--- name: sast-bandit description: > Python security vulnerability detection using Bandit SAST with CWE and OWASP mapping. Use when: (1) Scanning Python code for security vulnerabilities and anti-patterns, (2) Identifying hardcoded secrets, SQL injection, command injection, and insecure APIs, (3) Generating security reports with severity classifications for CI/CD pipelines, (4) Providing remediation guidance with security framework references, (5) Enforcing Python security best practices in development workflows. version: 0.1.0 maintainer: SirAppSec category: appsec tags: [sast, bandit, python, vulnerability-scanning, owasp, cwe, security-linting] frameworks: [OWASP, CWE] dependencies: python: ">=3.8" packages: [bandit] references: - https://github.com/PyCQA/bandit - https://bandit.readthedocs.io/ - https://owasp.org/www-project-top-ten/ --- # Bandit Python SAST ## Overview Bandit is a security-focused static analysis tool for Python that identifies common security vulnerabilities and coding anti-patterns. It parses Python code into Abstract Syntax Trees (AST) and executes security plugins to detect issues like hardcoded credentials, SQL injection, command injection, weak cryptography, and insecure API usage. Bandit provides actionable reports with severity classifications aligned to industry security standards. ## Quick Start Scan a Python file or directory for security vulnerabilities: ```bash # Install Bandit pip install bandit # Scan single file bandit suspicious_file.py # Scan entire directory recursively bandit -r /path/to/python/project # Generate JSON report bandit -r project/ -f json -o bandit_report.json # Scan with custom config bandit -r project/ -c .bandit.yaml ``` ## Core Workflow ### Step 1: Install and Configure Bandit Install Bandit via pip: ```bash pip install bandit ``` Create a configuration file `.bandit` or `.bandit.yaml` to customize scans: ```yaml # .bandit.yaml exclude_dirs: - /tests/ - /venv/ - /.venv/ - /node_modules/ skips: - B101 # Skip assert_used checks in test files tests: - B201 # Flask app run with debug=True - B301 # Pickle usage - B601 # Shell injection - B602 # Shell=True in subprocess ``` ### Step 2: Execute Security Scan Run Bandit against Python codebase: ```bash # Basic scan with severity threshold bandit -r . -ll # Report only medium/high severity # Comprehensive scan with detailed output bandit -r . -f json -o report.json -v # Scan with confidence filtering bandit -r . -i # Show only high confidence findings # Exclude specific tests bandit -r . -s B101,B601 ``` ### Step 3: Analyze Results Bandit reports findings with: - **Issue Type**: Vulnerability category (e.g., hardcoded_password, sql_injection) - **Severity**: LOW, MEDIUM, HIGH - **Confidence**: LOW, MEDIUM, HIGH - **CWE**: Common Weakness Enumeration reference - **Location**: File path and line number Example output: ``` >> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'admin123' Severity: Medium Confidence: Medium CWE: CWE-259 (Use of Hard-coded Password) Location: app/config.py:12 ``` ### Step 4: Prioritize Findings Focus remediation efforts using this priority matrix: 1. **Critical**: HIGH severity + HIGH confidence 2. **High**: HIGH severity OR MEDIUM severity + HIGH confidence 3. **Medium**: MEDIUM severity + MEDIUM confidence 4. **Low**: LOW severity OR LOW confidence ### Step 5: Remediate Vulnerabilities For each finding, consult the bundled `references/remediation_guide.md` for secure coding patterns. Common remediation strategies: - **Hardcoded Secrets (B105, B106)**: Use environment variables or secret management services - **SQL Injection (B608)**: Use parameterized queries with SQLAlchemy or psycopg2 - **Command Injection (B602, B605)**: Avoid `shell=True`, use `shlex.split()` for argument parsing - **Weak Cryptography (B303, B304)**: Replace MD5/SHA1 with SHA256/SHA512 or bcrypt for passwords - **Insecure Deserialization (B301)**: Avoid pickle, use JSON or MessagePack with schema validation ### Step 6: Integrate into CI/CD Add Bandit to CI/CD pipelines to enforce security gates: ```yaml # .github/workflows/security-scan.yml name: Security Scan on: [push, pull_request] jobs: bandit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/setup-python@v4 with: python-version: '3.11' - name: Install Bandit run: pip install bandit - name: Run Bandit run: bandit -r . -f json -o bandit-report.json - name: Check for high severity issues run: bandit -r . -ll -f txt || exit 1 ``` Use the bundled script `scripts/bandit_analyzer.py` for enhanced reporting with OWASP mapping. ## Security Considerations - **Sensitive Data Handling**: Bandit reports may contain code snippets with hardcoded credentials. Ensure reports are stored securely and access is restricted. Use `--no-code` flag to exclude code snippets from reports. - **Access Control**: Run Bandit in sandboxed CI/CD environments with read-only access to source code. Restrict write permissions to prevent tampering with security configurations. - **Audit Logging**: Log all Bandit executions with timestamps, scan scope, findings count, and operator identity for security auditing and compliance purposes. - **Compliance**: Bandit supports SOC2, PCI-DSS, and GDPR compliance by identifying security weaknesses. Document scan frequency, remediation timelines, and exception approvals for audit trails. - **False Positives**: Review LOW confidence findings manually. Use inline `# nosec` comments sparingly and document justifications in code review processes. ## Bundled Resources ### Scripts (`scripts/`) - `bandit_analyzer.py` - Enhanced Bandit wrapper that parses JSON output, maps findings to OWASP Top 10, generates HTML reports, and integrates with ticketing systems. Use for comprehensive security reporting. ### References (`references/`) - `remediation_guide.md` - Detailed secure coding patterns for common Bandit findings, including code examples for SQLAlchemy parameterization, secure subprocess usage, and cryptographic best practices. Consult when remediating specific vulnerability types. - `cwe_owasp_mapping.md` - Complete mapping between Bandit issue codes, CWE identifiers, and OWASP Top 10 categories. Use for security framework alignment and compliance reporting. ### Assets (`assets/`) - `bandit_config.yaml` - Production-ready Bandit configuration with optimized test selection, exclusion patterns for common false positives, and severity thresholds. Use as baseline configuration for projects. - `pre-commit-config.yaml` - Pre-commit hook configuration for Bandit integration. Prevents commits with HIGH severity findings. ## Common Patterns ### Pattern 1: Baseline Security Scan Establish security baseline for legacy codebases: ```bash # Generate baseline report bandit -r . -f json -o baseline.json # Compare future scans against baseline bandit -r . -f json -o current.json diff <(jq -S . baseline.json) <(jq -S . current.json) ``` ### Pattern 2: Security Gating in Pull Requests Block merges with HIGH severity findings: ```bash # Exit with error if HIGH severity issues found bandit -r . -lll -f txt if [ $? -ne 0 ]; then echo "HIGH severity security issues detected - blocking merge" exit 1 fi ``` ### Pattern 3: Progressive Security Hardening Incrementally increase security standards: ```bash # Phase 1: Block only CRITICAL (HIGH severity + HIGH confidence) bandit -r . -ll -i # Phase 2: Block HIGH severity bandit -r . -ll # Phase 3: Block MEDIUM and above bandit -r . -l ``` ### Pattern 4: Suppressing False Positives Document exceptions inline with justification: ```python # Example: Suppressing pickle warning for internal serialization import pickle # nosec B301 - Internal cache, not user input def load_cache(file_path): with open(file_path, 'rb') as f: return pickle.load(f) # nosec B301 ``` ## Integration Points - **CI/CD**: Integrate as GitHub Actions, GitLab CI, Jenkins pipeline stage, or pre-commit hook. Use `scripts/bandit_analyzer.py` for enhanced reporting. - **Security Tools**: Combine with Semgrep for additional SAST coverage, Safety for dependency scanning, and SonarQube for code quality metrics. - **SDLC**: Execute during development (pre-commit), code review (PR checks), and release gates (pipeline stage). Establish baseline scans for legacy code and enforce strict checks for new code. - **Ticketing Integration**: Use `scripts/bandit_analyzer.py` to automatically create Jira/GitHub issues for HIGH severity findings with remediation guidance. ## Troubleshooting ### Issue: Too Many False Positives **Solution**: 1. Use confidence filtering: `bandit -r . -i` (HIGH confidence only) 2. Exclude test files: `bandit -r . --exclude /tests/` 3. Customize `.bandit.yaml` to skip specific tests for known safe patterns 4. Review and suppress with inline `# nosec` comments with justification ### Issue: Scan Performance on Large Codebases **Solution**: 1. Exclude dependencies: Add `/venv/`, `/.venv/`, `/site-packages/` to `.bandit.yaml` exclude_dirs 2. Use multiprocessing: Bandit automatically parallelizes for directories 3. Scan only changed files in CI/CD: `git diff --name-only origin/main | grep '.py$' | xargs bandit` ### Issue: Missing Specific Vulnerability Types **Solution**: 1. Check enabled tests: `bandit -l` (list all tests) 2. Ensure tests are not skipped in `.bandit.yaml` 3. Combine with Semgrep for additional coverage (e.g., business logic vulnerabilities) 4. Update Bandit regularly: `pip install --upgrade bandit` ### Issue: Integration with Pre-commit Hooks **Solution**: Use the bundled `assets/pre-commit-config.yaml`: ```yaml - repo: https://github.com/PyCQA/bandit rev: '1.7.5' hooks: - id: bandit args: ['-ll', '--recursive', '--configfile', '.bandit.yaml'] ``` Install hooks: `pre-commit install` ## References - [Bandit Documentation](https://bandit.readthedocs.io/) - [Bandit GitHub Repository](https://github.com/PyCQA/bandit) - [OWASP Top 10](https://owasp.org/www-project-top-ten/) - [CWE Database](https://cwe.mitre.org/) - [Python Security Best Practices](https://python.readthedocs.io/en/stable/library/security_warnings.html)