Secure Your Python App Using Bandit as a SAST Tool

Source: Dev.to

Static Application Security Testing (SAST) tools help you detect vulnerabilities directly in your source code before the application is executed or deployed. In this article, you will see how to use Bandit, a Python‑focused SAST tool, to scan a Python application and improve its security posture.

What Is SAST and Why It Matters

SAST refers to techniques and tools that analyze source code, bytecode, or binaries to find security weaknesses without running the application. These tools search for patterns related to insecure practices such as injection, unsafe system calls, weak cryptography, or hard‑coded secrets.

Running SAST early in the development lifecycle allows teams to detect and fix issues before they reach production, reducing both risk and remediation cost. Integrating SAST into everyday workflows (IDE checks, pre‑commit hooks, or CI/CD pipelines) transforms security from a late, manual step into a continuous, automated practice.

Meet Bandit: A Python Security Linter

Bandit is an open‑source security linter designed to find common security issues in Python code. It parses Python files, builds an abstract syntax tree (AST), and runs a set of security tests to detect problems such as:

• Hard‑coded passwords
• Use of unsafe functions like exec
• Insecure random generators
• Weak hashes
• Risky XML and subprocess usage

Because Bandit understands Python syntax and idioms, it can provide more precise findings than generic text‑based scanners. It is distributed through PyPI, actively maintained by the PyCQA community, and can be easily integrated into local development workflows and CI/CD pipelines.

Setting Up Bandit in Your Project

1. Create a virtual environment (optional)

   python -m venv .venv
   source .venv/bin/activate   # On Windows: .venv\Scripts\activate

2. Install Bandit

   pip install bandit

3. Install optional extras (e.g., TOML support, baseline management, SARIF output)

   pip install "bandit[toml]" "bandit[baseline]" "bandit[sarif]"

After installation, the bandit command becomes available in your shell.

Scanning a Python Application with Bandit

• Scan a single file

  bandit app.py

• Scan a whole project recursively

  bandit -r .

Bandit prints a report showing each issue it found, including severity, confidence, file path, line number, and a short description. Output formats such as JSON, XML, HTML, and YAML can be selected with the -f flag for integration with dashboards or storage.

Understanding Bandit’s Output

Bandit assigns two key attributes to each finding:

• Severity – how serious the potential vulnerability is (low, medium, high).
• Confidence – how certain Bandit is that the pattern represents a real security problem.

High‑severity, high‑confidence issues typically indicate dangerous patterns such as weak cryptographic functions, insecure temporary files, unsafe XML parsers, or shell commands with untrusted input. Developers should review these findings in context, confirm their validity, and apply fixes such as input validation, parameterization, replacing weak algorithms, or refactoring dangerous code.

Applying Bandit to a Sample Scenario

Imagine a small Python web application that:

• Performs file operations
• Calls external commands
• Processes user input

Bandit can help identify if:

• Temporary files are created using insecure methods.
• User input is passed directly into shell commands or SQL queries.
• Insecure modules like telnetlib or weak hash functions like md5 are in use.

Running bandit -r . from the project root will reveal these patterns with line numbers and explanations, making it easier to refactor the application before deployment.

Integrating Bandit into CI/CD

The real power of a SAST tool appears when it becomes part of automated pipelines. With Bandit, you can add a CI job that:

1. Installs dependencies.
2. Runs bandit -r ..
3. Fails the pipeline if new high‑severity issues are introduced.

Example (GitHub Actions)

name: Security Scan
on: [push, pull_request]

jobs:
  bandit-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'
      - name: Install Bandit
        run: pip install bandit
      - name: Run Bandit
        run: bandit -r . -f json -o bandit-report.json
      - name: Upload report
        uses: actions/upload-artifact@v3
        with:
          name: bandit-report
          path: bandit-report.json

You can also configure Bandit to output SARIF and feed it into security dashboards, or use a baseline file to compare current results against previous scans so that only new findings break the build.

Best Practices When Using Bandit

• Run Bandit locally as part of a pre‑commit hook to catch insecure patterns before code is pushed.
• Adjust severity and confidence thresholds to match your project’s risk tolerance, focusing on high‑impact issues first.
• Regularly review and update the configuration file (e.g., .bandit.yml) to skip false positives or define project‑specific rules.
• Combine Bandit with other security practices such as dependency scanning, dynamic testing, and manual code review.

Bandit is not a silver bullet, but it is a lightweight and effective way to bring security awareness into everyday Python development.

Limitations and Complementary Tools

Bandit focuses on static analysis of Python source code, so it does not replace dynamic application security testing or runtime protection. It may miss complex logic issues that require deeper understanding of business rules, which is why human review remains essential.

For a more complete security strategy, combine Bandit with tools that:

• Check open‑source dependencies (e.g., pip-audit, safety).
• Perform dynamic scans against running environments.
• Monitor production systems for runtime threats.

Even with these limitations, integrating Bandit as your SAST tool for Python significantly raises your application’s security baseline with relatively low effort.