sast-bandit

Python security vulnerability detection using Bandit SAST with CWE and OWASP mapping. Use when: (1) Scanning Python code for security vulnerabilities and anti-patterns, (2) Identifying hardcoded secrets, SQL injection, command injection, and insecure APIs, (3) Generating security reports with severity classifications for CI/CD pipelines, (4) Providing remediation guidance with security framework references, (5) Enforcing Python security best practices in development workflows.

Install this agent skill to your Project

npx add-skill https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/appsec/sast-bandit

SKILL.md

Bandit Python SAST

Overview

Bandit is a security-focused static analysis tool for Python that identifies common security vulnerabilities and coding anti-patterns. It parses Python code into Abstract Syntax Trees (AST) and executes security plugins to detect issues like hardcoded credentials, SQL injection, command injection, weak cryptography, and insecure API usage. Bandit provides actionable reports with severity classifications aligned to industry security standards.

Quick Start

Scan a Python file or directory for security vulnerabilities:

bash
# Install Bandit
pip install bandit

# Scan single file
bandit suspicious_file.py

# Scan entire directory recursively
bandit -r /path/to/python/project

# Generate JSON report
bandit -r project/ -f json -o bandit_report.json

# Scan with custom config
bandit -r project/ -c .bandit.yaml

Core Workflow

Step 1: Install and Configure Bandit

Install Bandit via pip:

bash
pip install bandit

Create a configuration file .bandit or .bandit.yaml to customize scans:

yaml
# .bandit.yaml
exclude_dirs:
  - /tests/
  - /venv/
  - /.venv/
  - /node_modules/

skips:
  - B101  # Skip assert_used checks globally (asserts are expected in test files)

# When `tests` is set, Bandit runs only the tests listed here
tests:
  - B201  # Flask app run with debug=True
  - B301  # Pickle usage
  - B601  # Shell injection
  - B602  # Shell=True in subprocess

Step 2: Execute Security Scan

Run Bandit against the Python codebase:

bash
# Basic scan with severity threshold
bandit -r . -ll  # Report only medium/high severity

# Comprehensive scan with detailed output
bandit -r . -f json -o report.json -v

# Scan with confidence filtering (-i = LOW and up, -ii = MEDIUM and up, -iii = HIGH only)
bandit -r . -iii  # Show only high confidence findings

# Exclude specific tests
bandit -r . -s B101,B601

Step 3: Analyze Results

Bandit reports findings with:

  • Issue Type: Vulnerability category (e.g., hardcoded_password, sql_injection)
  • Severity: LOW, MEDIUM, HIGH
  • Confidence: LOW, MEDIUM, HIGH
  • CWE: Common Weakness Enumeration reference
  • Location: File path and line number

Example output:

>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'admin123'
   Severity: Medium   Confidence: Medium
   CWE: CWE-259 (Use of Hard-coded Password)
   Location: app/config.py:12

Step 4: Prioritize Findings

Focus remediation efforts using this priority matrix:

  1. Critical: HIGH severity + HIGH confidence
  2. High: HIGH severity OR MEDIUM severity + HIGH confidence
  3. Medium: MEDIUM severity + MEDIUM confidence
  4. Low: LOW severity OR LOW confidence
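
The matrix above applied to a Bandit JSON report, as an added example (not the bundled scripts/bandit_analyzer.py). It assumes the rules are evaluated top-down with the first match winning; the function names and the sample report are constructed for illustration.

```python
import json

# Constructed sample shaped like `bandit -f json` output (not a real scan).
SAMPLE_REPORT = json.dumps({"results": [
    {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "filename": "app/tasks.py", "line_number": 40},
    {"test_id": "B301", "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
     "filename": "app/cache.py", "line_number": 8},
    {"test_id": "B105", "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
     "filename": "app/config.py", "line_number": 12},
    {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "filename": "app/db.py", "line_number": 77},
]})

ORDER = ["Critical", "High", "Medium", "Low"]  # most to least urgent


def priority(severity, confidence):
    """Apply the matrix top-down; the first matching rule wins (assumption)."""
    sev, conf = severity.upper(), confidence.upper()
    if sev == "HIGH" and conf == "HIGH":
        return "Critical"
    if sev == "HIGH" or (sev == "MEDIUM" and conf == "HIGH"):
        return "High"
    if sev == "MEDIUM" and conf == "MEDIUM":
        return "Medium"
    return "Low"  # LOW severity or LOW confidence


def triage(report_json):
    """Group findings from a Bandit JSON report by priority label."""
    buckets = {name: [] for name in ORDER}
    for r in json.loads(report_json).get("results", []):
        label = priority(r["issue_severity"], r["issue_confidence"])
        buckets[label].append(f'{r["test_id"]} {r["filename"]}:{r["line_number"]}')
    return buckets


def gate(buckets, block_at="High"):
    """Return a CI exit code: 1 if any finding is at or above block_at."""
    blocking = ORDER[: ORDER.index(block_at) + 1]
    return 1 if any(buckets[name] for name in blocking) else 0


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for name in ORDER:
        print(f"{name}: {found[name]}")
    raise SystemExit(gate(found))
```

Under this reading a HIGH severity finding with LOW confidence lands in High rather than Low, because the High rule is checked first.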

Step 5: Remediate Vulnerabilities

For each finding, consult the bundled references/remediation_guide.md for secure coding patterns. Common remediation strategies:

  • Hardcoded Secrets (B105, B106): Use environment variables or secret management services
  • SQL Injection (B608): Use parameterized queries with SQLAlchemy or psycopg2
  • Command Injection (B602, B605): Avoid shell=True, use shlex.split() for argument parsing
  • Weak Cryptography (B303, B304): Replace MD5/SHA1 with SHA256/SHA512 or bcrypt for passwords
  • Insecure Deserialization (B301): Avoid pickle, use JSON or MessagePack with schema validation

Step 6: Integrate into CI/CD

Add Bandit to CI/CD pipelines to enforce security gates:

yaml
# .github/workflows/security-scan.yml
name: Security Scan
on: [push, pull_request]

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Install Bandit
        run: pip install bandit
      - name: Run Bandit
        # --exit-zero: write the full report without failing here; the next step is the gate
        run: bandit -r . -f json -o bandit-report.json --exit-zero
      - name: Check for high severity issues
        run: bandit -r . -lll -f txt || exit 1

Use the bundled script scripts/bandit_analyzer.py for enhanced reporting with OWASP mapping.

Security Considerations

  • Sensitive Data Handling: Bandit reports may contain code snippets with hardcoded credentials. Ensure reports are stored securely and access is restricted. Use --no-code flag to exclude code snippets from reports.

  • Access Control: Run Bandit in sandboxed CI/CD environments with read-only access to source code. Restrict write permissions to prevent tampering with security configurations.

  • Audit Logging: Log all Bandit executions with timestamps, scan scope, findings count, and operator identity for security auditing and compliance purposes.

  • Compliance: Bandit supports SOC2, PCI-DSS, and GDPR compliance by identifying security weaknesses. Document scan frequency, remediation timelines, and exception approvals for audit trails.

  • False Positives: Review LOW confidence findings manually. Use inline # nosec comments sparingly and document justifications in code review processes.

Bundled Resources

Scripts (scripts/)

  • bandit_analyzer.py - Enhanced Bandit wrapper that parses JSON output, maps findings to OWASP Top 10, generates HTML reports, and integrates with ticketing systems. Use for comprehensive security reporting.

References (references/)

  • remediation_guide.md - Detailed secure coding patterns for common Bandit findings, including code examples for SQLAlchemy parameterization, secure subprocess usage, and cryptographic best practices. Consult when remediating specific vulnerability types.

  • cwe_owasp_mapping.md - Complete mapping between Bandit issue codes, CWE identifiers, and OWASP Top 10 categories. Use for security framework alignment and compliance reporting.

Assets (assets/)

  • bandit_config.yaml - Production-ready Bandit configuration with optimized test selection, exclusion patterns for common false positives, and severity thresholds. Use as baseline configuration for projects.

  • pre-commit-config.yaml - Pre-commit hook configuration for Bandit integration. Prevents commits with HIGH severity findings.

Common Patterns

Pattern 1: Baseline Security Scan

Establish a security baseline for legacy codebases:

bash
# Generate baseline report
bandit -r . -f json -o baseline.json

# Compare future scans against baseline (findings only; timestamp and metrics change on every run)
bandit -r . -f json -o current.json
diff <(jq -S .results baseline.json) <(jq -S .results current.json)

Pattern 2: Security Gating in Pull Requests

Block merges with HIGH severity findings:

bash
# Exit with error if HIGH severity issues found
bandit -r . -lll -f txt
if [ $? -ne 0 ]; then
    echo "HIGH severity security issues detected - blocking merge"
    exit 1
fi

Pattern 3: Progressive Security Hardening

Incrementally increase security standards:

bash
# Phase 1: Block only CRITICAL (HIGH severity + HIGH confidence)
bandit -r . -lll -iii

# Phase 2: Block HIGH severity
bandit -r . -lll

# Phase 3: Block MEDIUM and above
bandit -r . -ll

Pattern 4: Suppressing False Positives

Document exceptions inline with justification:

python
# Example: Suppressing pickle warning for internal serialization
import pickle  # nosec B403 - Internal cache, not user input

def load_cache(file_path):
    with open(file_path, 'rb') as f:
        return pickle.load(f)  # nosec B301
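
An added example (not part of the skill's bundled scripts) that audits `# nosec` suppressions so they stay documented as this pattern asks. It assumes a team policy that every suppression names a test ID and carries a justification; `audit_nosec` and the sample source are constructed for illustration.

```python
import io
import re
import tokenize

# "# nosec", optional Bandit test IDs, then optional free-text justification.
NOSEC = re.compile(r"#\s*nosec\b:?\s*((?:B\d{3}(?:\s*,\s*|\s+)?)*)(.*)", re.I)

# Constructed sample source; the string on the last line is not a comment.
SAMPLE = '''\
import pickle  # nosec B403 - Internal cache, not user input
import subprocess

def load_cache(path):
    with open(path, "rb") as f:
        return pickle.load(f)  # nosec B301

def run(cmd):
    return subprocess.call(cmd, shell=True)  # nosec

NOTE = "add '# nosec' only with a reason"
'''


def audit_nosec(source, filename="<src>"):
    """Return (filename, line, problem) for each weak `# nosec` suppression."""
    problems = []
    # tokenize yields real comments only, so "# nosec" inside strings is ignored.
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        match = NOSEC.search(tok.string)
        if not match:
            continue
        ids = re.findall(r"B\d{3}", match.group(1).upper())
        reason = match.group(2).strip(" -:#")
        if not ids:  # suppresses every test on the line
            problems.append((filename, tok.start[0], "blanket nosec: no test ID"))
        if not reason:
            problems.append((filename, tok.start[0], "no justification"))
    return problems


if __name__ == "__main__":
    for name, line, problem in audit_nosec(SAMPLE):
        print(f"{name}:{line}: {problem}")
```

Suppressions written with test names instead of IDs are reported as blanket by this check; extend the pattern if your codebase uses them.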

Integration Points

  • CI/CD: Integrate as GitHub Actions, GitLab CI, Jenkins pipeline stage, or pre-commit hook. Use scripts/bandit_analyzer.py for enhanced reporting.

  • Security Tools: Combine with Semgrep for additional SAST coverage, Safety for dependency scanning, and SonarQube for code quality metrics.

  • SDLC: Execute during development (pre-commit), code review (PR checks), and release gates (pipeline stage). Establish baseline scans for legacy code and enforce strict checks for new code.

  • Ticketing Integration: Use scripts/bandit_analyzer.py to automatically create Jira/GitHub issues for HIGH severity findings with remediation guidance.

Troubleshooting

Issue: Too Many False Positives

Solution:

  1. Use confidence filtering: bandit -r . -iii (HIGH confidence only)
  2. Exclude test files: bandit -r . --exclude /tests/
  3. Customize .bandit.yaml to skip specific tests for known safe patterns
  4. Review and suppress with inline # nosec comments with justification

Issue: Scan Performance on Large Codebases

Solution:

  1. Exclude dependencies: Add /venv/, /.venv/, /site-packages/ to .bandit.yaml exclude_dirs
  2. Use multiprocessing: Bandit automatically parallelizes for directories
  3. Scan only changed files in CI/CD: git diff --name-only --diff-filter=d origin/main | grep '\.py$' | xargs -r bandit

Issue: Missing Specific Vulnerability Types

Solution:

  1. Check enabled tests: bandit -h (lists all tests at the end of the help output)
  2. Ensure tests are not skipped in .bandit.yaml
  3. Combine with Semgrep for additional coverage (e.g., business logic vulnerabilities)
  4. Update Bandit regularly: pip install --upgrade bandit

Issue: Integration with Pre-commit Hooks

Solution: Use the bundled assets/pre-commit-config.yaml:

yaml
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: '1.7.5'
    hooks:
      - id: bandit
        args: ['-ll', '--recursive', '--configfile', '.bandit.yaml']

Install hooks: pre-commit install
