loading
loading
Static Code Analysis
Find common security issues in Python code.
overview
bandit reads each Python file, builds an abstract syntax tree from it, and runs a set of security plugins against the tree nodes. That AST-level view lets it catch real risk patterns, the hardcoded passwords, shell injection, weak crypto calls, and unsafe deserialization that a text grep would miss or over-report.
Once it finishes a target, it assembles a report you can shape to a pipeline. Severity and confidence thresholds keep a run focused on issues that matter, a baseline file suppresses known findings so only new ones surface, and output formats from JSON to XML to HTML route results wherever triage lives.
On Trickest, bandit is a Static Code Analysis node that takes Python source as a file or folder and writes a file and a folder of findings. Run it on a repository and merge its output with dynamic scanner results for one view of code and runtime risk.
source github.com/PyCQA/bandit
use cases
Point bandit at a source folder with --recursive and let its plugins surface injection, weak crypto, and hardcoded secrets across the whole codebase.
Compare against a baseline JSON report with --baseline so previously accepted issues stay quiet and the run flags only fresh problems.
Raise the severity floor with -ll or -lll and drop noisy plugins with --skip so a run returns the high-signal findings worth acting on.
Emit JSON or XML with -f and route bandit findings into the same table and reporting flow as dynamic scanner output for one risk view.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| targets-folder | FOLDER | targets | Source folder to scan. |
| targets-file | FILE | targets | Source file(s) to scan. |
| recursive-target | FOLDER | --recursive | Find and process files in subdirectories. |
| output-format | STRING | -f | Output format: csv, custom, html, json, screen, txt, xml, or yaml. |
| level-medium | STRING | -ll | Report only issues at MEDIUM severity or higher (-l low, -lll high). |
| baseline | FILE | --baseline | Path of a baseline JSON report to compare against. |
| skip-id | STRING | --skip | Comma-separated list of test IDs to skip. |
| exit-zero | BOOLEAN | --exit-zero | Exit with 0 even when results are found. |
Showing key inputs. bandit exposes 23 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| debug | BOOLEAN | -d | Turn on debug mode. |
| quiet | BOOLEAN | -q | Only show output in the case of an error. |
| profile | STRING | --profile | Profile to use (defaults to executing all tests). |
| skip-id | STRING | --skip | Comma-separated list of test IDs to skip. |
| test-id | STRING | --tests | Comma-separated list of test IDs to run. |
| verbose | BOOLEAN | --verbose | Output extra information like excluded and included files. |
| baseline | FILE | --baseline | Path of a baseline report to compare against (only JSON-formatted files are accepted). |
| ini-file | FILE | --ini | Path to a .bandit file that supplies command line arguments. |
| aggregate | STRING | --aggregate | Aggregate output by vulnerability (default) or by filename. |
| exit-zero | BOOLEAN | --exit-zero | Exit with 0, even when results are found. |
| level-low | STRING | -l | Report only issues at LOW severity or higher. |
| confidence | BOOLEAN | --confidence | Report only issues at a given confidence level or higher. |
| level-high | STRING | -lll | Report only issues at HIGH severity or higher. |
| config-file | FILE | --configfile | Optional config file to use for selecting plugins and overriding defaults. |
| ignore-nosec | BOOLEAN | --ignore-nosec | Do not skip lines with # nosec comments. |
| level-medium | STRING | -ll | Report only issues at MEDIUM severity or higher. |
| msg-template | STRING | --msg-template | Specify output message template (only usable when output-format is set to custom). |
| number-lines | STRING | --number | Maximum number of code lines to output for each issue. |
| targets-file | FILE | targets | Source file(s) to scan. |
| exclude-paths | STRING | --exclude | Comma-separated list of paths (glob patterns supported) to exclude from the scan, in addition to the config file excludes (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg). |
| output-format | STRING | -f | Output format: csv, custom, html, json, screen, txt, xml, or yaml. |
| targets-folder | FOLDER | targets | Source folder to scan. |
| recursive-target | FOLDER | --recursive | Find and process files in subdirectories. |
example
# recursively scan a source tree, medium severity and up, JSON reportbandit -r ./src -ll -f json -o findings.jsonRun started:2026-07-14 09:12:03Test results:>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'changeme' Severity: Low Confidence: Medium Location: ./src/config.py:14:14>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified. Severity: High Confidence: High Location: ./src/tasks.py:52:8Code scanned: 1284 lines across 9 files, 2 issues (1 High, 1 Low)guidance
Use bandit when the target is Python source, not a running app. It reasons about code, scanners test the deployed service, so pair both for coverage. For many languages with one engine, reach for semgrep instead.
Pattern-based static analysis across many languages. bandit is Python-only but ships Python-specific plugins out of the box.
The equivalent security linter for Go. Same role, different language.
Security scanner for Ruby web apps. A sibling for a different stack.
faq
related
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
Inspect Go source code for security problems by scanning the Go AST.
Python source feeds bandit, which builds an AST, runs its security plugins, and writes the findings as a queryable output.
Facts on this page come from the live Trickest tool library.