Carview!

A security linter from PyCQA

Free software: Apache license
Documentation: https://bandit.readthedocs.io/en/latest/
Source: https://github.com/PyCQA/bandit
Bugs: https://github.com/PyCQA/bandit/issues
Contributing: https://github.com/PyCQA/bandit/blob/main/CONTRIBUTING.md

Overview

Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.

Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.

Show Your Style

Use our badge in your project's README!

using Markdown:

[![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)

using RST:

.. image:: https://img.shields.io/badge/security-bandit-yellow.svg
    :target: https://github.com/PyCQA/bandit
    :alt: Security Status

References

Python AST module documentation: https://docs.python.org/3/library/ast.html

Green Tree Snakes - the missing Python AST docs: https://greentreesnakes.readthedocs.org/en/latest/

Documentation of the various types of AST nodes that Bandit currently covers or could be extended to cover: https://greentreesnakes.readthedocs.org/en/latest/nodes.html

Container Images

Bandit is available as a container image, built within the bandit repository using GitHub Actions. The image is available on ghcr.io:

docker pull ghcr.io/pycqa/bandit/bandit

The image is built for the following architectures:

amd64
arm64
armv7
armv8

To pull a specific architecture, use the following format:

docker pull --platform=<architecture> ghcr.io/pycqa/bandit/bandit:latest

Every image is signed with sigstore cosign and it is possible to verify the source of origin using the following cosign command:

cosign verify ghcr.io/pycqa/bandit/bandit:latest \
  --certificate-identity https://github.com/pycqa/bandit/.github/workflows/build-publish-image.yml@refs/tags/<version> \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Where <version> is the release version of Bandit.

Name		Name	Last commit message	Last commit date
Latest commit History 1,461 Commits
.github		.github
bandit		bandit
doc		doc
docker		docker
examples		examples
logo		logo
scripts		scripts
tests		tests
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
.pre-commit-hooks.yaml		.pre-commit-hooks.yaml
.readthedocs.yaml		.readthedocs.yaml
.stestr.conf		.stestr.conf
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
README.rst		README.rst
SECURITY.md		SECURITY.md
bandit-terminal.png		bandit-terminal.png
funding.json		funding.json
pylintrc		pylintrc
requirements.txt		requirements.txt
setup.cfg		setup.cfg
setup.py		setup.py
test-requirements.txt		test-requirements.txt
tox.ini		tox.ini

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Repository files navigation

Overview

Show Your Style

References

Container Images

Sponsors

About

Uh oh!

Releases 24

Sponsor this project

Uh oh!

Packages

Uh oh!

Used by 56k

Contributors 148

Languages

Uh oh!

License

PyCQA/bandit

Folders and files

Latest commit

History

Repository files navigation

Overview

Show Your Style

References

Container Images

Sponsors

About

Topics

Resources

License

Code of conduct

Security policy

Uh oh!

Stars

Watchers

Forks

Releases 24

Sponsor this project

Uh oh!

Packages 0

Uh oh!

Used by 56k

Contributors 148

Languages

Packages