bandit/doc/source/man/bandit.rst

bandit

SYNOPSIS

bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]

[-p PROFILE] [-t TESTS] [-s SKIPS] [-l] [-i] [-f {csv,custom,html,json,screen,txt,xml,yaml}] [--msg-template MSG_TEMPLATE] [-o OUTPUT_FILE] [-v] [-d] [--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE] [--ini INI_PATH] [--version] targets [targets ...]

DESCRIPTION

bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.

OPTIONS

-h, --help show this help message and exit -r, --recursive find and process files in subdirectories -a {file,vuln}, --aggregate {file,vuln} aggregate output by vulnerability (default) or by filename -n CONTEXT_LINES, --number CONTEXT_LINES maximum number of code lines to output for each issue -c CONFIG_FILE, --configfile CONFIG_FILE optional config file to use for selecting plugins and overriding defaults -p PROFILE, --profile PROFILE profile to use (defaults to executing all tests) -t TESTS, --tests TESTS comma-separated list of test IDs to run -s SKIPS, --skip SKIPS comma-separated list of test IDs to skip -l, --level report only issues of a given severity level or higher (-l for LOW, -ll for MEDIUM, -lll for HIGH) -i, --confidence report only issues of a given confidence level or higher (-i for LOW, -ii for MEDIUM, -iii for HIGH) -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml} specify output format --msg-template MSG_TEMPLATE specify output message template (only usable with --format custom), see CUSTOM FORMAT section for list of available values -o OUTPUT_FILE, --output OUTPUT_FILE write report to filename -v, --verbose output extra information like excluded and included files -d, --debug turn on debug mode --ignore-nosec do not skip lines with # nosec comments -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS comma-separated list of paths to exclude from scan (note that these are in addition to the excluded paths provided in the config file) -b BASELINE, --baseline BASELINE path of a baseline report to compare against (only JSON-formatted files are accepted) --ini INI_PATH path to a .bandit file that supplies command line arguments --version show program's version number and exit

CUSTOM FORMATTING

Available tags:

{abspath}, {relpath}, {line}, {test_id}, {severity}, {msg}, {confidence}, {range}

Example usage:

Default template: bandit -r examples/ --format custom --msg-template "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"

Provides same output as: bandit -r examples/ --format custom

Tags can also be formatted in python string.format() style: bandit -r examples/ --format custom --msg-template "{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

See python documentation for more information about formatting style: https://docs.python.org/3.4/library/string.html

FILES

.bandit

file that supplies command line arguments

/etc/bandit/bandit.yaml

legacy bandit configuration file

EXAMPLES

Example usage across a code tree:

bandit -r ~/openstack-repo/keystone

Example usage across the examples/ directory, showing three lines of context and only reporting on the high-severity issues:

bandit examples/*.py -n 3 -lll

Bandit can be run with profiles. To run Bandit against the examples directory using only the plugins listed in the ShellInjection profile:

bandit examples/*.py -p ShellInjection

Bandit also supports passing lines of code to scan using standard input. To run Bandit with standard input:

cat examples/imports.py | bandit -

SEE ALSO

pylint(1)