Code Quality and Security Linting
Bandit: A Security Linter from Python Code Quality Authority (PyCQA)
To catch pitfalls like these before code ships, developers can run a security linter such as Bandit. Bandit, as its official documentation describes it, is a tool designed to find common security issues in Python code: it processes each file, builds an abstract syntax tree (AST) from it and runs the appropriate plugins against the AST nodes; once every file has been scanned it generates a report. Because it works on the AST rather than on raw text, it matches code patterns (a call, a keyword argument carrying a literal value) rather than substrings, and it can only judge what is visible statically. Start by installing it with pip, pinned to a known version:
# Activate the virtual environment
workon menu
# Install Bandit
pip install bandit==1.8.3
After installing Bandit, you can run it against your Python codebase:
bandit -r $HOME/RestQR/
The -r flag tells Bandit to scan the directory recursively. The output should provide a detailed report on any security issues detected in the codebase. For example, the following line:
app.run(host="0.0.0.0", port=5001, debug=True)
would trigger two Bandit issues, one for debug=True and one for host="0.0.0.0". The combination is worse than either setting alone: debug=True turns on the Werkzeug interactive debugger, which evaluates arbitrary Python in the server process, and binding to 0.0.0.0 makes that debugger reachable from every network interface, not just the developer's machine.
>> Issue: [B201:flask_debug_true] A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code.
Severity: High Confidence: Medium
CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html)
More Info: https://bandit.readthedocs.io/en/1.8.3/plugins/b201_flask_debug_true.html
Location: /root/RestQR/qr/app.py:30:4
29 if __name__ == "__main__":
30 app.run(host="0.0.0.0", port=5001, debug=True)
--------------------------------------------------
>> Issue: [B104:hardcoded_bind_all_interfaces] Possible binding to all interfaces.
Severity: Medium Confidence: Medium
CWE: CWE-605 (https://cwe.mitre.org/data/definitions/605.html)
More Info: https://bandit.readthedocs.io/en/1.8.3/plugins/b104_hardcoded_bind_all_interfaces.html
Location: /root/RestQR/qr/app.py:30:17
29 if __name__ == "__main__":
30 app.run(host="0.0.0.0", port=5001, debug=True)
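To show what the two plugins actually match, here is an added example (not Bandit's own plugin code and not from the page): a small AST walker that looks for the same two patterns Bandit reported above and runs it against the flagged line and against a hardened form of it. The environment variable names APP_HOST and APP_DEBUG are assumptions chosen for the example.

```python
"""Added example: a tiny AST walker that looks for the two patterns Bandit
reported above, run against the flagged line and against a hardened form.
It mirrors what the B201/B104 plugins match but is not Bandit's own code."""
import ast

# Constructed sample: the page's line, in a module that imports Flask.
VULNERABLE_SRC = '''
from flask import Flask
app = Flask(__name__)
if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5001, debug=True)
'''

# Hardened form: bind to loopback unless told otherwise, and take debug from
# the environment with "off" as the default (APP_HOST/APP_DEBUG are names
# chosen for this example, not settings Flask or the project defines).
HARDENED_SRC = '''
import os
from flask import Flask
app = Flask(__name__)
if __name__ == "__main__":
    app.run(
        host=os.environ.get("APP_HOST", "127.0.0.1"),
        port=5001,
        debug=os.environ.get("APP_DEBUG", "0") == "1",
    )
'''


def _imports_flask(tree: ast.AST) -> bool:
    """True if the module imports flask (B201 only fires in such modules)."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] == "flask" for a in node.names):
                return True
        if isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] == "flask":
                return True
    return False


def _keyword(call: ast.Call, name: str):
    """Return the value node passed as keyword `name`, or None."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def find_issues(source: str) -> list[tuple[str, int]]:
    """Return (test_id, line) pairs for B201/B104-style findings in `source`.

    Like Bandit, this matches literals only: debug=True and the string
    "0.0.0.0". A value computed at runtime is invisible to a static check,
    so the hardened form passes because the decision moved to configuration,
    not because the linter proved it safe.
    """
    tree = ast.parse(source)
    flask_imported = _imports_flask(tree)
    issues = []
    for node in ast.walk(tree):
        # B104-style: a "0.0.0.0" string literal anywhere in the file.
        if isinstance(node, ast.Constant) and node.value == "0.0.0.0":
            issues.append(("B104", node.lineno))
        # B201-style: <obj>.run(..., debug=True) in a module importing flask.
        if (
            flask_imported
            and isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "run"
        ):
            dbg = _keyword(node, "debug")
            if isinstance(dbg, ast.Constant) and dbg.value is True:
                issues.append(("B201", node.lineno))
    return sorted(issues)


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC)):
        print(label, find_issues(src))
```

The hardened source produces no findings, but read that for what it is: the linter no longer sees a literal, so the real control is whatever sets APP_DEBUG and APP_HOST in production. Treat a clean Bandit run as the absence of known bad patterns, not as proof of a safe deployment.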
Bandit reports each finding with its severity and confidence, the CWE it maps to (linked to the Common Weakness Enumeration database), a link to the plugin's documentation, and the file, line and column of the offending code (in the example, column 4 is the app.run call and column 17 is the "0.0.0.0" literal, which is why the two issues on the same line carry different column numbers). The -f flag selects the output format and -o writes the report to a file instead of the terminal, for example -f json -o bandit_results.json for a machine-readable report that a pipeline can consume. The available formatters are:
- csv
- custom (a user-supplied line template passed with --msg-template)
- html
- json
- sarif
- screen (the default; text with terminal colours)
- txt
- xml
- yaml
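The JSON report is what a pipeline should act on rather than the screen output. As an added example (not part of Bandit or of the page's project), here is a small gate that reads a Bandit JSON report and fails when any finding reaches a severity and confidence threshold; the field names follow what bandit -f json writes, and the sample report is constructed from the two findings shown above. The gate also refuses to pass when Bandit lists files it could not parse, since those files were never scanned. The allowlist of (test_id, filename) pairs is this example's own mechanism for accepted findings.

```python
"""Added example: gate a pipeline on Bandit's JSON report. Not part of Bandit;
the field names follow what `bandit -f json -o bandit_results.json` writes."""
import json
import sys
from pathlib import Path

# Constructed sample in the shape of `bandit -f json` output, carrying the two
# findings shown above (metrics and unused fields trimmed).
SAMPLE_REPORT = json.dumps({
    "errors": [],
    "results": [
        {
            "filename": "/root/RestQR/qr/app.py",
            "line_number": 30,
            "test_id": "B201",
            "test_name": "flask_debug_true",
            "issue_severity": "HIGH",
            "issue_confidence": "MEDIUM",
            "issue_cwe": {"id": 94, "link": "https://cwe.mitre.org/data/definitions/94.html"},
            "issue_text": "A Flask app appears to be run with debug=True, ...",
        },
        {
            "filename": "/root/RestQR/qr/app.py",
            "line_number": 30,
            "test_id": "B104",
            "test_name": "hardcoded_bind_all_interfaces",
            "issue_severity": "MEDIUM",
            "issue_confidence": "MEDIUM",
            "issue_cwe": {"id": 605, "link": "https://cwe.mitre.org/data/definitions/605.html"},
            "issue_text": "Possible binding to all interfaces.",
        },
    ],
})

# Bandit's three levels, ordered so thresholds can be compared numerically.
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def gate(report_json, min_severity="MEDIUM", min_confidence="MEDIUM", allowlist=frozenset()):
    """Return (passed, reasons) for a Bandit JSON report.

    A finding blocks when both its severity and its confidence reach the
    thresholds, unless (test_id, filename) is in `allowlist` (a reviewed and
    accepted finding; this allowlist is the example's own idea). Files Bandit
    could not parse appear under "errors": they were never scanned, so they
    block too instead of silently passing.
    """
    report = json.loads(report_json)
    reasons = []
    for err in report.get("errors", []):
        reasons.append(f"not scanned: {err.get('filename')} ({err.get('reason')})")
    for r in report.get("results", []):
        if (r["test_id"], r["filename"]) in allowlist:
            continue
        if LEVELS[r["issue_severity"]] < LEVELS[min_severity]:
            continue
        if LEVELS[r["issue_confidence"]] < LEVELS[min_confidence]:
            continue
        reasons.append(
            f"{r['test_id']} {r['issue_severity']}/{r['issue_confidence']} "
            f"CWE-{r['issue_cwe']['id']} {r['filename']}:{r['line_number']}"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Usage: python gate.py bandit_results.json   (exit status 1 blocks the pipeline)
    data = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, reasons = gate(data)
    print("\n".join(reasons) or "no blocking findings")
    sys.exit(0 if passed else 1)
```

Bandit itself already exits non-zero when it reports anything at or above the thresholds set with its -l (severity) and -i (confidence) flags, repeated for higher levels (-ll, -iii), so a gate like this is for policy the CLI flags cannot express: per-file acceptances, failing closed on unparsed files, or different thresholds per CWE. Accepted findings in the code are normally marked with a # nosec comment on the offending line rather than kept in an external list.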
To customize Bandit's behavior you can put its settings in a configuration file, which lets you choose which plugins to run or skip, which directories to exclude, and plugin-specific options. The common form today is a [tool.bandit] table in pyproject.toml, passed explicitly with -c pyproject.toml (the older INI-style .bandit file uses a [bandit] section with comma-separated values and is picked up automatically from the scanned directory). Severity and confidence thresholds are not set here; they are command-line flags (-l and -i). This is an example of the TOML form:
[tool.bandit]
# List of target folders to scan
targets = ["menu", "qr"]
# List of directories and files to exclude
exclude_dirs = ["tests", "venv"]
# List of tests to run
tests = ["B201", "B301"]
# List of tests to skip
skips =
DevSecOps in Practice: A Hands-On Guide to Operationalizing DevSecOps at Scale
