystem. Recent releases focus on compatibility updates and rule maintenance, which reflects its role as a stable utility.
Bandit is available for free on GitHub.
