Enhance your python code security using bandit

whchi

Posted on February 29, 2024

In the constantly evolving realm of technology, ensuring the security of your code is also an important part of software development.

Here, I am using Bandit, a tool designed to find common security issues in Python code, to improve my project's security.

Severity vs Confidence

In the context of information security, severity and confidence are two important metrics. Both are rated Low, Medium, or High.

Severity measures how serious the consequences could be if the security issue is exploited or left unaddressed.

Confidence reflects how well the finding has been validated, verified, or understood; that is, how likely it is to be a real issue rather than a false positive.

Call to action

The result of a Bandit scan is a detailed report that outlines potential security issues in the code. This report includes the severity and confidence of each issue, as well as the part of the code where the issue was detected. The report can be output in several formats, including CSV, HTML, JSON, text, XML, and YAML. This allows developers to easily parse and analyze the results and take appropriate action to improve the security of their code.

Bandit scanning result

The following are some simple criteria for judging findings after a scan.

  • High Severity, High Confidence: Immediate action is typically taken due to a well-understood and verified security threat with potentially severe consequences.

  • High Severity, Low Confidence: Caution is exercised, and further investigation is needed to increase confidence in the assessment before taking decisive action.

  • Low Severity, High Confidence: Proactive measures may be taken even for low-severity issues if there is high confidence in the assessment.

  • Low Severity, Low Confidence: Ongoing monitoring and investigation are required to either confirm the low risk or gather additional information.
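The criteria above can be applied mechanically to Bandit's JSON output (`bandit -f json`). The following is an added example, not code from the post or from Bandit itself: it parses a constructed report, sorts each finding into an action bucket by its (severity, confidence) pair, and reports whether any High/High finding should block the commit. Combinations the list above does not mention (anything involving Medium) are treated as "investigate"; that default is my assumption, not the post's.

```python
import json

# Constructed sample in the shape of `bandit -f json` output, trimmed to the
# fields used here. The findings are made up for the example, not a real scan.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified",
         "filename": "app/run.py", "line_number": 12},
        {"test_id": "B104", "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
         "issue_text": "Possible binding to all interfaces.",
         "filename": "app/server.py", "line_number": 3},
        {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected.",
         "filename": "app/util.py", "line_number": 7},
        {"test_id": "B311", "issue_severity": "LOW", "issue_confidence": "LOW",
         "issue_text": "Standard pseudo-random generators are not suitable for security purposes.",
         "filename": "app/util.py", "line_number": 22},
    ]
})

# Action per (severity, confidence) pair, following the four criteria above.
# Any other pair (the Medium cases) falls back to "investigate" (assumption).
ACTIONS = {
    ("HIGH", "HIGH"): "fix now",
    ("HIGH", "LOW"): "investigate",
    ("LOW", "HIGH"): "fix when convenient",
    ("LOW", "LOW"): "monitor",
}


def triage(report_json: str) -> dict:
    """Group findings from a Bandit JSON report into action buckets.

    Returns {action: ["<test_id> <file>:<line>", ...]}.
    """
    buckets: dict = {}
    for r in json.loads(report_json)["results"]:
        key = (r["issue_severity"], r["issue_confidence"])
        action = ACTIONS.get(key, "investigate")
        buckets.setdefault(action, []).append(
            f'{r["test_id"]} {r["filename"]}:{r["line_number"]}')
    return buckets


def should_block(report_json: str) -> bool:
    """True when at least one High/High finding needs immediate action."""
    return bool(triage(report_json).get("fix now"))


if __name__ == "__main__":
    for action, items in triage(SAMPLE_REPORT).items():
        print(f"{action}: {', '.join(items)}")
    print("block commit:", should_block(SAMPLE_REPORT))
```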

Setup

With pre-commit you can integrate Bandit into your Python project very easily.

  1. pyproject.toml: skip folders you don't want to be scanned

```toml
[tool.bandit]
exclude_dirs = [
    ".venv",
    ".git",
    "__pycache__",
]
```

  2. .pre-commit-config.yaml: add the pre-commit hook

```yaml
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.7
    hooks:
      - id: bandit
        # -c points Bandit at the [tool.bandit] section above; -r scans recursively
        args: ["-c", "pyproject.toml", "-r", "."]
        # the toml extra is required for Bandit to read pyproject.toml
        additional_dependencies: ["bandit[toml]"]
```

That's it.
